The Federal Risk and Authorization Management Program (FedRAMP) was launched in 2011 to drive forward the U.S. Government’s Cloud-First strategy. FedRAMP eliminated duplicative security assessment efforts by establishing a common accreditation for cloud service providers (CSPs). Once a cloud service offering (CSO) is FedRAMP-certified, any federal agency is permitted to use that service, without developing its own separate assessment. FedRAMP security requirements are based on NIST SP 800-53 security controls, with more stringent parameters specific to cloud computing risks, ensuring robust security for federal cloud operations.
To achieve accreditation, a CSP must demonstrate compliance to either a sponsoring federal agency or the Joint Authorization Board (JAB). This process requires partnership with a FedRAMP-accredited third-party assessment organization (3PAO) that will assess the CSO’s risks and security controls, enabling the federal agency or JAB to make an informed authorization decision.
In the decade since FedRAMP was put in place, the program has marked many successes, while still struggling with persistent inefficiencies.
In a vote of confidence for the program, the General Services Administration released its 2014 FedRAMP Forward roadmap, which estimated that FedRAMP had already saved the federal government $40 million. The two-year plan focused on increasing program awareness, speeding up authorizations, and adapting to changes in the cybersecurity field.
FedRAMP Accelerated was launched in 2016 to further streamline the authorization process. By leveraging 3PAOs to perform a preliminary readiness assessment, CSPs and 3PAOs can address key security problems, conduct testing, and prepare documentation packages prior to the full assessment, contributing to a reduction in authorization times.
Keeping Up With Demand
There are currently 236 FedRAMP authorized CSOs in the FedRAMP Marketplace, with approximately 50 being added each year. The government’s Cloud-First strategy appears to have hit its stride: reuse of FedRAMP-authorized CSOs among federal agencies has increased 85% during the pandemic, and the demand among federal agencies for cloud services grew by 60% in the first half of Fiscal Year 2021.
However, this rising demand has exacerbated the program’s long-standing problems. Despite improvements over the years, the authorization process is still lengthy due to bottlenecks at the JAB and sponsoring federal agencies. Additionally, the cost to CSPs seeking authorization remains elevated at $500,000 to $1 million, effectively pricing small companies out of the market.
The FedRAMP Program Management Office (PMO) aims to mitigate these shortcomings by rolling out an automation strategy. Among other initiatives, the program is using OSCAL (NIST’s Open Security Controls Assessment Language) to make documentation machine-readable, including control catalogs, control baselines, system security plans, assessment plans, and assessment results. Because the documents are structured markup rather than prose, reviewers can provide rapid feedback, and CSPs can even run their own automated self-tests against the package. The PMO also created a web services API specification that allows CSPs to efficiently transfer compliance data to and from a secure repository.
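To show what "machine-readable documentation" buys in practice, here is an added example (not from the original page, and not the FedRAMP PMO’s own tooling) of the kind of self-test a CSP can run before submitting a package: it reads a simplified OSCAL-style profile (the baseline, which selects controls by id) and an OSCAL-style system security plan (the list of implemented requirements) and reports baseline controls the SSP never mentions, controls the SSP claims that the baseline does not require, and required controls whose entry carries no implementation text. The sample JSON is constructed for this example; the field names follow the OSCAL profile and SSP JSON layouts, but they are a small subset of the real schemas, and using the optional `remarks` field as the "has implementation text" signal is an assumption made here for illustration. A real pipeline would first validate the package against the published OSCAL schemas.

```python
"""Added example: baseline-vs-SSP gap check over simplified OSCAL-style JSON.

Not the FedRAMP PMO's code. Field names mirror the OSCAL profile and SSP
JSON layouts, but the documents below are constructed, trimmed fragments,
and the `remarks`-as-evidence check is an assumption for illustration.
"""
import json

# Constructed OSCAL-style profile: a baseline selecting five controls by id.
PROFILE_JSON = """
{
  "profile": {
    "uuid": "00000000-0000-4000-8000-000000000001",
    "imports": [
      {
        "href": "#catalog-placeholder",
        "include-controls": [
          {"with-ids": ["ac-2", "ac-6", "au-2", "ia-5", "sc-13"]}
        ]
      }
    ]
  }
}
"""

# Constructed OSCAL-style SSP fragment: what the system claims to implement.
# au-2 is claimed but carries no text; ac-17 is claimed but not in the baseline.
SSP_JSON = """
{
  "system-security-plan": {
    "uuid": "00000000-0000-4000-8000-000000000002",
    "control-implementation": {
      "implemented-requirements": [
        {"uuid": "00000000-0000-4000-8000-00000000000a", "control-id": "ac-2",
         "remarks": "Accounts are provisioned through the IdP with manager approval."},
        {"uuid": "00000000-0000-4000-8000-00000000000b", "control-id": "au-2",
         "remarks": ""},
        {"uuid": "00000000-0000-4000-8000-00000000000c", "control-id": "sc-13",
         "remarks": "FIPS-validated modules are used for all data in transit."},
        {"uuid": "00000000-0000-4000-8000-00000000000d", "control-id": "ac-17",
         "remarks": "Remote access is limited to the VPN concentrator."}
      ]
    }
  }
}
"""


def load_doc(text: str) -> dict:
    """Parse an OSCAL-style JSON document."""
    return json.loads(text)


def baseline_controls(profile: dict) -> set[str]:
    """Collect every control id the profile selects via include-controls/with-ids."""
    ids: set[str] = set()
    for imp in profile["profile"].get("imports", []):
        for selector in imp.get("include-controls", []):
            ids.update(cid.lower() for cid in selector.get("with-ids", []))
    return ids


def implemented_controls(ssp: dict) -> dict[str, str]:
    """Map each implemented-requirement's control-id to its (possibly empty) remarks."""
    reqs = ssp["system-security-plan"]["control-implementation"]["implemented-requirements"]
    return {r["control-id"].lower(): r.get("remarks", "").strip() for r in reqs}


def gap_report(profile: dict, ssp: dict) -> dict[str, list[str]]:
    """Compare the baseline against the SSP and return the three gap classes."""
    required = baseline_controls(profile)
    claimed = implemented_controls(ssp)
    return {
        "missing": sorted(required - claimed.keys()),
        "not_in_baseline": sorted(claimed.keys() - required),
        "undocumented": sorted(c for c in required & claimed.keys() if not claimed[c]),
    }


def run_check() -> dict[str, list[str]]:
    """Run the gap check over the constructed sample documents."""
    return gap_report(load_doc(PROFILE_JSON), load_doc(SSP_JSON))


if __name__ == "__main__":
    for kind, ids in run_check().items():
        print(f"{kind}: {', '.join(ids) or '(none)'}")
```

Run it as a script and it prints the three lists; in a CI job the same `gap_report` result can fail the build whenever `missing` or `undocumented` is non-empty, which is the kind of feedback loop the structured format makes possible and a Word-based SSP does not.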
As FedRAMP automates to meet demand, MBL Technologies continues to guide companies through the complex authorization process. Contact us for readiness assessments, full assessments, continuous monitoring and expert consulting.