It’s easy to poke holes in the cloud security effort known as the Federal Risk Authorization and Management Program (FedRAMP). Few, if really any, governmentwide programs don’t go through growing pains, including learning how to meet the needs of its customers.
FedRAMP is no different. No one would argue that it was perfect from the start. But many agency chief information officers and vendors will tell you Matt Goodrich, the director of the FedRAMP program management office, and his team are making real progress.
And FedRAMP’s 2016 accomplishments and 2017 goals are more evidence of the office’s efforts to listen, learn and evolve.
Federal News Radio got a sneak peek at FedRAMP’s 2017 plans and they are focused around three main areas:
Bringing on more cloud service providers for agencies to choose from
Continuing to transform the security authorization process
Maintaining and improving communications with industry and government partners
“After our explosive growth in 2016 — almost doubling the number of clouds authorized, introducing the high baseline requirements, and successfully introducing an accelerated authorization process — I’m excited to share our target goals for 2017,” Goodrich said in an email to Federal News Radio. “Over the next year, we plan to double the number of authorizations again, introduce a tailored approach for niche software-as-a-service (SaaS) solutions, and launch industry days for cloud service providers (CSPs) to pitch their services to potential agency customers through FedRAMP Connect.”
Among its successes in 2016, FedRAMP launched an accelerated approval program and a dashboard so vendors and agencies can see where the CSP is in the approval process.
In October, Ashley Mahan, FedRAMP’s agency evangelist, said during a webinar that the new approach has reduced the time to go from application to approval by 75 percent while not giving up any of the program’s rigor.
FedRAMP’s 2017 goals build on all components of those successes.
The program plans to increase the number of cloud services from 72 to 150 over the next year as well as increase the number of authorizations from 345 to 750 from.
Similar to the accelerated program, FedRAMP plans to launch a new effort focused solely on low-impact, low-risk SaaS products. Called FedRAMP Tailored, the program office wants to help vendors receive approval more quickly so they can be an option to the digital services teams across the government.
“We recognize that SaaS solutions, in particular, have a broad range of uses — and we want to make sure FedRAMP authorizations match how agencies use a service. FedRAMP Tailored will augment our current ‘one size fits all’ baselines to introduce tailored baselines for niche, specific use cases,” the program office said in the document.
FedRAMP also plans on redesigning the continuous monitoring process to be less time-consuming, more agile and smoother to run.
Over the past year, Mahan has been meeting with agencies to hear their concerns and struggles with the program. In 2017, FedRAMP will continue to expand those meetings with industry through a new program called FedRAMP Connect. The goal of Connect is to hold two industry days for CSPs to pitch to the government their capabilities.
The program also will host two agency-only roundtables to share best practices and challenges in using FedRAMP.
“We often hear that one of the biggest challenges of FedRAMP is developing security plans. To address this, we plan to publish detailed guidance on how to document all of the 421 National Institute of Standards and Technology controls within any of the FedRAMP baselines,” the document stated as part of its 2017 goal to improve communications.
Let’s be clear, there still will be speed bumps and even major challenges with FedRAMP in 2017 and beyond, but the evidence is clear the program heard the complaints and are trying to address them.