Designed to promote a “do once, use many times” approach to security assessments, the FedRAMP process has several paths for cloud providers to pursue authority to operate (ATO). Prior to this process, vendors relied on the authority granted to them each time their offerings underwent review by government customers. Rather than repeating this lengthy and costly process over and over again, FedRAMP provides a government-wide baseline for cloud security assessments, which allows agencies to leverage the completed initial reviews and continuous monitoring of compliant systems that are in use by other government organizations. As an alternative to seeking ATO from a customer agency, vendors also have the option of submitting their packages for review by FedRAMP’s Joint Authorization Board (JAB). Estimates suggest that JAB review takes a few months longer than review by an individual agency. That shorter timeline relies on a vendor having a potential agency customer lined up to complete the assessment, though. Following JAB review bottlenecks, the introduction of a “FedRAMP Ready” status, which allows cloud service providers (as well as vendors of open source builds) to prepare their security assessment packages and position for business opportunities, seemed to further indicate that agency ATO would be the preferred path for vendors.
As of the end of June 2015, the JAB has awarded provisional authorizations to 18 different cloud service providers. By comparison, only 17 cloud service offerings have been vetted by agencies. At first blush, you might assume those services are on equal footing. However, those 17 services have received a total of 43 ATOs from agencies. The JAB route totals 26 agency authorizations, and an additional 8 provisional ATOs have yet to link up with potential customers. Both FedRAMP paths combine for a total of 69 agency authorizations. Spread across 35 compliant service offerings, there’s still room for improvement, but that repeat use is precisely the goal of FedRAMP.
Based on the current number of offerings reported as “In Process” for each path, the queue for agency authorizations is twice as long as the queue for JAB review. A dozen cloud services are lined up for JAB assessments, hoping to avoid joining those 8 lingering provisional authorizations. Yet, with 30 cloud services engaged in the review process with agencies, the growing ranks of FedRAMP-compliant cloud services implemented across the government will increase options and competition in the market.