Agency Authorizations for Cloud Security Compliance Show Steady Growth

Published: January 27, 2016


The number of cloud service provider systems that meet compliance requirements for the Federal Risk and Authorization Management Program (FedRAMP) has increased by 26% in the past six months.

In June 2015, 35 cloud service offerings had completed the FedRAMP process and received either an agency-level authority to operate (ATO) or a provisional ATO through the FedRAMP joint authorization board (JAB). At that time, a few providers had undergone the process to achieve FedRAMP Ready status, but the offerings were by and large either from the JAB path or the agency ATO path, split fairly evenly between the two. The pace of reviews seemed to be picking up, but a number of providers still had security assessment packages for their cloud offerings in the review pipeline.

The options for compliant cloud services continue to be spread across the three different service models: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS). The number of SaaS offerings has outpaced the other models, though. It’s worth mentioning that this calculation includes 5 offerings that are in the end stage of FedRAMP review. As was previously observed, several offerings are available in multiple service models, which impacts the spread across them.

Agency authorizations have surpassed the provisional ATOs issued by the FedRAMP JAB. This shift is not that surprising considering previous concerns about the rate at which the JAB has been able to complete reviews. While the figures shown in the charts above include 5 offerings in the final stages of PMO review, the number of completed agency reviews increased from 17 last June to 27 at the end of January 2016. (Those 5 additional offerings bump that figure up to 32.) During the same period, the JAB completed 6 authorizations, bringing the total of provisional ATOs to 24.

One development of note is that a couple of the FedRAMP Ready offerings from last June have received agency ATOs. When the option for service providers to prepare their security packages without submitting before the JAB or a federal customer was introduced, it was unclear how agencies would respond. This slightly risky move has paid off for a couple of the vendors that went through the exercise of preparing their assessments and opted not to submit for JAB review in favor of waiting for an agency customer.

Currently, only one IaaS offering is on the FedRAMP Ready bench. By contrast, 9 offerings with provisional authorizations through the JAB have yet to receive any authorizations from agencies (shown in the charts below as “No Authorizations Listed”).

Since the outset, a key goal of the FedRAMP process has been to establish a “do once, use many times” approach to cloud security authorizations. Signs of progress toward this objective continue to build as the program matures. As of this writing, 124 agency authorizations have resulted from 57 offerings. While this does not provide a clear measure of utilization of those offerings within agencies, it does suggest that the process is saving federal organizations from repeating cloud security assessments from scratch. Providers receiving an agency authorization have seen the greatest reuse of those assessments. So far, Amazon, Microsoft, Akamai, and MicroPact have tallied up the highest counts for agency authorizations across their various approved cloud products. With an additional level of FedRAMP security assessment on the horizon, the program is likely to continue to offer an interesting perspective on federal cloud computing.