FedRAMP Refines Targeted Improvements for Path Forward

Published: March 16, 2016

Tags: Cloud Computing, Cybersecurity, Digital Government, GSA, Open Source

The government’s program for assessing baseline cloud computing security aims to increase transparency in the review process.

FedRAMP Forward: Background

In December 2014, the Federal Risk and Authorization Management Program (FedRAMP) released an outline of its two-year priorities. The main goals of the plan included increasing stakeholder engagement, improving efficiencies, and continuing to adapt. The document described a number of initiatives and projects in support of those core goals, each slated for a different time frame (e.g. 6 months, 12 months, 18 months).

The first progress update covered 14 initiatives and their related achievements during the period from January to June 2015. Accomplishments during the period included a 41% increase in the number of FedRAMP compliant cloud service providers (CSPs), a 32% increase in the number of third-party assessment organizations (3PAOs), and an estimated $70 million in annual cost avoidance through the reuse of FedRAMP authorizations. According to FedRAMP’s initial baseline, over 1,400 cloud instances were identified, representing over 80 cloud services implemented across the government. Of those services, 82% were determined to be FedRAMP compliant. Other accomplishments included the relaunch of the program’s website, the release of a draft of high baseline security controls, and a partnership with Challenge.gov to automate quality reviews conducted by FedRAMP’s Joint Authorization Board (JAB).

Despite these achievements and ongoing improvement efforts, concerns about the efficiency and transparency of the process have been voiced by both government and industry. Estimates from the Cloud Computing Caucus suggest that the pace of reviews has declined while the costs to vendors have spiked. Previous appraisals of the FedRAMP process suggested a vendor might be looking at an investment of nine months and $250,000 in order to complete the authorization process. New assessments, however, put those figures at two years and between $4 million and $5 million. These concerns along with other challenges spurred collaboration between members of the FedRAMP Fast Forward Industry Advocacy Group, government policy executives, federal IT leadership, and industry. The group worked together over seven months to develop a six-step plan addressing necessary improvements to the FedRAMP process.

In early March 2016, the Cloud Computing Caucus held a meeting to discuss Fix FedRAMP, the position paper that captured the six-step plan. In advance of that discussion, an official from Capitol Hill contacted the FedRAMP office for insight on issues such as timeliness and transparency. While the exchange may not have produced concrete answers to what caused the problems, agreement was reached to improve both areas of the process.

FedRAMP Forward: Update

The second progress update post, released March 10, 2016, highlighted a 50% increase in FedRAMP authorizations, a 340% increase in FedRAMP training enrollment, steps taken to redesign the JAB, and the pilot of high baseline controls with multiple vendors. In a blog post accompanying the update, FedRAMP Director Matt Goodrich noted that, based on six months of feedback from industry, they’ve “worked with OMB to re-direct [their] efforts to the fewest, most important things” from those comments and suggestions. As a result, two efforts have been called out for the coming months:

  • Revising the JAB provisional authorization process. Bringing the process under the six-month timeline will help curb some of the costs to vendors as well as allow more rapid scaling of the authorizations.
  • Creating a public dashboard on FedRAMP.gov to detail agency use, issued CSP authorizations, and the status of CSP applications within the authorization process.

FedRAMP Dashboard Opportunity

In step with that targeted improvement, a draft request for quotation (RFQ) has been released for the FedRAMP dashboard through the General Services Administration’s (GSA) 18F blanket purchase agreement (BPA). Along with the use of the Agile Delivery Services BPA (Agile BPA), the procurement will utilize oral presentations and a multi-phased approach. The phases will include a compliance check followed by a review of the written and oral components. Posting of the final RFQ is expected sometime during the week of March 28, 2016.