FedRAMP Gets a ReVAMP
By Deborah Collier
WasteWatcher, April 2017
The need to modernize federal information technology (IT) is being taken seriously by the Trump administration. One of the President’s early White House appointments was for Reed Cordish to become Assistant to the President for Intragovernmental and Technology Initiatives. He has also created the White House Office of Innovation, headed by Senior Advisor Jared Kushner, and has met with more than 100 business leaders and government officials to discuss issues related to technology.
This much-needed and welcome focus on federal IT must include a close examination of cloud solutions, particularly as they relate to the Federal Risk and Authorization Management Program (FedRAMP).
In 2010, then-federal Chief Information Officer (CIO) Vivek Kundra instituted a "Cloud First" policy as part of the Office of Management and Budget's (OMB) 25-point plan to reform federal IT management. The Cloud First initiative was intended to encourage federal agencies to adopt emerging cloud computing technologies that would allow more effective IT investments and enable agencies to respond more quickly to taxpayer requests.
Issues related to the security of cloud computing were addressed in a July 25, 2011 report by the cloud computing working group of the Council of the Inspectors General on Integrity & Efficiency Information Technology Committee. The report noted that, “Cloud computing is a completely different animal when applied to the Federal government as opposed to its existence in the private sector. The private sector does not have the wide variety of regulations, restrictions, and concerns that face the Federal government daily.” The report raised eight areas of concern for agency cloud computing contracts: data security; access to information; regulatory compliance; termination and transition; asset availability; maintenance; pricing and time; and intellectual property rights.
To address these security concerns, the General Services Administration, Department of Defense, Department of Homeland Security, and the National Institute of Standards and Technology developed a certification process for cloud services, under which vendors and their services are reviewed and authorized to operate within the federal government. On June 6, 2012, the Federal Risk and Authorization Management Program (FedRAMP) began accepting applications from cloud service providers and federal agencies seeking an authorization to operate (ATO) for cloud services within the federal government. While FedRAMP was created to cover cloud services, security standards for other IT contracts and services fall under the Federal Information Security Management Act of 2002, which was updated by the Federal Information Security Modernization Act of 2014.
FedRAMP offers federal agencies multiple routes to authorization: it encourages security to be built in from the start, makes it easy for agencies to reuse an ATO once it has been granted, and appeals broadly to federal, state, and local agencies wishing to minimize risk to data and constituent information. However, what was intended to be a straightforward process for ensuring the security of cloud services within the federal government has become a costly, cumbersome, and lengthy one, and the same level of security could be achieved at a much lower cost.
The FedRAMP review process began in June 2012, and on December 27, 2012, the first provisional ATO was issued by the Joint Authorization Board. As of April 6, 2017, there are 78 authorized products available on FedRAMP, nine products are close to being authorized, and 60 more are being processed. On October 27, 2016, collab9 CEO Kevin Schatzle estimated the median cost to a company seeking an ATO to be around $2.25 million.
As noted by GSA FedRAMP Director Matt Goodrich during a March 27, 2017 interview on Federal News Radio, there are approximately 600-700 individual controls that may be reviewed during the FedRAMP process. Around 100 controls are reviewed for low-impact systems, 300 for moderate-impact systems, and 420 for high-impact systems. On February 16, 2017, GSA announced that a new FedRAMP Tailored program would develop a revised baseline for ATOs that would streamline the authorization process for low-impact systems.
The draft proposal notes that such IT systems do not contain any critical data and do not request or store any personally identifiable information (PII). Vendors seeking an ATO through the FedRAMP Tailored process must be able to answer affirmatively to six questions that establish their product's suitability for the process. The public comment period on GSA's proposed revamp has been extended to April 24, 2017.
The use of cloud solutions for federal agencies should continue to be encouraged by the Trump administration. While the FedRAMP program is still relatively young, the government has recognized that the process has become cumbersome. The FedRAMP Tailored proposal may provide the necessary reboot to streamline the application process and reduce the cost of obtaining an ATO.