Building off its success stories and industry feedback, the General Services Administration has rolled out a roadmap to accelerate the cloud vendor certification process under the Federal Risk Authorization and Management Program (FedRAMP) over the next year.
GSA saw a promising trend in the program in fiscal 2019, with 45 new cloud products authorized. Ashley Mahan, GSA’s FedRAMP director, said that’s a 30% increase in products approved compared to the year before, the biggest increase in the program’s history.
New products brought into the marketplace include body-camera technology for federal law enforcement officers and scientific collaboration tools for research agencies.
But for all these successes, vendors still face challenges with the FedRAMP certification process.
Last month at an American Council for Technology and Industry Advisory Council (ACT-IAC) brainstorming event, officials at one company told GSA they had submitted their product for FedRAMP review with the necessary security materials, but were told they had to go through an agency’s government’s risk and compliance (GRC) tool.
That decision, Mahan said, added another month to the authorization process, and required that company to spend additional resources to make it through the process.
As a result, GSA is working with the National Institute of Standards and Technology to develop a common machine-readable language — the Open Security Controls Assessment Language (OSCAL) — to lay the foundation for future automation efforts.
“OSCAL is your Rosetta Stone for tomorrow, for [the] automation of security assessments,” said Michaela Iorga, NIST’s senior security technical lead for cloud computing, at a Federal Computer Week conference.
Through automation, Mahan said that one-month GRC review could eventually take just a few minutes.
“We strongly believe this will open doors for industry to develop tooling for agencies to expedite their review and approval of the security materials, as well as fine-tune their risk management practices at their agency,” Mahan said.
GSA has released its FedRAMP baseline requirements in OSCAL for public comment, and the agency is also working on draft guidance for its system security plan (SSP). Mahan said that guidance would be released later this year.
“We want to hear from you,” Mahan said. “We want to know if this is helpful, if this is useful, if this is going to create efficiencies associated with the authorization process.”
On Capitol Hill, the leadership of the House Oversight and Reform Committee’s subcommittee on government operations has looked at legislative fixes to FedRAMP.
A bill introduced this summer by Reps. Gerry Connolly (D-Va.) and Mark Meadows (R-N.C.) would codify the FedRAMP certification process and would take steps to ensure that once a vendor gets the go-ahead to provide cloud services to one agency, it doesn’t have to start the process all over again to do business with other agencies.
The Defense Department has also taken steps to address hurdles in the certification process. The Pentagon will now issue general provisional authorizations to vendors that have a Provisional Authority to Operate (P-ATO) at the FedRAMP moderate impact level from the program’s Joint Authorization Board (JAB).
GSA lays out FY 2020 FedRAMP roadmap
For FY 2020, Mahan said GSA has a FedRAMP strategy focused on four priorities: simplicity, automation, growing the marketplace and learning.
Those four pillars, Mahan said, stem from some “candid and difficult conversations” GSA has had with industry partners. Through ACT-IAC’s ideation challenge, the agency got more than 60 ideas from vendors on how to improve FedRAMP.
“We’re all in this together: the system administrators, the network administrators, the technical writers,” Mahan said. “We really wanted to harness the insights from each stakeholder that’s out there to contribute an idea of how can we make things better.”
For the simplicity piece, Mahan said officials at GSA have looked at revamping FedRAMP.gov to give vendors the resources they need going through the authorization process for their products. That new website, she added, might include short, three-to-five minute videos that unpack more technical topics.
To grow the marketplace, Mahan said GSA will continue to host small-business and startup meetups across the country, building off the momentum of a meeting GSA held with vendors in San Francisco this September.
GSA, she said, is also considering whether agencies under the Chief Financial Officers Act should name a FedRAMP liaison to work with industry partners.
For learning and training opportunities, Mahan said GSA will continue to offer in-person training and industry days.