FedRAMP has slashed the time it takes to complete the security authorization of cloud services for federal agencies from 12-24 months to six months.
The results of the “FedRAMP Accelerated” initiative, devised last year to speed up authorizations, are revealed in a newly released white paper.
The FedRAMP program started in 2011 to establish a framework for federal agencies to secure cloud services and products that comply with White House and NIST security requirements. Within four years, though, concerns had been raised that security authorizations were taking too long, so in 2015 FedRAMP began collecting stakeholder feedback. Complaints included JAB authorizations taking too long, rigorous reviews not always adding value to a system’s security, and a lack of clarity about program expectations among stakeholders. Vendors also felt that the program sometimes required a prohibitively large amount of resources, which at times prevented them from doing business with the federal government. There were some positives, though, with stakeholders commenting that the FedRAMP standards were some of the best for cloud security, and rigorous enough to protect federal information.
After the results were shared with the Joint Authorization Board, targets for change were agreed upon, including cutting authorization times to six months and adding greater transparency and predictability to the process. “Other than speed, all of the goals aligned with what had made FedRAMP’s growth successful to date: solid risk assessments of CSPs, well documented system plans and assessment results, an effort to efficiently use team resources, and to be as transparent as possible,” says the report.
The research identified three focus points for FedRAMP: finding a better way to understand the system, finding a way to have an ongoing view of a cloud service provider’s practices, and finding a better delineation of work between the JAB and PMO systems. Once the areas for improvement were identified, FedRAMP worked on transforming the authorization process by designing a four-step process: a Readiness Assessment, a FedRAMP Ready determination, a security assessment, and the JAB authorization process. “Instead of working in a waterfall approach, the new process employs a more agile, iterative approach that allows for drastically decreased time to review a CSP’s capabilities and security,” says the report.
The completed design of the new process was tested with three vendors of varying sizes, and all three were able to get an authorization decision within 20 weeks. FedRAMP says that some of the key reasons the new process has worked are that the readiness assessment allows vendors to align their expectations, that the JAB was able to receive the full documentation and testing from the CSP and 3PAO at the beginning of the process, and that the updated JAB Charter ensured resources were aligned correctly so that clear decisions could be made more quickly throughout the authorization process.
The white paper states that FedRAMP Accelerated is now considered to be complete and successful — less than 18 months after testing the process, authorizations have ranged from 12-19 weeks. FedRAMP has also released an Agency Authorization Playbook, an actionable guide for agencies to complete authorizations within the same timeframe. It has also changed the process for selecting vendors to work with the JAB, launching its FedRAMP Connect process where vendors are publicly prioritized for working with the JAB through a collaboration with the CIO Council and the White House.