Four months will get you through a third of the calendar, halfway to Mars, or in the case of one FedRAMP Accelerated provider, fully authorized for cloud cybersecurity services.
The first provider to go from “kickoff to authorization” is set to make it through the process in the next few weeks, FedRAMP Director Matt Goodrich said, cutting two months off the fastest authorization time and proving that the Federal Risk Authorization Management Program’s shot at speeding up the process hit the bulls-eye.
“We’re actually able to prove the process we thought would work, and now we know that it will work,” Goodrich said during a General Services Administration forum hosted at a Sept. 13 MeriTalk event in Washington. “Now we’re actually transforming that work into something that’s faster and really making sure that we can make that more efficient not only for government but for our vendors as well.”
That progress is a step in the right direction for the program, which has drawn multiple angles of criticism for its slowness.
“I spoke at the MeriTalk conference on this subject in March, and what struck me is that the only people in the room who thought things were going well were the government folks involved in managing it. That’s not an acceptable situation,” said Rep. Gerry Connolly (D-Va.). “If GSA can’t fix this, then Congress will. The problem with that is Congress is always a blunt instrument.”
Congress will choose between Joint Authorization Board [Defense and Homeland Security departments, and the GSA] certifications that are good enough for everybody, Connolly said, or requiring that a vendor get certified by each agency it is working with.
“I predict Congress will go for the former,” Connolly said. “Only the government can take a process designed to streamline, limit costs and to try to expedite the process so that we’re up and running — remember the goal is up and running, it’s not the process — yet this process has become an extra layer and burden for industry.”
The authorization process was designed to take about 6 months and cost about $250,000, Connolly said.
“It’s now two years plus, it’s millions of dollars, it’s clunky and in some cases it’s a two-step process,” he said. “GSA has to fix this or we will. I guarantee you we will, and we won’t do it as well as you could do it. So fix it, and quickly.”
Steve Cooper, Commerce Department CIO, said during his panel at the MeriTalk forum that he’s also heard that the FedRAMP process takes too long.
Cooper said he’s introduced an “authority to use,” or ATU, in his office, which is not meant to replace FedRAMP, nor is it applied within information security boundaries, but it allows people to use IT like GitHub or Python and also keep management in the loop on what they’re doing so they can offer appropriate guidance.
“I’m dying in some cases, because I want to use technology that I’ve taken a look at, evaluated, we know it’s good, we know it can add value, and the acquisition time frame does take longer in some cases than all of us would prefer,” Cooper said. “Not because any acquisition officials are doing something ‘wrong,’ but it’s simply the way the process is set up.”
On average, it costs $2.2 million to successfully make it through the authorization process.
Goodrich said the accelerated program will reduce that price tag because vendors will have a better idea ahead of time of what they’ll need to bring to the table for authorization.
GSA Chief Information Officer David Shive said that when it comes to GSA and the Technology Transformation Service, when a process is deemed too slow or too expensive, “we owe it to you [industry], we owe it to the stakeholders, we owe it to the taxpaying citizens to fix that.”
“But we don’t just fix it and say we hope it’s going to work then we actually try it out,” Shive said, adding that this first group of providers going through the accelerated process shows early indicators that “it looks very good.”
FedRAMP Accelerated launched in late March, with the goal of cutting the current 6-12 month authorization wait time down to 3-6 months. A FedRAMP dashboard also launched this summer, which provides a way to see the status of a vendor’s authorization.
Goodrich said the vision of FedRAMP when it started was that a majority of authorizations should go through the agencies, rather than a joint authorization board.
The JAB has limited funding, and agencies told the program leaders they wanted to have some control over what IT they bought and used, he said.
Goodrich said in the past year there’s been a “dramatic increase” in the number of reused authorizations in agencies.
“We want agencies to be able to use cloud providers but also make sure they use them securely,” Goodrich said, adding they also want to make sure they’re done right so they can be used again.
“Over the last 60 days we’ve seen 30 new authorizations from agencies reusing authorizations within FedRAMP,” Goodrich said. “So we’re seeing that mission and what’s happening there is it’s actually come true.”