The Federal Risk and Authorization Management Program, which certifies the security of cloud-services providers, will launch a namesake website next month, www.fedRAMP.gov, as part of a new effort to woo cautious and confused agencies and vendors.
“We’ll be focusing on reaching a broader audience and getting into the agencies and vendors who haven’t quite grasped what FedRAMP is and how it benefits them,” said FedRAMP Director Matt Goodrich at a panel Thursday in Washington sponsored by AFFIRM. “Using the same message over and over again doesn’t work. At FedRAMP, we’ve been doing the same message for 2 1/2 years. We need to shake it up and say it again differently so we’re penetrating the different types of the market and agencies who haven’t quite gotten the message yet.”
The program’s current website is not very user friendly, Goodrich admitted. He asked agencies, vendors, and even friends to provide feedback on the site. They reported having trouble finding the information they needed. They also wanted to know more about the program itself than what they could find easily on the site. The new site will offer a better overview of FedRAMP and will be easier to navigate, he said.
FedRAMP also will launch a training program in the next couple of weeks to help newcomers jump into the process, Goodrich said. The first module will focus on the basics of the program and how to get started. Subsequent ones will help agencies and vendors test their understanding and skills. They will be more granular and include lessons learned, he said.
“Coming into the security process for any vendor is very difficult. And for many of the agencies, getting into the nuances of cloud is a little scary. It’s definitely a different way that you’re using IT services,” he said.
Agencies wonder about how their legacy applications will fit into a secure cloud environment. And applying security certification to software-as-a-service is particularly complicated. Goodrich hopes that by making FedRAMP’s process more public and by documenting it, it can help agencies learn from its lessons.
The engagement efforts come as FedRAMP matures from a startup operation into a mandated, established program. During its first years, many agencies hesitated to embrace FedRAMP because they weren’t sure it would last, Goodrich said. Now, the biggest stumbling blocks among those using FedRAMP seem to be the months-long certification process and confusion about how to incorporate certification requirements into contracts, he said.
While it can take nine months for FedRAMP to certify a contractor, the program has done 17 of the 29 authorizations in the entire government. Goodrich said he considers its process relatively speedy compared to agencies. They typically only certify vendors with whom they already have contracts. Agencies tend to view FedRAMP certification too narrowly, he said.
“We know agencies are required to enforce FedRAMP by their contracts but many times are doing it too strictly or too restrictive to allow adequate and fair competition,” he said. “Requiring FedRAMP at the time of an award is too early to have that as part of the requirements. In two years, maybe.”
The program is drafting guidance for contracting officers, program managers and authorizing officials. It will help them create contract requirements within solicitations that still promote competition, he said. Goodrich said he was editing the guidance just before leaving the office for the panel discussion. The document will be vetted by the Chief Acquisition Officers Council and the Chief Information Officers Council before a public comment period, he said.
Finally, FedRAMP is collecting public comment on a proposed baseline standard for securing highly sensitive data, something it initially had been reluctant to do.
“You’re talking about financial ruin, life and death that can occur because of that data,” Goodrich said. But, “vendors are saying, ‘We can do it.’ Agencies are saying, ‘We need it.’”