FCW, May 15, 2016, page 15

Commentary | Dave McClure
Dave McClure is chief strategist at Veris Group.
FedRAMP Accelerated: Three wishes
The recently announced changes to one of the government’s most important security programs are a good start, but additional fixes are needed
When I led the design and initial implementation of the Federal Risk and Authorization Management Program, we knew it would be evolutionary and that changes were inevitable in order for it to scale.
So the recent announcements of forthcoming FedRAMP revisions are a welcome tune-up to one of the most important security programs in government.
After listening to industry, government and third-party assessment organizations (3PAOs), the FedRAMP program management office is taking important steps to make the process more predictable, transparent and streamlined.
Here are the most notable changes:
• A FedRAMP Readiness Capabilities Assessment performed by an accredited 3PAO will be required of all CSPs going through a Joint Authorization Board review. (See page 16 for more on the new JAB and FedRAMP Ready processes.)
• A FedRAMP high baseline is being tested and will be put in place shortly.
• Defense Department Security Requirements Guide levels are being mapped to FedRAMP moderate and high baselines, which will ensure greater congruence between the defense and civilian cloud assessment processes.
Those changes are clearly steps in the right direction. However, if a genie granted me three wishes for additional FedRAMP changes, I would argue for the following:
1. All federal cloud service acquisitions must be grounded in FedRAMP certifications. It is admirable that some 80-plus cloud solutions have a FedRAMP-backed authority to operate, and many more are in the pipeline. But agencies are using hundreds if not thousands of cloud solutions without FedRAMP authorizations. That creates market confusion and uneven ground in competition for cloud services, and a huge disincentive for companies to spend the resources to obtain FedRAMP ATOs.
If FedRAMP is mandatory, then the Office of Management and Budget should enforce it (through TechStat, portfolio reviews and the budget process) and apply it to both new and existing cloud-based services in government.
2. Agency use of pre-existing FedRAMP Ready assessment packages must become mandatory. This is not currently required, and it continues to undermine the original desire to have agencies do the bulk of cloud security assessments under FedRAMP. Put simply, an agency should not be starting from ground zero when doing a FedRAMP assessment on a cloud vendor solution that has already received an ATO from another agency or JAB.
Yes, the risk profile of an agency might be different, and that is a legitimate reason for doing some additional or modified security controls testing. The baseline requirements are the same. So throwing the baby out with the bath water should not be allowed. To do so would take us back to a Federal Information Security Management Act-like paradigm with duplicative assessments.
CSPs should have a hotline into the FedRAMP PMO and/or OMB’s e-government office to report suspected deviations, and OMB must be able to review and change agency directions if necessary.
3. The government should provide more transparency and information on how JAB will prioritize its reviews of FedRAMP Ready solutions. CSPs must make business decisions about whether and when to pursue FedRAMP authorizations through JAB or with an agency. Because the CSP Supplied route has been scrapped, companies with little or no past government business don't have a clear option. They can go through the review process and become FedRAMP Ready, but without knowing how JAB is prioritizing its review queue, the CSP is put in a difficult position.