FedRAMP Continues its Evolution

By: William Jackson
July 31, 2015


Six months into FedRAMP Forward, a two-year initiative to improve agency adoption of cloud services, the program is citing success and continuing to fine-tune its policies.

The FedRAMP Program Management Office says that 82 percent of more than 1,400 federal cloud implementations have received FedRAMP authorization and that the program saves an estimated $70 million a year through use of the authorizations by multiple agencies.

At the same time, the program is continuing to fine-tune its policies and operations to speed adoption of cloud services and to ensure the security of government data on commercial cloud computing platforms. Accreditation requirements for third-party assessment organizations (3PAOs) are being updated to improve training and oversight, and a $250,000 competition has been announced to create tools to automate FedRAMP reviews.

The Federal Risk and Authorization Management Program (FedRAMP) was launched in 2012 to jump-start government adoption of cloud computing by providing a reusable security authorization for service offerings. The program streamlines the process of ensuring that cloud services comply with the Federal Information Security Management Act by letting multiple customer agencies use the baseline authorization. This helps service providers by reducing the expense and time spent on security certifications, and helps agencies by simplifying and speeding the acquisition process.

In December 2014 the Federal CIO Council announced FedRAMP Forward, a two-year roadmap to further streamline the process. It focuses on increasing engagement with stakeholders, making the certification process more efficient and adapting to the evolving cybersecurity threat landscape. Federal spending on cybersecurity has decreased steadily since its peak in 2010, while the number of security incidents reported by agencies has steadily increased.

In the first six months of FedRAMP Forward, the number of certified service providers has increased 41 percent to 38, offering an estimated 700 compliant cloud systems. Forty-one 3PAOs, the companies authorized to assess service providers for FedRAMP, have been accredited.

3PAO accreditation requirements are being updated for the first time, and a draft of the updated requirements was released for public comment in July. FedRAMP sets requirements for accreditation, and the 3PAOs are accredited by the American Association for Laboratory Accreditation. The updated requirements are intended to:

  • Improve oversight of the program
  • Ensure 3PAOs have adequate resources for their work
  • Ensure that information from service providers being evaluated is secured
  • Require adequate training
  • Improve quality control

Comments on the update are due by Aug. 20.

Service providers also are evaluated by the FedRAMP Joint Authorization Board (JAB). To help the board keep up with demand, a competition has been launched at Challenge.gov to automate the JAB authorization process. The goal is an open source tool that automates quality reviews of authorization packages, with a total of $250,000 in prize money that can be split among up to three winners.

The reviews now take from 24 to 40 hours to complete and usually require three or four full-time personnel. “We believe 75-90% of this process can be fully automated,” the FedRAMP program office said. It expects the tools to be available within 12 months.