The first two-and-a-half years of FedRAMP—the government’s program to jump-start adoption of cloud computing through blanket security authorizations for service providers—has been a success; but the Federal CIO Council has created a two-year roadmap to speed agency adoption of cloud services, increase the pool of certified service providers, and keep security requirements up to date.
By almost any measure, the first two-and-a-half years of FedRAMP—the Federal Risk and Authorization Management Program—have been a success. The program jump-starts government adoption of cloud computing by providing a preliminary security authorization for cloud service offerings that can be reused across agencies. Since its launch in 2012, 27 service providers have been certified as FedRAMP compliant and there have been more than 160 implementations of the services. The Federal CIO Council estimates that the government has realized $40 million in cost savings through a $13 million investment in the program.
FedRAMP has been “fantastic,” said Christian Heiter, CTO of Hitachi Data Systems Federal, a provider of virtualization and cloud management solutions. It has simplified the task of offering cloud services to agencies and reduced the cost to government. Federal spending on cloud services is estimated at from $2 billion to $4 billion annually and is expected to grow by up to 4 percent a year.
But, “I don’t think it’s big enough yet,” Heiter said. “I don’t think the government has enough choices.”
The Federal CIO Council has created a roadmap—FedRAMP Forward: 2 Year Priorities—to speed agency adoption of cloud services, increase the pool of certified service providers and keep security requirements for the program up to date. The plan, released in December, has three areas of focus: increasing stakeholder engagement, improving efficiencies in the certification process, and staying aligned with the evolving cybersecurity threat landscape.
FedRAMP is a foundation of the administration’s Cloud First policy, under which agencies are to consider cloud solutions to IT needs when appropriate. One of the big challenges to cloud adoption was the Federal Information Security Management Act, under which all federal IT systems—agency-owned or contracted—must be certified as meeting adequate security requirements. Having every agency certify its own service providers would be time-consuming and expensive, and could hinder the use of cloud services. In June 2012 FedRAMP established baseline security requirements for cloud providers, and has since accredited a number of Third Party Assessment Organizations that certify compliance with this baseline.
Agencies still must certify that a cloud platform meets their specific security needs, but being able to start from the FedRAMP baseline rather than from scratch saves both agencies and service providers time and money. According to the CIO Council, the average FISMA security certification costs about $250,000. Estimates for the cost of a FedRAMP certification run from $250,000 to $1 million, so the ability to reuse a single government-wide approval can be a big savings.
Streamlining the process—not cutting corners on security, but making assessments more efficient, standardized and repeatable—could generate more savings. The current Security Assessment Framework for cloud service providers is complex, and certification can take from four months to more than a year. Speeding the process could make the federal market more attractive to small and medium-sized providers, resulting in greater choice and competition for agencies.
The current list of approved cloud providers [http://cloud.cio.gov/fedramp/cloud-systems] includes a variety of offerings from many of the big players who were early entrants—Akamai, AT&T, Lockheed Martin, Microsoft, Amazon and Verizon. But Heiter said there are many more providers that could enter the market, expanding the range of services and pricing options. He said HDS is considering standing up its own cloud offering. “We looked at it a year ago, but FedRAMP Forward will make it easier.”
In addition to streamlining, the plan also calls for reaching out to stakeholders. “In order to reach the full breadth of cloud providers working with the Federal government as well as encourage new and innovative services to be available for use, stakeholder engagement with FedRAMP needs to increase,” the authors of the roadmap wrote.
The program also must keep abreast of evolving security needs. “In order for FedRAMP to continue its growth, it is recognized that the cybersecurity landscape evolves constantly—practically on a minute-to-minute basis,” and FedRAMP must adapt to these changes in its application of FISMA, NIST standards, and DHS guidance.
The plan also includes continuous monitoring and reporting requirements for cloud resources, as well as developing a higher security baseline that is aligned with other federal IT initiatives, such as Trusted Internet Connection, HSPD-12 for physical and logical access control, IPv6 transition, and Continuous Diagnostics and Mitigation.
FedRAMP Forward establishes 6-, 12-, 18- and 24-month goals for each objective in the roadmap.