The team behind the Federal Risk and Authorization Management Program [FedRAMP] is looking to cut wait times for the cloud cybersecurity effort by more than half thanks to a speedy readiness assessment process.
FedRAMP Accelerated is “going to change the game,” said William “John” Hamilton, FedRAMP program manager for operations, during a May 20 panel hosted by (ISC)² in Washington.
“This readiness assessment is going to allow [cloud service providers] to get to our FedRAMP marketplace faster,” Hamilton said. “Instead of months, even years in some cases — not many cases — it’ll take within weeks.”
While a weeks-long process might still be on the horizon, Hamilton and his teammates are actively working on reducing the current 6-12 month time frame down to 3-6 months.
The accelerated authorization comes out of listening tours and stakeholder interviews with cloud service providers [CSPs], said Claudio Belloli, FedRAMP program manager for cybersecurity.
“Naturally everybody always wants their authorizations to be faster. If you look at [the Federal Information Security Modernization Act], FISMA takes 6-12 months across the government, so we were looking at it in that sense; should it take 6-12 months, is there any way to get it down to 3-6 months perhaps,” Belloli said. “A lot of it hinged on CSP readiness. The more ready a CSP is to go through the process, the higher success rate they would have in actually getting through in that six months. In our old process we engaged with a lot of CSPs that perhaps weren’t quite ready yet, and the ones that weren’t quite ready are the ones we needed a lot of back and forth work to help them understand the requirements, help them get their security authorization package document up to speed. Those cycles of working with them are what ended up in many cases stretching some of those out to the 12-month time frame.”
The readiness assessment requires short reports and reviews to identify any problems or answer any questions early in the process, rather than waiting until the very end to find out a vendor has to go back to square one.
There is also a series of kickoff meetings lasting several days, along with a deep dive into things like architecture, engineering and cybersecurity capabilities, Belloli said, as well as question and answer sessions with the three Joint Authorization Board agencies [the Defense and Homeland Security departments, and the General Services Administration].
Belloli said it made sense to incorporate this pre-assessment or pre-audit practice: if a company is already showing signs of struggle before the official start, that might make an unprepared vendor think twice about trying to move forward on a provisional authorization, and save both sides of the process from wasting time.
“Doing that hopefully gets us good, strong, viable candidates that are ready to go through the process, who know what they’re doing and can get through the process hopefully in the 3-6 month time frame,” Belloli said.
Matt Goodrich, FedRAMP director, said the program has evolved from proving to agencies that cloud technology is secure, to changing the way authorizations are done and “actually go through and make this process more efficient, more transparent and easier not only for our agencies but our vendor partners as well.”
Goodrich said the focus now is on “capabilities.”
While before the FedRAMP team wanted to see a 1,000-page security plan, “that’s so not powerful,” he said.
“You’re looking at what people wrote down, you’re not actually talking about what the system actually is and understanding that,” Goodrich said.
Communication and transparency
Belloli said among the other lessons learned from stakeholder feedback is a need for more direct lines of communication during the FedRAMP process.
Rather than one-way communication where there can be confusion about requirements or getting questions answered, “it makes more sense to do it real time. As you’re going through the process, at least on a daily basis, as we kick off with a vendor we’re going to establish those rules and responsibilities for that communication channel.”
For example, a vendor might be required to be available every morning from 9-9:15 a.m. to answer questions from reviewers.
That way “the JAB review teams and the CSP and their third-party assessor kind of all work together and resolve things in real time to keep things going rather than waiting for a big hang up to stop the whole process,” Belloli said.
Belloli said transparency is also a best practice that will get attention. He said the hope is to develop, by the end of the year, a FedRAMP website dashboard that would allow agencies and departments to view a vendor’s status in the authorization process, which can help with procurement planning.