After recently drawing out two major initiatives for the coming months, the General Services Administration’s Federal Risk and Authorization Management Program (FedRAMP) announced structural changes on March 28, 2016. As previously discussed, the FedRAMP process has come under pressure to improve transparency and to address efficiency challenges. In response to concerns about the burden of review duration and cost, FedRAMP wasted no time setting new priorities to revise and enhance the process. The rapid turnaround includes a request for quotations (RFQ) to stand up a dashboard for the program that will shed light on status and usage. (While some of this information is already captured and available, it has not been centralized.) The other component of the overhaul targets the authorization process.
And Then There Were Two
Since October 2014, descriptions of the cloud security evaluation usually spelled out three paths: self-review, agency review, and assessment by the FedRAMP Joint Authorization Board (JAB). While this captures the different directions cloud vendors can take to pursue FedRAMP approval, it can be a bit misleading, since one of the paths only took vendors part of the way to an authorization. Previously, by pursuing FedRAMP Ready status through self-review, cloud service providers (CSPs) signaled to federal agencies that they had prepared the documentation for their security assessment. This CSP-supplied package path offered an alternative to starting down the JAB path for vendors yet to be tapped by a government customer. Ultimately, in order to receive an authorization, these security packages still needed to undergo additional review. Given how the options overlap, it is not surprising that the self-review path will not be supported in the new model. FedRAMP will continue to accept CSP-supplied packages until April 29, 2016. Vendors meeting compliance prior to that deadline will have a year to complete the authorization process.
How Fast You Go
Initial appraisals of the FedRAMP process estimated that reviews took around nine months. More recently, that timeframe has been placed somewhere around two years. To streamline the process and bring JAB authorizations within a six-month timeframe, the program office is implementing a new FedRAMP Ready status. (Note: These changes are not anticipated to impact the agency authorization path.)
Rather than focusing on documentation, vendors will need to have an onsite assessment of their system completed by an accredited Third Party Assessment Organization (3PAO). The review of the required FedRAMP Readiness Capabilities is to be documented in a Readiness Assessment Report. FedRAMP Director Matt Goodrich expects it to take 3PAOs 30 days to complete the assessment of a vendor’s readiness. FedRAMP has released draft readiness capabilities and documentation, which are open for comment until April 29, 2016. The program office aims to have the new capabilities assessment procedure finalized within two to three months.