Time for an update to FedRAMP?


The idea behind the Federal Risk and Authorization Management Program, or FedRAMP, is simple. A cloud services provider gets certified for its security. Then each agency wanting to buy that service can avoid having to do its own certifying. Nearly a decade in, several voices are calling for FedRAMP reform. Among them is the Information Technology and Innovation Foundation. With more, ITIF’s research analyst Michael McLaughlin joined Federal Drive with Tom Temin.

Interview transcript:

Tom Temin: Mr. McLaughlin, good to have you on.

Michael McLaughlin: Thank you for having me.

Tom Temin: FedRAMP was supposed to speed up cloud service, as I said in the beginning. What are the issues? What does industry see as the problems with FedRAMP?

Michael McLaughlin: So the problem right now is that the program still takes too long to authorize cloud services. It’s too costly for cloud service providers that are going through it. And it’s just applied too inconsistently across agencies. And what that means is that a cloud service provider can have a very different experience trying to get their service authorized at one agency compared to another.

Tom Temin: Yes, because there’s a system of authorizers that are themselves authorized by FedRAMP, third parties that do this. Is there inconsistency among the way those third party certifiers go about their work?

Michael McLaughlin: So third party assessment organizations is what they’re called, 3PAOs. They’re not necessarily the problem right now; they’re performing security reviews of the cloud service product offerings. They’re doing things such as penetration testing into a system, vulnerability scans. And they’re making sure that the cloud providers are implementing all the security controls that they have to do. What happens though, is that agencies have to review that work of third party organizations and then provide their own authorization. That’s really because of FISMA. FISMA requires them to take on the risk of authorizing a service. Different agencies will just have different processes for how they review those authorizations, sometimes more elongated; sometimes they’ll also have their own government risk and compliance tools which they use in conjunction with FedRAMP, which further elongates the process.

Tom Temin: So basically you’ve got a belt and suspenders situation going?

Michael McLaughlin: A little bit, yes. And the issue here really is that some agencies just have more expertise performing these reviews than others. So you can end up in a situation where a cloud service provider, when they want to get their service federally authorized, might want to go to one agency over another simply because the agency is known for performing their reviews in a more expeditious manner, or at the same time, they’re known to have standards that other agencies trust. That’s really one of the problems here: federal agencies are supposed to reuse the underlying security authorizations that other agencies provide. So for example, if the GSA authorizes one cloud service, then DHS or something like the EPA should use the underlying authorization so they don’t have to redo all the work that GSA did. But the problem here is that there’s not trust between the agencies. They don’t want to trust the authorization another agency provided and take on that risk, which then makes them go through the process. Too often they go through the process again, accepting the underlying authorization.

Tom Temin: So should it be FedRAMP that is reformed or should it be the agency’s approaches and maybe FISMA that needs reform?

Michael McLaughlin: Well, we can reform really inside the program. I mean one of the program’s biggest challenges right now is simply funding. The program management office, which handles the day to day operations of FedRAMP, actually does a pretty good job considering the limited funding that they do get. Right now they don’t even have dedicated funding. They’re funded from the same pile of money that goes to things such as maintaining websites such as data.gov, and things of that nature. So that’s one of the things that a bill sponsored by Gerry Connolly and Mark Meadows in Congress right now will do: provide the program dedicated funding to really help them increase the number of reviewers that they can actually have. And that’s one of the issues here, that there’s simply just not enough people to perform these reviews expeditiously and expertly.

Tom Temin: Alright, so they have a financial problem, but that gives them greater capacity. But is the program structured fundamentally the way it should be, FedRAMP?

Michael McLaughlin: One of the things we say FedRAMP should try and report is this new pilot way to pilot how they could perform reviews. So FedRAMP categorizes cloud systems as having a low, moderate or high impact. And that’s based off the type of data that they’re going to store. And as you can imagine, the security controls that are required at low are lower than what you would require at high, with these controls actually building off each other. So for example, it was about 300-something controls that cloud service buyers have to implement at the moderate level. At the low level, there’s about 125; the moderate level includes all those controls from the low level and then builds off them at the moderate level, and then off to the high. So one of the things we’ve advocated for is that FedRAMP should pilot basically a tiered authorization approach, where they first review the controls at the low level, and then they authorize the cloud service provider at that level and then go on to the moderate and high. And what that will do is reduce some of the risk for the cloud service provider if they end up in this protracted authorization process that can sometimes take well more than a year, and they’re spending hundreds of thousands or more than a million dollars to get authorized. At the very least, if they get authorized, say for a low level, they can start selling that service. And that can reduce some of the risk of entering a process where, if they could authorize, that doesn’t guarantee lots of demand; that just means that they are authorized to use the federal government. It doesn’t mean that other agencies will actually use them.

Tom Temin: And you do have some other suggestions for the program itself. Mandate that agencies receive exemptions to not reuse the authorizations, and I think that’s one of the big problems you said fundamentally, is that agencies don’t trust FedRAMP itself, and so they would have to have some rigmarole to get around it, basically.

Michael McLaughlin: Yes, that builds off something that’s in the Connolly bill which would create a presumption of adequacy, that all authorizations have a presumption of adequacy, and that other agencies should use them to issue their own authorizations. Now to kind of strengthen that, what we would do, or what we’re suggesting, is that any agency that doesn’t want to use the underlying security package of another agency for an already authorized cloud service would have to essentially get an exemption from the program management office. And hopefully that would start encouraging agencies to continue to reuse authorizations more often.

Tom Temin: Got it. And then there are a lot of ideas here, but there are a few that caught my eye. One was drawing NIST, the National Institute of Standards and Technology, presumably its computer lab, into the whole process.

Michael McLaughlin: So the security standards in FedRAMP are already based off standards that NIST has set; they’ve basically taken certain controls that they think are important for federal agencies to have for the cloud systems, and they’ve molded them for the FedRAMP program. So what we think should happen is that NIST should have access to these underlying security packages so that they can review them; they can see how federal agencies and cloud providers are implementing these security controls that they deem are important. And then over time, they can start to reform their own controls, and they can start to identify potential weaknesses in how agencies and cloud service providers are actually implementing these controls. And the idea there is ultimately just to increase the security of the cloud systems agencies are using.

Tom Temin: And then there’s one here at the end, kind of, I don’t know whether you mean, this should be mandatory, but it says create a mechanism to ensure agencies are using FedRAMP. I guess this idea has been bandied around by others, including GAO. But, you know, mandatory of anything in the federal government has almost never worked, because there’s always an exemption mechanism and so it eventually dissolves. What are you saying here?

Michael McLaughlin: So FedRAMP, for almost every cloud service that a federal agency would implement right now, is actually already mandatory for cloud agencies to use. What the GAO found in one of the reports they recently did is that a lot of agencies, despite actually being required to go through the FedRAMP process to authorize cloud service, still were not actually doing it. They were not doing that for a variety of reasons. For example, one agency, it was simply taking too long, and they wanted to use the service, so they issued their own authorization outside the program. And the Government Accountability Office gave a recommendation that OMB needs to create a mechanism to actually enforce compliance with using the FedRAMP process. OMB responded that that mechanism didn’t exist and really one should be created ultimately to ensure that agencies are actually using this, because the program was created to ensure the security of cloud services that the government’s using, and if agencies aren’t using it, it kind of defeats the whole purpose of having a program.

Tom Temin: Sure. And in putting together all of these ideas, did you simply listen to what industry would like, because they’d like to get faster contracts and faster deals, or did government needs and requirements and worries also kind of bake into this?

Michael McLaughlin: It did. So we talked to people both within the federal government involved in this process, as well as people within industry, and then simply just used the publicly available data that’s out there. So that’s things such as looking at the authorization data and timelines that are on FedRAMP’s website, and looking through past GAO reports to kind of get a comprehensive review of all the different sides and how they feel about this process. At the same time, reviewing the testimony that individuals had provided at a hearing last summer in Congress about the program.

Tom Temin: Alright. Well, now it’s in Congress’s hands then basically?

Michael McLaughlin: It is. The House federal Authorization Act, which would implement some reforms but also codify the program, passed the House in February, but there has not been any movement since.

Tom Temin: Alright, well, common story I guess. Michael McLaughlin is a research analyst at the Information Technology and Innovation Foundation. Thanks so much for joining me.

Michael McLaughlin: Thank you for having me.
