New Report Offers Solutions to FedRAMP Problems
The WasteWatcher
Efforts that begin with the best intentions often go awry in the execution. Such is the case with the Federal Risk and Authorization Management Program (FedRAMP) process, which provides cloud service providers with the authorization to operate (ATO) within federal agencies.
The FedRAMP program was intended to streamline the approval process and accelerate the adoption of cloud services throughout the federal government, while ensuring that a cloud service provider is offering the most secure system available to manage critical information held by federal agencies. Since 2012, agencies have been required to use FedRAMP when deploying cloud solutions, instead of their own approval process.
Unfortunately, FedRAMP caused several problems. Witnesses at a May 14, 2013 House Oversight and Government Reform Government Operations Subcommittee hearing complained about the lengthy process required to obtain an ATO. An October 27, 2016 article estimated the median cost for a company to receive an ATO to be around $2.25 million, creating a barrier to small and medium-sized cloud service providers. In March 2017, GSA FedRAMP Director Matt Goodrich noted that there are approximately 600-700 individual controls that are reviewed during the FedRAMP process, with 100 controls for low-impact systems, 300 for moderate-impact systems, and 420 for high-impact systems.
On February 5, 2020, the House of Representatives passed H.R. 3941, the FedRAMP Reauthorization Act, which would codify the program into law. However, the bill falls short on modernizing the program to meet the needs of federal agencies into the future.
Many of the reforms to FedRAMP that are included in H.R. 3941 should be achieved through administrative action or an executive order, such as reducing duplication of security assessments by establishing a presumption of adequacy; facilitating agency reuse of FedRAMP-authorized cloud products and agency compliance with FedRAMP requirements; requiring agencies to report their authorizations to operate; and establishing metrics to track implementation of FedRAMP. FedRAMP should not be locked into a single process through legislation.
A February 21, 2020 report from the Center for Cybersecurity Policy and Law makes several recommendations to improve the FedRAMP process that do not require legislation. Among the report’s recommendations are:
- Redefining federal information technology risk management, including FedRAMP, to place continuous, incremental, and automated monitoring at the heart of the process;
- Consolidating and standardizing the process for risk acceptance across the federal government; and
- Enabling the federal government to leverage the full scope of emerging innovation in the cloud computing and information technology markets.
While the initial FedRAMP program was a good start, the program must be able to continually evolve and adapt to the changing technology environment. The Center for Cybersecurity Policy and Law recommendations lay out a path forward for the program.