The Joint Authorization Board (JAB) of the Federal Risk and Authorization Management Program (FedRAMP) is improving its approval process through a redesign that shortens timelines and takes full advantage of available resources.
Matt Goodrich, the director of the FedRAMP program office, said the cloud cybersecurity effort is gaining interest, and the JAB is looking to take advantage of that attention.
“It’s pretty exciting that we’re now finally getting to the point where we’ve seen the tipping scale,” Goodrich said. “We’re having a lot more agency ATOs [authority to operate] coming in.”
In the past six months, the board has approved 25 new authorizations, bringing the total between the JAB and other federal agency approvals to about 60.
“People know that it works and know that they have to do it and realizing it’s a partnership across all of government and not just the office that I run … doing those authorizations,” Goodrich said.
Goodrich credited the uptick to agencies’ realization that they have an equal stake in cloud computing, as well as the “#WheresAshley” campaign, in which Ashley Mahan — “GSA FedRAMP Agency Evangelist” — meets with federal agencies to help them “understand the responsibilities and matching up cloud providers.”
Making risk and capabilities the first step
Goodrich said his team talked not only to cloud providers and third-party assessors, but also to the JAB team, as it considered how to update its process.
The process as it stands now, Goodrich said, focuses on documentation rather than risk and capability.
“We’re looking at the process and figuring out how can we actually get those capabilities and that risk-view up front, and then focus on documentation later,” Goodrich said. “Documentation always has to be there, because you have to have a body of evidence to actually authorize, you have to have something to base it on.”
But the hope is to make sure JAB’s analysis at the beginning gets vendors the information they need, such as whether they can actually get an authorization.
Goodrich said that if all goes smoothly, the approval process should take between 7 and 10 months. But not everything goes to plan, so time frames have been extended to roughly 10 to 15 months for most cloud service providers.
Under the new process, Goodrich said, “it’ll really dramatically change the time frame from 10-to-15 months being the average to being lower than what our fastest timeline has ever been.”
Goodrich said the hope is to try out the faster authorization process in the spring.
“One thing that we’re focusing on with the review process, we’ve gone out and done a lot of customer interviews and done a lot of visual mappings, customer journey mappings, as sort of what all of our stakeholders are going through, through this process,” Goodrich said. “We started to realize about a year ago this was beginning to take a lot longer than we wanted it to. We wanted to make sure we knew what was happening with everybody so we could really identify those pain points.”
Having the resources
Like any government program, performance comes down to available resources. But the fact that funding is available this year does help, Goodrich said.
“This is the first year those CIO shops are actually getting funding to support the authorization and development activities that we do,” he said. “Those teams and those authorizations that the JAB has been authorizing governmentwide, they will actually have a funded staff instead of volunteer staff that CIOs are pulling from other programs to actually work directly with FedRAMP. That impact will be really great because it’ll make sure we have enough resources to maintain those authorizations appropriately and really understand what [is] the total number of vendors that we can support at the Joint Authorization Board level and how we can truly scale the programs and still have funding — and not just my office.”
Goodrich said the focus will be to continue to look at those vendors that are meeting the JAB’s mission of governmentwide use “and then making sure those that aren’t truly governmentwide, we really match them up with those agency customers.”
“We’re really looking at how we can view the process with the JAB more effectively and efficiently,” Goodrich said. “We’re hopeful that means scaling even greater with the funds that we have. What we’re going to be doing while we’re doing that new process is really taking a closer look at what our pipeline can be, so that we can have really clear expectations of what it is and the total number that we can support. And also really be looking at making sure that we align our resources with the JAB with those vendors that are being used the most governmentwide.”