FedRAMP tells cloud vendors to show, not tell security qualifications

The cloud security program known as FedRAMP is modifying its process to make obtaining certifications faster by relying more on third-party assessment organizations.

Matt Goodrich, the director of FedRAMP, said March 28 that after four years it’s time to take a step back and see where the cybersecurity initiative can become more efficient and effective.

He said one obvious place for improvement based on agency and vendor feedback was to give 3PAOs a more prominent role in the authorization process. Under the new approach that is about two-to-three months from kicking off, 3PAOs will perform a capability assessment of a cloud service provider (CSP) before the vendor enters the formal approval process by the Joint Authorization Board (JAB), which is made up of the chief information officers from the departments of Defense and Homeland Security and from the General Services Administration.

“We want to focus on the strengths of our community, the strengths of our customers, so who can we rely on? 3PAOs. We’ve accredited 3PAOs to do this type of work. To provide their expertise, to provide the government with an understanding of the system so we can make an informed decision,” he said. “Providers want to give us their documentation, you want to prove your capabilities and you want to do it fast. Documentation reviews are not fast. So how can we make that faster? Relying on our 3PAOs to do these types of assessments and provide that in a different way that it actually has way more weight and strength than it currently does.”

FedRAMP initially introduced the process known as FedRAMP Ready back in October 2014 with a goal of ensuring CSPs meet minimum quality and security standards across 12 areas.

“Our old FedRAMP Ready was looking at system security plan documentation. It was looking at documentation that was many times thousands of pages,” Goodrich said. “We want to make FedRAMP Ready powerful. We don’t want to be based off what small level of review the program management office can do before we enter the process. As we look at that and we look at the amount of vendors that were wanting to get to FedRAMP Ready and the simple amount of resources we have at the PMO when it comes to looking at the SSPs, we had to build a Python application just to see if people checked off the right things within it. Those simple check boxes and seeing if things were completed, took 20-to-30 hours worth of work just to see if someone had filled out the documentation completely, not even doing a substantive review.”

Instead, the new process, FedRAMP hopes, will help them understand the system and help vendors define their systems correctly.

“One thing we see in FedRAMP and the hard thing for many of our providers is we are asking you to draw a boundary around something that does not exist in the real world. We are saying, ‘What is the boundary we are authorizing?’” he said. “You are trying to figure out how to define the services or capabilities you are offering, and we are trying to get to that through documentation. Many times when we would see those services, you would define them and not understand them technically themselves.”

Goodrich said FedRAMP Ready also was supposed to help vendors get through the JAB approval process more swiftly, but in the end that wasn’t happening.

So going forward, all new vendors wanting to go through the JAB process will have to get a 3PAO approval first.

“We are going to be requiring in order to kick off with the JAB to have a completed security assessment package done,” Goodrich said. “If you look at documentation, boundary, and services and capabilities, how can we do that differently and how can we have better certainty going through the process? If we are not going to focus on documentation and focus on capabilities up front, that changes the dynamic here. So, it was pretty risky for providers to go through and do a complete security assessment, and that’s because you aren’t working with the government to make sure we understand your system and system boundary. We believe if we can have this readiness capability assessment upfront that focuses on the key things to get through the process and you have an independent assessor look at it that says these are the boundaries, these are services and says these are the capabilities we saw as well, that removes almost all of the risk going through.”

He said it should take 3PAOs about 30 days to assess vendors’ FedRAMP Ready efforts.

Goodrich said the new process will not impact current vendors who have JAB approvals for their cloud services, nor those vendors already in the middle of the JAB approval process.

FedRAMP released the draft version of the new readiness capability assessment framework and is asking for comments by April 29.

He said contractors who received agency approvals or those going through or planning to go through the agency authorization process also will not be impacted by this change.

Goodrich said currently it takes 9-to-18 months for CSPs to get through the JAB process. He expects once this new approach gets going, the JAB certification process should take no more than six months.

“It’s pretty aggressive for us to say that we can make it happen in three-to-six months, but we feel really confident in the way we are looking at capabilities upfront that we can make that happen.”

Goodrich said FedRAMP is testing out the new process with Unisys, Microsoft and GSA’s 18F organization.

He said the new FedRAMP Ready process should take roughly 10-to-15 percent of the time and cost of the current approach.
