The General Services Administration is working overtime to get the first set of cloud-computing services through their cyber hurdles.
The Federal Risk and Authorization Management Program (FedRAMP) is five months into its initial operating capability of reviewing and offering preliminary approval to vendors that meet the cyber standards for cloud services. And the list of agencies and companies wanting to take part is growing faster than expected.
“We’ve got over 50 applications from cloud service providers. We’ve got six in the queue, and we have a target of issuing three [vendors a] Joint Authorization Board-approved authority to operate by the end of the calendar year,” said Kathy Conrad, GSA’s principal deputy associate administrator in GSA’s Office of Citizen Services and IT, which runs the FedRAMP program office. “We’ve also got 15 accredited third-party assessment organizations and more in the queue.”
Conrad, who spoke last month at the Information Security and Privacy Advisory Board meeting in Washington, said the interest isn’t only from vendors. GSA surveyed agencies to find out how they want to use FedRAMP.
“We found that there were 80 opportunities to leverage cloud-based ATOs across government, which again is a great validation of demand,” she said. “The JAB prioritizes the applications we’ve received according to a number of criteria, including the extent to which they have acquisition vehicles like GSA’s blanket purchase agreements for infrastructure-as-a-service or email-as-a-service to move them quickly into the federal market.”
Webinar on FedRAMP Nov. 7
But Conrad said the JAB also wants a diverse set of approved cloud services because the demand among agencies is growing.
GSA is holding a FedRAMP webinar Nov. 7 to help vendors with the review process.
Conrad said the first five months of FedRAMP have given the program management office several new challenges to address and areas to improve upon.
She said it’s critical for vendors to make sure they are ready to go through the third-party assessment. GSA is trying to help them ensure they are prepared before submitting an application.
“We’ve put together a very thorough checklist that is available on FedRAMP.gov that helps cloud providers understand what they really need to do to move successfully through this process,” Conrad said. “We’ve also adjusted the definitions and requirements so we can do more in parallel. We are interviewing cloud providers to really help understand…the extent to which the cloud provider already has in place the kind of robust, rigorous documentation that’s necessary to validate the way in which they implement the controls.”
Another important lesson GSA is focusing on is not trading rigor for speed. Conrad said the rigor of the FedRAMP process is central to the entire effort.
Multiple paths to an ATO
GSA also is trying to encourage vendors to look at the multiple paths through FedRAMP.
Conrad said going through the JAB is one way, but vendors also can go through their agency customer to get an ATO and then put their documents in the FedRAMP repository for others to use.
“We are putting in place our secure repository. We are looking to accelerate and streamline the review process,” she said. “We are looking to learn along the way to improve the way the program is operationalized, but do so with integrity and rigor throughout.”
Conrad added that the PMO also is finding another issue: the need for cloud providers to have background investigations. The JAB is just beginning to understand what this means for FedRAMP.
The JAB also is watching how the National Institute of Standards and Technology (NIST) is updating its security controls publication, SP 800-53. Conrad said the JAB bases its security controls on the NIST publication.
NIST currently is reviewing revision 4 of the document and expects to finalize it in the coming months.