The government rarely gets credit for listening and hearing when industry is concerned. But the Federal Risk and Authorization Management Program (FedRAMP) for cloud cybersecurity services deserves credit for doing more than just giving lip service to long-standing vendor complaints.
Most of industry’s concerns center on the speed of the approval process by the Joint Authorization Board (JAB), which many vendors believe is the “gold standard.” On average, contractors are waiting 12 to 15 months to get a JAB approval. Currently, eight cloud service providers (CSPs) are awaiting final approval, but dozens of others are in the queue to get to that last step.
Matt Goodrich, the director of FedRAMP, has heard the complaints and is doing something about it. He said he too is concerned about the timeline to get JAB approval. To that end, Goodrich said one of the program office’s main goals for 2016 is to talk to and hear from its customers.
“We are talking to CSPs and third-party assessment organizations (3PAOs) as well as the JAB, my office and agencies,” he said Jan. 13 at the ATARC Federal Cloud Computing Summit in Washington. “We are hearing what their view of the process has been and will talk about our interactions and actions they have taken with the program.”
The long-standing complaint around the JAB is a lack of resources both in terms of people and money.
So the biggest difference this year is the JAB has defined funding for the first time. Goodrich said the need for more resources for the project management office has been a constant challenge.
“We will be looking back and figuring out where the pain points are and ways to revise the JAB process and focus on risk reviews and not so much on documentation,” he said. “We want to figure out how to increase the speed to receive an authority to operate (ATO) and less on documentation while keeping the same level of security.”
Goodrich was unsure how much funding it would get, but said the three JAB leaders — GSA and the departments of Defense and Homeland Security — received specific line items. He said historically the PMO received funding from OMB’s E-Gov fund.
Additionally, Goodrich said over the next six months, his team will be revamping the long-term strategy for FedRAMP. He expects that strategy to be influenced by a focused outreach effort led by Ashley Mahan, who is the Agency Evangelist for FedRAMP.
“Through our previous outreach, we realized that we were focusing on ambitious things that weren’t necessarily getting to the heart of what we need to do, so we have a few areas that we are going to focus on over the next six months,” Goodrich said. “Ashley will identify the FedRAMP lead at each agency and coordinate cross-government use of FedRAMP. We want to ensure we give timely feedback and increased response times to agency and vendor questions.”
Goodrich said agency and industry customers were clear that FedRAMP needs more transparency about the JAB process. Vendors want to know where they stand and a timeline for when they should expect completion, and agencies want to know similar things so they can make informed decisions.
One big challenge with transparency is the lack of metrics about cloud usage across the government.
Goodrich said the Office of Management and Budget will lead an effort to work with CSPs on collecting and analyzing how agencies are using cloud services.
He said once they collect the data, it will be displayed in a public dashboard, which the GSA’s 18F group is developing.
While resources will always be an issue, Goodrich said the PMO also is trying to address challenges within its control.
For example, he said four vendors are conducting a pilot to test out the high baseline. The pilot should be finished by the end of February or early March before the JAB releases the version 1.0 of the standards for systems that require more security under the Federal Information Security Management Act (FISMA).
“We didn’t get any dramatic comments about the draft high baseline standards and we got a smaller number than we expected, so we don’t expect it to change much,” Goodrich said. “It will require a lot more automation so we can reduce human error. We are trying to understand if automation can be done by cloud providers and provided to the government. That’s one of the conversations we are having as well as understanding differences.”
Goodrich also said that, related to the high baseline, the PMO is running a continuous monitoring pilot. He said the PMO is testing a tool that takes all scan reports, including those from the Plan of Action and Milestones (POAM), deviation requests and similar security data, and reports the data to the JAB about the cloud service providers. The goal is to ensure the CSP is continually meeting the cyber standards.
“We are going through the pilot to see what the level of effort is for the PMO to take on for agencies,” he said.
Goodrich said the continuous monitoring pilot will finish this spring and the PMO will determine if they can expand it to CSPs.
Despite the frustrations of many agencies and vendors, the fact that Goodrich recognizes the challenges and is doing something about them should not only be lauded, but be rewarded with patience by industry.