In the future, Federal Risk and Authorization Management Program (FedRAMP) authorizations and government cloud service adoption could both get easier if newly introduced legislation passes. On July 26, Reps. Gerry Connolly (D-Va.) and Mark Meadows (R-N.C.) introduced the FedRAMP Reform Act of 2018, which would provide many needed improvements to the FedRAMP authorization program. The changes would likely make it more efficient for cloud service providers (CSPs) to serve the government, and according to Connolly’s office “will help eliminate redundant processes such as agencies re-doing security assessments that have been facilitated by third-party assessment organizations and certified by the Joint Authorization Board (JAB).”
Why did FedRAMP need improvements?
While moving to the cloud has been a foregone conclusion for many enterprises, agencies have been slower to adopt the cloud for a myriad of reasons, including security concerns, entrenched legacy systems and difficulty adopting change. Yet the government is under increasing pressure to modernize its IT environments: the Modernizing Government Technology Act, which was signed into law late last year, established a $500 million central fund to support rapid IT modernization (though to date it has only allocated $100 million for 2018). We anticipate that moving to cloud services will play a central role in that evolution.
However, for any CSP to offer a solution (of which there are many thousands) into the government space, it must first be authorized by FedRAMP. The program is a national, governmentwide effort that offers a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services via two routes: authorization by the Joint Authorization Board (JAB) or by an individual agency.
The goal of the JAB route is to obtain a provisional authority to operate (JAB P-ATO), meaning the CSP has demonstrated that the cloud service meets the government’s security requirements, allowing reuse of the security assessment package across the entire federal government. However, a lack of reciprocity has led agencies to frequently re-assess a CSP against FedRAMP requirements, adding inefficiency and cost to the process.
The proposed law would require agencies to document why the JAB P-ATO won’t work for their agency.
The bill also addresses FedRAMP gaps, including a lack of standardized, clear metrics and of clearly defined roles and responsibilities spanning agency, CSP, and certification body personnel.
What are the important changes proposed in the legislation?
The legislation, first and foremost, establishes the FedRAMP program in statute, ensuring that those CSPs that have already invested in FedRAMP will have their investments protected. The bill requires the FedRAMP Program Management Office (PMO) to adopt standardized metrics regarding the time, cost, and quality of the assessments necessary for completion of the FedRAMP authorization process in a manner that can be consistently tracked over time. The Office of Management and Budget (OMB) and General Services Administration (GSA) are required to submit an annual report to Congress on the status and performance of the FedRAMP PMO and the description of and progress toward meeting metrics adopted by the OMB.
Additional role and responsibility clarity provided by the legislation includes: the OMB shall provide best practices for compliance with the Trusted Internet Connection (TIC); the PMO will be the provider of guidance; the JAB (the certifying body) must now appoint technical representatives for FedRAMP activities; third-party assessment organizations (3PAOs) must develop certification programs for individuals who lead assessments; and agencies must provide access and information to support assessment efforts.
The legislation, if passed, would provide a critical funding mechanism (“to the extent deemed appropriate” per the bill, allocated through the Acquisition Services Fund for FedRAMP), which we expect will allow the program to do more and speed the time to market for FedRAMP-authorized CSPs.
The FedRAMP director will now submit an annual report on the status, efficiency and effectiveness of the FedRAMP program, the time taken to grant ATOs, automation progress, the number of cloud systems in use, and the number of cloud ATOs, for full market transparency.
Finally, and importantly, the bill encourages reciprocity to the maximum extent possible, with the goal of encouraging agencies to look favorably upon prior security assessment work (in other words, JAB P-ATOs are to be considered adequate, discouraging rework). By providing what the bill terms a “legal presumption of adequacy,” the hope is that the spirit of FedRAMP’s mantra “approve once, use many times” will finally be a reality.
Overall, the key benefits of the legislation, from our view, include improved efficiency in the process (through the elimination of redundant assessments), funding for the program, defined metrics to aid in improving the program over time, and defining roles for a more efficient and clear process for all involved.
The importance of the legislation in supporting government IT
Over the past six years, the FedRAMP program has grown and evolved. To date, more than 100 cloud service offerings from CSPs have achieved FedRAMP authorization, with another 70+ in the queue and more considering how to approach the program daily. FedRAMP improves government agency efficiency in adopting cloud solutions, saving an estimated 30-to-40 percent in government spend while reducing the staff time required to perform redundant agency assessments.
FedRAMP has become essential in ensuring that agencies can move securely to the cloud. 3PAOs play a critical role in ensuring agencies can do so successfully by ensuring CSPs meet the FedRAMP standards.
As we move forward, it is important that the FedRAMP program, including the JAB, has the resources it needs to continue to grow to meet the needs of organizations considering and currently providing cloud-based services to the federal government.
This legislation will do that while driving efficiencies and ensuring appropriate cybersecurity controls exist for agencies looking to modernize their IT environments and migrate to cloud-based services.
Michael Carter is the vice president for FedRAMP and assurance services for Coalfire.