Reuse of FedRAMP authorizations could save $70M annually

At least 38 cloud service providers are now compliant with the Federal Risk and Authorization Management Program (FedRAMP), which is up 41 percent over the past six months. In addition, initial estimates show at least 700 cloud systems meet FedRAMP standards.

But the General Services Administration knows there’s a gap between what agencies and vendors report and what they’re actually using.

Matt Goodrich, FedRAMP director, Office of Citizen Services and Innovative Technologies, General Services Administration

Matt Goodrich, FedRAMP director at the Office of Citizen Services and Innovative Technologies at GSA, told In Depth with Francis Rose that he wants to hear what’s working and what’s not as more agencies move to the cloud.

“What we’re trying to do is help everyone realize that particularly with cloud, they aren’t unique, because they’re using a cloud service,” he said. “They’re using a common platform that they’re making work for them and that other agencies can use in the same way.”

Goodrich’s office released an infographic this week to illustrate the progress agencies and vendors made in the first six months of FedRAMP.

One of the key elements GSA revealed is that through reuse of FedRAMP security authorizations, the government could save $70 million in cost avoidance annually. This is up from the original $40 million estimate.

“We created that first baseline, which I still think is a good starting point but not a completely accurate baseline,” Goodrich said. “But even with that, we’re saying there’s over 80 cloud providers being used across the government with over 1,400 instances. And when we apply that to the rough estimates of what it costs to do a security authorization, that’s on average roughly $70 million we’re doing in cost avoidance through the reuse of those authorizations themselves.”

Goodrich emphasized that the figure is not a one-time total of $70 million but $70 million in savings every year, and that it could grow over time.

“That number’s going to go up as we continue to maintain these authorizations and continue to reuse them,” he said. “It’s a number that’s going to go up. It’s also a number that’s avoided every year due to the program.”

GSA solicits feedback on FedRAMP High Baseline requirements

In January, GSA released a draft of the FedRAMP High Baseline requirements, seeking public comment. So far, Goodrich’s office has received and acted on over 1,000 comments on the high baseline and 300 comments on the Trusted Internet Connection (TIC) overlay. It has also requested comments on Third Party Assessment Organization (3PAO) requirements. The comment period ends Aug. 20.

“We haven’t heard any, ‘What are you doing? This is crazy,’ which typically happens within the first few days,” he said. “We’re really excited to see what comes then, but also typically without having that, I’m hopeful that means the comments we get back are basically aligned with what we were thinking and saying, ‘Hey, this is really the direction the program should be going in.'”

Speaking recently, Goodrich employed an analogy involving a garden hose and tennis bracelet to describe how agencies should be looking at data.

“When we look at data across the government security, I think we need to take a bit of a view on it with sort of physical assets and looking at data in that same perspective,” he said. “And so, when agencies are looking at how they can do things through the cloud, they should really be caring about what they are paranoid about. And so, if you think about a garden hose that you have at your house. Most people have that garden hose hooked up in the front of their house year round. They don’t lock it up every night, put it in a garage and put it in a safe. But the diamond tennis bracelet that someone bought their wife for their 20-year marriage anniversary, that is locked up in a safe in the bottom of the closet covered in a bunch of sweaters when it’s not being worn.”

Goodrich added the federal government needs to think about data in the same way, identifying what’s the most important thing to protect and securing it in the most appropriate way.

“It’s really important to think about those services that you actually need, and that sort of hybrid model around how agencies are using IT and where data resides within that IT is really sort of being promulgated by the use of the cloud,” he said.

Looking ahead to the next six months, Goodrich said he was excited about the upcoming $250,000 prize competition GSA will be launching through

“The beginning process of FedRAMP is one of the lengthiest parts of the process, where it’s really difficult for providers to make sure that they have adequate documentation and things like that,” he said. “And so, we want to create an automated tool that providers, agencies and we can actually use to automate that review process to make sure everything’s there before we begin the process to make it even faster.”

Goodrich estimated that automating the process could reduce time frames by 50 percent to 90 percent.

“We’d like to see what other people have out there for ideas and how to do this,” he said. “We have basically a goal of what we want to see. And I want to see what people can provide us and how we can do that more effectively.”
