Microsoft first company through FedRAMP Accelerated
Editor's Note: This article originally appeared on FCW.com
- By Mark Rockwell
- Sep 29, 2016
Microsoft is the first graduate of the FedRAMP Accelerated program, receiving its provisional authority in just a few months, according to the director of the General Services Administration's government-wide cloud security program.
The Joint Authorization Board (JAB) issued a Provisional Authority to Operate to Microsoft Customer Relationship Manager Online on Sept. 22, FedRAMP Director Matt Goodrich told FCW. Microsoft took 15 weeks to complete the FedRAMP Accelerated process Goodrich told FCW in an interview.
"That's almost seven times faster" than the average, he said.
In August, Claudio Belloli, FedRAMP program manager for cybersecurity, told FCW that Microsoft's CRM would probably be the first to be approved via FedRAMP Accelerated. Belloli was less clear about when Unisys' Secure Private Cloud for Government and 18F's Cloud.gov would get their ATOs, saying that they would they would be cleared in the fall.
The timeframe for those two providers seems to have slipped a bit. Goodrich said the two authorizations are on track to be completed by the end of the calendar year.
FedRAMP's approval process has sometimes frustrated cloud service providers and agencies alike, largely because of the time and cost involved in securing a provisional authority to operate. The JAB review has been especially lengthy, and FedRAMP Accelerated process is focused there. (Cloud providers can also work directly with an agency for an Authority to Operate certification; Goodrich has said previously that he hopes agencies will emulate the new streamlined JAB process.)
In response to complaints about the time it has taken past authorizations, FedRAMP began testing the new accelerated process with three providers -- Unisys, Microsoft and 18F -- back in the spring.
Before FedRAMP Accelerated was launched, the fastest approval took five months, according to GSA. Agency officials have said the average review time was nine to 18 months. At least one authorization, according to Goodrich, took two years.
Goodrich and his team have been pushing to get the approval cycle to within three months since FedRAMP Accelerated was announced.
According to Goodrich, Microsoft completed the process quickly because it did a lot of preparatory work before beginning the formal process, including completing capabilities assessments and an iterative review through a 3PAO. He credited the FedRAMP Readiness Assessment, which the agency introduced in March, for Microsoft's quick completion. That assessment shifted the emphasis from documentation review by the FedRAMP Program Management Office to a capabilities review process through a third-party assessor.
Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.
Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.
Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.
Click here for previous articles by Rockwell.
Contact him at firstname.lastname@example.org or follow him on Twitter at @MRockwell4.