Page 18 - FCW, May 15, 2016

FedRAMP Timeline
FEB 2010: FedRAMP concept announced
DEC 2010: Federal Cloud Computing Strategy published
DEC 2011: FedRAMP policy signed
MAY 2012: First third-party assessment organizations accredited
JUN 2012: FedRAMP launches
DEC 2012: First provisional cloud security authorization issued by FedRAMP Joint Authorization Board
MAY 2013: Department of Health and Human Services grants first agency provisional authority to operate
JUN 2014: Official deadline for agency FedRAMP compliance
DEC 2014: FedRAMP Forward roadmap released
JAN 2015: Defense Department announces cloud security requirements that build on FedRAMP
FEB 2015: First CSP Supplied accreditation announced
MAR 2016: Revised process for JAB approval released
MAY 2016: CSP Supplied packages no longer accepted; guidelines on prioritization of JAB reviews expected
Resource constraints have been part of the problem: JAB is staffed by the CIOs from GSA and the departments of Defense and Homeland Security, and until this year, those agencies had no dedicated funding for FedRAMP efforts. What GSA found during discussions with more than 85 stakeholder groups, however, is that the documentation-driven process is the primary culprit.
On the government side, Goodrich said, the FedRAMP team was looking at documentation “to try and understand a CSP’s system” and then using that to identify any gaps and instruct the CSP on changes required to provide the needed cloud capabilities.
For the CSPs, however, “you know what the capabilities are,” Goodrich said. Providers look at their systems, identify what they need to do to meet federal requirements, implement those changes “and then you document.”
The new path to approval
“We will never trade rigor for speed, [but] we do want to see how fast we can make this happen.”
— MATT GOODRICH, GSA
The new approach is all about putting the FedRAMP PMO on the same path that CSPs are using. “We want to understand capabilities upfront, too,” Goodrich said. The old approach’s emphasis on documentation of “notional systems” often accounted for 70 percent to 80 percent of the total review process, he added. “That’s a lot of time to be looking at paper and to not be looking at a system.”
Central to the new process is the FedRAMP Readiness Assessment Report — an upfront gap assessment of a cloud service’s security that Goodrich said most successful FedRAMP candidates already conduct over a span of a few weeks. CSPs that want to work with JAB will now need a third-party assessment organization, or 3PAO, to conduct that readiness assessment before diving into detailed documentation.
If the 3PAO gives the cloud service passing marks and the PMO agrees, that provider would be declared FedRAMP Ready.
The FedRAMP Ready designation was originally adopted in 2014 because GSA “wanted differentiators to show which vendors were serious about working with the federal government,” Goodrich said. The new front-end assessment, however, will make that label “really mean something,” he added, and give agencies confidence that the service would be approved for use in relatively short order.
A FedRAMP-ready CSP would be required to complete a full FedRAMP Security Assessment before moving on to JAB for approval. That, too, is a change from the current approach, which often involves multiple rounds
ZAID HAMID