Microsoft first company through FedRAMP Accelerated
After 15 weeks, Microsoft is the first cloud security provider to complete the accelerated route through GSA's cloud security authorization program.
Microsoft is the first graduate of the FedRAMP Accelerated program, receiving its provisional authority in just a few months, according to the director of the General Services Administration's government-wide cloud security program.
The Joint Authorization Board (JAB) issued a Provisional Authority to Operate to Microsoft Customer Relationship Manager Online on Sept. 22, FedRAMP Director Matt Goodrich told FCW. Microsoft took 15 weeks to complete the FedRAMP Accelerated process Goodrich told FCW in an interview.
"That's almost seven times faster" than the average, he said.
In August, Claudio Belloli, FedRAMP program manager for cybersecurity, told FCW that Microsoft's CRM would probably be the first to be approved via FedRAMP Accelerated. Belloli was less clear about when Unisys' Secure Private Cloud for Government and 18F's Cloud.gov would get their ATOs, saying that they would they would be cleared in the fall.
The timeframe for those two providers seems to have slipped a bit. Goodrich said the two authorizations are on track to be completed by the end of the calendar year.
FedRAMP's approval process has sometimes frustrated cloud service providers and agencies alike, largely because of the time and cost involved in securing a provisional authority to operate. The JAB review has been especially lengthy, and FedRAMP Accelerated process is focused there. (Cloud providers can also work directly with an agency for an Authority to Operate certification; Goodrich has said previously that he hopes agencies will emulate the new streamlined JAB process.)
In response to complaints about the time it has taken past authorizations, FedRAMP began testing the new accelerated process with three providers -- Unisys, Microsoft and 18F -- back in the spring.
Before FedRAMP Accelerated was launched, the fastest approval took five months, according to GSA. Agency officials have said the average review time was nine to 18 months. At least one authorization, according to Goodrich, took two years.
Goodrich and his team have been pushing to get the approval cycle to within three months since FedRAMP Accelerated was announced.
According to Goodrich, Microsoft completed the process quickly because it did a lot of preparatory work before beginning the formal process, including completing capabilities assessments and an iterative review through a 3PAO. He credited the FedRAMP Readiness Assessment, which the agency introduced in March, for Microsoft's quick completion. That assessment shifted the emphasis from documentation review by the FedRAMP Program Management Office to a capabilities review process through a third-party assessor.