The Federal Risk and Authorization Management Program this month is hitting the gas on new tools to help shorten the time it takes to authorize industry providers against its cloud cybersecurity standards.
FedRAMP Director Matt Goodrich told Federal News Radio that in the next two weeks a program dashboard is going live that, among other things, will allow agencies and departments to view a vendor’s status in the authorization process.
“It’s going to be a really great tool for us, to be able to have a lot more transparency into which providers are being used, how to compare them, how to compare use across agencies, and also to be able to see which agencies are using FedRAMP greater than others, or some not at all,” Goodrich said.
The 60-day contract was awarded through an agile blanket purchase agreement with 18F. The launch date was originally slated for December.
The dashboard launch comes just after FedRAMP released a Readiness Assessment Report (RAR) template that Goodrich says is the key part of FedRAMP Accelerated.
“This is definitely the most fundamental part of FedRAMP Accelerated, to make sure that it works,” Goodrich said. “We need to have confidence that people have the right capabilities in place, and so this is definitely the thing that’s going to make Accelerated work and what’s proving to work with the vendors we’re currently piloting it with. So we’re excited to see it’s out there and now vendors can start to use this as a pre-assessment for their own internal use to make sure they’re ready, but also so we can make sure that when they want to come and work with us, that we can make sure they’re ready as well.”
While some vendors are still working through the pilot, Goodrich said this iteration of the template is now out and available for use.
Goodrich said the template saves time and effort for both sides of the authorization.
While the template is intended for vendors to find out early on if they’re ready for the FedRAMP authorization process, for the government “it’s going to allow us to know if we’re going to work with a vendor who has all the capabilities in place.”
“So when we actually enter into the process, we actually know there’s a high likelihood of success, we can actually know it will happen in a short amount of time and we can work with them,” Goodrich said. “It’s also important because we are looking at capabilities rather than documentation, so instead of having to have a vendor spend an inordinate amount of time documenting what they do, we can just have someone actually go out and validate that it’s there and give us a short report.”
Goodrich said what his office heard from industry was that there was too much writing and not enough value in all of that extra paperwork.
“While that documentation will still be an end product of the overall process, instead of making the documentation the process, we’re making that sort of an output of the process,” Goodrich said.
The template does not replace the complete authorization process, but it will help highlight any deficiencies in an applicant’s documentation, so that updating that paperwork can become part of the overall authorization, with help from the FedRAMP team.
The RAR template is built with industry feedback, including some suggestions that Goodrich said lean more toward subjective criteria.
“Things that aren’t necessarily completely tied to security controls,” Goodrich said. “Things like understanding what the organizational structure is, who all is working on the system, how do you handle changes to your system … so we can understand the maturity of an organization supporting it, which don’t always relate directly to a security control, but something that’s really important to understand how effective a vendor’s going to be able to get through it and how quickly.”
Goodrich said the template also includes more plain language, and that a discovery scan requirement has been added since the first draft.
“One of the hardest parts for vendors is to define their boundary and make sure their boundary’s defined appropriately,” Goodrich said. “One way that we can help them make sure that it’s defined appropriately, they’re not excluding things, that they’re including what they should, is to do a discovery scan.”
FedRAMP Accelerated launched in late March, with the goal of cutting the current 6-12 month authorization wait down to 3-6 months.
William “John” Hamilton, FedRAMP program manager for operations, earlier this year called the faster readiness assessment a game changer.
“This readiness assessment is going to allow [cloud service providers] to get to our FedRAMP marketplace faster,” Hamilton said. “Instead of months, even years in some cases — not many cases — it’ll take within weeks.”