Cloud computing became a major technology strategy for the government more than 10 years ago. To help agencies ensure cloud security, the GSA set up a program called FedRAMP, Federal Risk and Authorization Management Program. The basic idea was, a vendor with FedRAMP certification for one agency could be trusted by other agencies for a given product. The program has come a long way. For an update, the Federal Drive with Tom Temin spoke with the acting FedRAMP director, Brian Conrad.
Tom Temin: I guess originally FedRAMP was for the major cloud services providers as they existed more than 10 years ago. But really, it’s almost the entire industry now, isn’t it?
Brian Conrad: Yeah, absolutely. If you look back at the history of the program, obviously, the big players, the infrastructure players, where everything lives on were sort of the first ones through the process. But now we’re seeing an increase of software as a service applications coming through, agencies finding this unique capability out in a commercial marketplace that fits their mission need. And so they bring it into the FedRAMP marketplace. And that’s contributed to the growth of the FedRAMP marketplace over the years.
Tom Temin: And agencies are using a lot of services that are cloud-hosted secondarily, I’m thinking, say in the identity management area, for example. They want to use third party data services that can verify individuals, that kind of thing. And those are also part of FedRAMP too then, correct?
Brian Conrad: Well, what we use for our authoritative source on where FedRAMP applies is the [Office of Management and Budget] memo that gave birth to the program, if you will. That memo spells out pretty clearly where FedRAMP needs to be applied in Federal Information Systems. And because technology is changing, and the way companies are applying technology, we’re constantly having conversations with our friends at OMB to make sure that we’re on point with making sure that those things that require a FedRAMP authorization are getting it.
Tom Temin: Right, and the knock on FedRAMP early on was it took so darn long to get the certification. Tell us how the process works now, what are your metrics? Do you have backlogs? Tell us how it looks from a vendor standpoint at this point here, as we almost are at 2023.
Brian Conrad: Sure. Yeah, absolutely. One of the success stories of FedRAMP is that we’ve been able to get cloud providers authorized through the joint authorization board in about four and a half months. That’s after a formal kickoff and a go decision from the [Joint Authorization Board] technical representatives. And then through the assessment in the partnership and collaboration between the JAB review teams, the PMO and the FedRAMP PMO, and the cloud provider, getting that down to four and a half months. That was instituted in 2017, what we called FedRAMP Accelerated, and we’re putting a lot more onus on the cloud provider to do work upfront, prior to them coming to the government into the JAB, the joint authorization board, before we even start that process on the agency authorization side. So that’s the second way for a cloud provider to get authorized. We’re seeing authorization timelines about seven and a half months. And the calculus there is the time that the agency takes to do their authorization, and the time that the FedRAMP PMO, our fabulous agency review team, takes to get the authorization done as well post agency ATO.
Tom Temin: And how many applications are in all of this in process at a given time, roughly?
Brian Conrad: Quite a bit, we have a pipeline with a joint authorization board that extends about six months out. And we have — I don’t want to guess because I don’t want to give an incorrect number — but we have several in the pipeline waiting for agency review as well. And also we have kickoff meetings with agencies, and they go off with their cloud providers and do their thing. And there’s all that stuff going on in the background, which we’re not necessarily tracking. When it comes to us through that collaboration with the agencies and the cloud providers, then that’ll pop up on our screen as being in process in our queue.
Tom Temin: And early on, as we mentioned at the top, it was for the Microsoft Azure cloud or the AWS cloud to get them certified because nobody knew what the heck they were buying, really, in those days, and how secure it might have been. And as those have gotten gigantic, and have added catalogs with thousands of line items in them as services along with just basic infrastructure as a service. Do they have to stay certified and recertify? And if there’s a block of new products offered by an AWS or a Google, those have to go through FedRAMP?
Brian Conrad: Yeah, that’s a great question. And typically how we handle that — because the technical boundary isn’t changing when they add services within it — and so what we do, especially on the joint authorization board side, is look at those significant changes. And so we work again very closely with the cloud providers to understand where they’re going in the direction of their technology and what they’re intending to do. So we get a list of services that they want to add through our formalized significant change process. Those services just get added to the existing technical boundary.
Tom Temin: I imagine over time, they can anticipate what they’ll need to do to get through FedRAMP and almost pre-stage it to help themselves get through faster.
Brian Conrad: Absolutely. And I’ve mentioned working with the cloud providers many times, that’s one of the key aspects of the program is collaboration. And something that I’ve been pushing since I’ve been in the acting director role is we’re not doing this alone. It’s a team sport, everybody has their role. And we all do that collaboratively to make sure that, one, the CSPs get taken care of, and they can do what they need to do on the business side. And we can do what we’re doing: making sure that they’re protecting federal information.
Tom Temin: We’re speaking with Brian Conrad, he’s acting director of the FedRAMP, at the General Services Administration. And what do you plan for 2023? Here we are, let’s presume you’ll have an appropriation at some point to do what you need to do for the new year. But what’s ahead for FedRAMP?
Brian Conrad: Well, we’ve been working on some really interesting things. And that is mostly in the realm of automation. We have been working very closely with [the National Institute of Standards and Technology] to develop the Open Security Controls Assessment Language, or OSCAL.
Tom Temin: And what is your PMO doing to promote OSCAL?
Brian Conrad: Great question. So one of the things we recognize is that this is kind of a new thing. And so what our automation team inside the FedRAMP PMO has done is start hosting what we call Data Bites every other Tuesday, or twice a month, something like that. Our next instance is January 19, taking a little break for the holidays. But this is an opportunity for OSCAL developers from industry and agencies to get together and ask questions of our FedRAMP automation team.
Brian Conrad: We are looking at incorporating a GRC tool that will enable automated package handling, automated validations. So one of the things that we’re trying to avoid, for example, is our agency review teams having to go back and forth with cloud providers to make sure that the package is of optimal quality. And so with these automated validations, before the package even comes to the government, we’ll have some level of confidence that the quality is spot on. All the little things that normally can get overlooked or trip up CSPs or 3PAOs. And it’s human error. It’s okay. But we want to make sure that we’re having machines do what machines do best with regards to that. And so we’re really excited about that.
Tom Temin: Yes, I’m detecting the sense of a little artificial intelligence in there.
Brian Conrad: Not yet. We’re laying the groundwork for what we can automate. The first step is getting OSCAL and our GRC online, to make sure that we can automate the ingestion of packages. We’ve already done it once on a test case. We’re really excited about the resource savings across the board, not just for the JAB review teams, but for the cloud providers as well. Anything that we can do to make things better, stronger, faster, is going to benefit both government and industry.
Tom Temin: And let’s just back out for a moment because the original reason for this was to streamline acquisition of cloud services by agencies. It’s good for them, therefore, it applies here. Let’s go buy it. Does the data show that that’s actually happened?
Brian Conrad: Yeah, absolutely. I guess the biggest thing that I can point to, to show cloud adoption and how cloud services are being used, is buyer reuse numbers. We’re up over, I want to say, 4,700 instances of reuse on cloud providers in our marketplace. And that’s indicative of not just other cloud providers, SaaS providers, building on top of FedRAMP authorized infrastructures, but it’s also indicative of agencies who are coming to FedRAMP and saying, hey, there’s good stuff in there that will meet my mission needs, and I can go after that.
Tom Temin: I was gonna say, do you ever find an agency trying to certify something on their own, and you want to go up to them and say, hey, dummy, it’s already been through FedRAMP, you don’t need to do this. You might not put it quite that way.
Brian Conrad: Right? We have the marketplace that’s open. And even if there’s something that catches your eye, that may be of interest to your agency, agency representatives can always request a security package, take a look through it and exercise their due care to make sure that is in fact what they need. And that’s one of the things that a robust marketplace will help provide for the government as well.
Tom Temin: And if an agency practitioner has a suggestion for improving FedRAMP, or for improving a package in some way, they can call you, they can call the office.
Brian Conrad: Yeah, firstname.lastname@example.org. Again, we live and breathe on collaboration. And because this is a multifaceted program, what you see may not be visible to us. And I do outreach to cloud providers, and I have, as a cybersecurity program manager, I try and do one-on-ones with the cloud providers that have gone through the JAB process to get that real down-in-the-weeds tactical level kind of feedback. And we’re open to any good ideas. We don’t have a monopoly on good ideas. And so we’re glad to hear anything.