FedRAMP's doing well but there's room for improvement

If we were issuing a “report card” on the adoption of Federal Risk and Authorization Management Program (FedRAMP) cloud service offerings, we’d likely conclude in a summary statement that there has been “promising progress so far, but there’s much room for improvement.”

FedRAMP was launched in 2011 to establish a cost-effective, risk-based, standardized approach for the adoption and use of cloud services by the federal government, with an emphasis on technology modernization and security. Either agencies or the FedRAMP Joint Authorization Board (JAB) can grant sponsorships required for cloud service providers (CSPs) to receive Authority to Operate (ATO) or a Provisional Authority to Operate (P-ATO). To be considered for FedRAMP ATO or P-ATO, CSPs work with an accredited Third Party Assessment Organization (3PAO) to complete a readiness assessment and/or a full assessment of its offering.

Clearly, government leaders see the value in the program: Four of five federal IT and business decision-makers either prefer to use FedRAMP-authorized cloud services or exclusively use them. Benefits include enhanced ease of adhering to government mandates (as cited by 62 percent of these decision-makers); access to solutions which continuously monitor to resolve potential non-compliance (43 percent); long-term cost savings (41 percent); and the receiving of monthly reports on the security posture of applications and data (36 percent).

However, agencies are also struggling with challenges, including the need to acquire and/or designate internal personnel to validate the security of ATO solutions (as cited by 41 percent of these decision-makers) and the lack of enough solutions/services available in the FedRAMP Marketplace to meet organizational requirements (34 percent). More than one-quarter say it takes too long to get JAB authorization.

These bottlenecks are limiting government access to a large portion of the commercial software market, as there are just over 230 FedRAMP authorized offerings in the FedRAMP Marketplace (as of September 2020) out of the thousands of commercial cloud products in existence.

CSPs face difficulties in obtaining a government sponsor because, as indicated, many agencies do not have enough staffing or internal resources to support the ATO process and subsequent requirements to monitor products throughout their lifetime. It’s even harder to get a JAB sponsorship because the JAB can take on only 12 FedRAMP efforts every year.

To address this, we need to start a conversation about changing the model, with a shift of FedRAMP compliance oversight to the 3PAOs emerging as a key improvement point.

This would closely mirror the approach that the Department of Defense has adopted for its Cybersecurity Maturity Model Certification (CMMC) framework: The 3PAOs would be responsible for the full validation of the CSPs, while allowing the government to have final approval powers. As a result, CSPs would go through a full assessment to get FedRAMP authorization, without needing a sponsorship from an agency or a JAB. From there, their product can be listed in the FedRAMP Marketplace.

After all, agencies already rely on 3PAOs in deciding whether to authorize a CSP. Because they have limited to zero ability to directly test controls, they must “trust” that a 3PAO’s assessment is accurate. This new model would only result in greater scrutiny of 3PAOs, lending more credibility to their final decisions.

While in some ways this is similar to the current “FedRAMP Ready” program which allows CSPs to engage directly with 3PAOs without first finding a sponsor, FedRAMP Ready does not get CSOs to ATO, and does not reduce the burden on the sponsoring agency. FedRAMP Ready still carries with it the challenge of convincing an agency to take on the additional work of sponsoring a CSO’s initial FedRAMP ATO, which is one of the biggest bottlenecks to expanding the universe of FedRAMP ATOed solutions.

Additional benefits of the proposed model include:

• Lowering the barrier to entry for CSPs by allowing them to pursue FedRAMP authorization when they decide they are ready, rather than spend resources trying to find a customer sponsor before having a product available for sell in the federal market
• Reducing the burden on the government, with the JAB and FedRAMP Program Management Office focusing on thought leadership and guidance instead of arduous assessment work
• Improving compliance and scalability as agencies rapidly adopt innovative technologies because every approved solution is meeting all controls

In essence, this proposal isn’t much different from the way agencies authorize solutions that have already earned ATOs from other agencies. By removing the onus of initial sponsorships from agencies, they would simply have to conduct a high-level review of 3PAO recommendations instead taking on the current, demanding task of reviewing individual ATO packages in-depth. Thus, the next “report card” will likely say, “Major bottlenecks have been eliminated, positioning FedRAMP as a model program for technology acquisition for years to come.”