The Federal Risk Authorization and Management Program’s (FedRAMP) new streamlined, simplified process is paying off. The program is boasting increased authorizations and return business, and the new dashboard is making it easier for feds to use the program.
“We have seen an 85 percent increase in FedRAMP authorization for new cloud services,” said Ashley Mahan, FedRAMP agency evangelist, during an Oct. 19 Digital Government Institute webinar. “And those that have received a FedRAMP authorization, we have seen a 185 percent increase in agency re-use of existing FedRAMP authorized services, which is absolutely significant.”
More than 75 cloud service providers have been authorized by FedRAMP, along with 41 third-party assessment organizations. There are also 50 more cloud service providers currently in line for imminent approval.
FedRAMP is also reaching for a “reduction of up to 75 percent in time without compromising the program’s rigorous security standards,” Mahan said.
The program’s goal is to reduce the amount of time it takes for a cloud service provider to earn a FedRAMP provisional authorization — essentially giving agencies the go-ahead to consider these services — in as little as three months.
Agencies and other organizations can view the available services, which third-party assessors approved them, and which agencies are now using them with the FedRAMP Dashboard, which launched in August.
“That is an effort to really be as transparent as possible to our federal community and to the FedRAMP family,” Mahan said.
It offers near-real-time status updates on what cloud service providers have been authorized, which third-party assessors authorized them, and which agencies are using them. It also provides contact information and service descriptions.
“If you are an agency, this is an excellent, excellent resource to see which cloud services are authorized and which ones are coming down the pipe,” Mahan said.
Another recent improvement FedRAMP has made is its new focus on high-impact systems. Mahan said about $80 billion, roughly 50 percent of federal cloud spending, is on low-or-moderate- impact systems. The other 50 percent is focused on high-impact systems, mostly located within the Defense or Homeland Security departments.
“Until now we’ve been focused on low and moderate impact systems, which we equated to roughly about 80 percent of all federal IT systems,” Mahan said. “And the high baseline has really targeted that remaining 20 percent. Datasets that typically require the protection of high systems are those that would cause catastrophic, adverse effects on organizational operations, organizational assets or individuals.”
FedRAMP’s high-baseline, Mahan said, consists of about 100 more controls and security enhancements than the moderate-impact. There are currently three FedRAMP approved high-baseline cloud service providers: Amazon Web Services’ GovCloud, Microsoft Azure, and Autonomic Resources ARC-P.
FedRAMP released the standards baseline for these high impact systems in July, and included a number of new stricter controls to meet DoD’s needs, but there is more the military needs to do.
“A vast majority of the new controls relate to stricter processes and automation requirements around technical implementations,” Matt Goodrich, FedRAMP director, said in July. “There weren’t major changes in terms of capabilities [as compared to the draft high baseline], but there were a few control additions and tighter implementations that are present in the final baseline that were not in the original baseline requirements.”