It’s no secret that the IT infrastructure of the U.S. federal government has lagged behind the private sector. President Obama has consequently made updating outdated IT systems a top priority of his cybersecurity initiative. FedRAMP is one such initiative born out of this renewed focus on revamping the federal government’s dilapidated IT systems. However, over the last couple of years, a growing number of stakeholders have become dissatisfied with the FedRAMP initiative.
In response to complaints, the FedRAMP Director Matt Goodrich and his team have done something almost unprecedented. They’ve hit the road to meet with program stakeholders and collect feedback on inefficiencies in the certification process. In a recent blog post, Goodrich pledged to unveil a significant redesign to the four-year-old FedRAMP program that is intended to increase the speed of security authorizations and provide more visibility into the entire process.
What is FedRAMP?
Recognizing the many advantages of cloud computing, the federal government initiated the FedRAMP program to increase cloud adoption. “FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services,” according to the official FedRAMP website.
Launched in 2011, FedRAMP is the product of close collaboration between IT security experts from the General Services Administration (GSA), National Institute of Standards and Technology (NIST), Department of Homeland Security (DHS), Department of Defense (DOD), National Security Agency (NSA), Office of Management and Budget (OMB), the Federal Chief Information Officer (CIO) Council, and the private sector.
FedRAMP’s primary goal is to accelerate cloud adoption by federal agencies while improving IT security and decreasing IT maintenance costs. The FedRAMP program has three main entities or stakeholders: the federal agency, the cloud service provider (CSP), and the third parties in charge of auditing and assessing the security and compliance of the CSPs.
What went wrong with FedRAMP?
In a nutshell, the FedRAMP certification process has become lengthy and expensive for cloud providers. Two years ago, the end-to-end process took approximately 6 months and cost the CSP around $250,000. Today, those numbers have jumped to 2 years and nearly $5 million, according to a FastForward report.
The report also points out a general lack of transparency: CSPs have little visibility into their certification status or how close they might be to achieving certification. After spending years and between $4 million and $5 million, it shouldn’t come as a surprise that technology behemoths like IBM and Hewlett Packard were amongst those most vocal about FedRAMP. MeriTalk founder Steve O’Keeffe has stated, “fix the program or it’ll fall under its own weight.”
The report outlines 6 general steps that FedRAMP needs to take in order to achieve its mission:
1. Normalize JAB and Agency ATO Certification Processes
There are three paths to becoming FedRAMP certified: JAB provisional authorization, Agency Authorization, or a CSP-supplied package. According to the FastForward report, CSPs consider the JAB certification path to be the “gold standard.” This has created a bottleneck within the JAB certification process. Normalizing the relative values of the three processes could alleviate the existing bottleneck while accelerating the certification pipeline.
2. Increase Transparency
One of the longstanding complaints around FedRAMP is the lack of transparency that surrounds the FedRAMP certification processes. Nobody knows how much the process will cost, how long it will take, where they stand in the process at any given time, how reviews are processed, and who is getting prioritized. This black box has created a sense that the federal government is in the game of picking winners and losers.
Some of the changes proposed by FastForward are to let CSPs see how their FedRAMP dollars are being spent, to create resources that outline the fastest path to FedRAMP certification, and to leverage FITARA to incentivize greater information sharing between the agencies and CSPs.
3. Harmonize Standards
The vast majority of CSPs vying for FedRAMP certification already meet compliance standards outlined by regulations like HIPAA-HITECH, ISO/IEC 27001, and other federal regulations. At the same time, there is a significant amount of overlap between FedRAMP certification requirements and the myriad other regulations that exist at the state and federal level. However, FedRAMP certification requires CSPs to expend significant resources proving they meet requirements they have already satisfied under other federal regulations.
The obvious recommendation here would be to add to the existing FedRAMP process a means for CSPs to pre-qualify for those elements of FedRAMP that overlap with another federal regulation they are already compliant with. FedRAMP would benefit from such a system (as it would alleviate the above-mentioned bottleneck), while CSPs would save millions of dollars and reach certification faster.
An even bolder recommendation from FastForward is to standardize multiple certifications on FedRAMP. If FedRAMP were the standard across regulated industries such as healthcare, education, and financial services, and at the city, state, and federal levels, then holding FedRAMP certification alone would fulfill the requirements needed to be compliant with HIPAA-HITECH, PCI-DSS, and other regulations.
4. Reduce Cost of Continuous Monitoring
The FedRAMP program requires CSPs to take a continuous monitoring approach to their security capabilities, which has become costly to operate and maintain. CSPs are required to submit an exhaustive security impact analysis to agencies anytime they make a significant change to their hardware or software.
One of the recommendations put forth is to empower CSPs and the third party in charge of assessing CSP security systems to self-accredit changes while still retaining a continuous monitoring approach.
5. Empower Infrastructure Upgrades
Confusion exists within agencies as to which FedRAMP rules should apply to CSPs that provide Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS). IaaS providers, in particular, find it difficult to meet the demands of upgrading their product while ensuring they and their partners are compliant with FedRAMP. This is because anytime an IaaS provider upgrades their product and therefore must prove they remain FedRAMP compliant, the PaaS and SaaS built on that particular IaaS provider must also do the same.
The recommendation here is to apply a lighter version of FedRAMP to PaaS and SaaS providers who are sitting on a FedRAMP-certified IaaS product.
6. Establish Defense Department Crosswalk
According to FastForward, there is a lack of “clear information on the Defense Department’s security control requirements and how they map to the FedRAMP requirements.” The two recommendations put forth are:
- Create a guide that maps FedRAMP requirements to DoD requirements so that if a CSP meets one of them, the other can also be assumed.
- Create a process in which CSPs are tested only on those analogous requirements that they meet under neither FedRAMP nor DoD.
How is FedRAMP expected to respond?
The General Services Administration, which is responsible for the FedRAMP program, is expected to announce sweeping changes to the program on March 28, 2016 that are intended to make the authorization process last 6 months or less. FedRAMP director Matt Goodrich has stated, “FedRAMP will be having an event on March 28 at GSA to detail our redesigned process to focus on capabilities and risks earlier in the process.”
The FedRAMP program expects to accelerate the certification process by assessing the minimum required capability of a CSP at the outset, so that the CSP learns early on whether it will be getting certification. According to Goodrich, one of the goals is to make sure the process has a “focus on capabilities at the beginning of the authorization process, rather than documentation.”
The assumption here is that lowering the time it takes a CSP to get certified will also lower the costs. Weary CSPs will have to wait and see whether the upcoming initiatives will have the intended effect.