Page 19 - FCW, May 15, 2016

of iterative review — each with wait times for the JAB agencies’ attention. Previously, Goodrich said, a full assessment was not required because “it was pretty risky for providers” to make that investment without any certainty they could secure FedRAMP approval. But “the front-end assessment eliminates almost all of that risk,” he added, and “we believe it is now reasonable to ask for all this upfront so that we can make the process predictable and certain.”
The window for public comment on the plan closed April 29, and the new process is now being tested with three CSPs: Unisys, Microsoft and GSA’s own 18F, which is seeking FedRAMP approval for Cloud.gov. Those trials will continue into June, and barring major problems, the new method would then be available for other providers seeking a JAB-issued provisional authority to operate. Agencies, of course, are able to sponsor their own FedRAMP authorizations as well. The new approach is only for JAB reviews, Goodrich said. Agencies are not required to use the new approach, but he said officials hope they will see the benefits and follow suit.
The third path to FedRAMP approval, however — the so-called CSP Supplied process, where a provider tests and documents without a government sponsor — has been abandoned. CSPs could submit completed packages until April 29 but now must either find an agency sponsor or shift to the new JAB approach.
Does faster equal fixed?
Speed has not been the only friction point for FedRAMP. Vendors have complained, for example, that other common security and privacy standards are not mapped to or recognized by the FedRAMP framework, forcing CSPs to duplicate costly certification efforts. Many agencies have been reluctant to shoulder the authorization burden themselves, adding to the JAB logjam.
Furthermore, DOD continues to explore changes to its own cloud security approach that builds on, but doesn’t always map to, FedRAMP controls.
Nevertheless, Rep. Gerry Connolly (D-Va.), whose district is home to federal contractors large and small, has expressed cautious optimism about the FedRAMP changes. “I think they’d be a good improvement,” he told FCW. He described the old FedRAMP process as a “bureaucratic nightmare” — but one that’s not necessarily the FedRAMP team’s fault.
Agencies, worried about Federal Information Security Management Act compliance, “mucked up the works” by demanding their own reviews, Connolly said. There needs to be more “reciprocity throughout the federal family” on cloud, he argued — something he said demands trust among agencies more than it does any program changes.
Rep. Will Hurd (R-Texas) had a similar take. Agencies’ hesitation to embrace cloud frustrated him more than any FedRAMP inefficiencies. “If they have frictions, then we should be able to tweak and improve,” Hurd told FCW. But “the idea that an agency is better prepared to defend their digital infrastructure than someone who does this for thousands of clients is still mind-boggling to me.”
Connolly said that, for now, he’s happy to let the FedRAMP PMO take the lead on reforms.
“I think this could be solved administratively,” he said, but if feds can’t get the system working, he’s not afraid to step in.
“This current process is unacceptable,” Connolly said. “Congress won’t accept it.”
Mark Rockwell and Zach Noble contributed to this report.
What agencies are asking about FedRAMP
FCW talked with FedRAMP evangelist Ashley Mahan about her role in helping agencies adopt cloud technology
BY MARK ROCKWELL
As the official Federal Risk and Authorization Management Program evangelist at the General Services Administration, Ashley Mahan addresses federal agencies’ cloud computing and security concerns.
She does not simply laud the benefits of cloud computing and FedRAMP security, however. Mahan has the technical knowledge to back up her pitch to agencies and the collaborative skills to help them find the right cloud service provider.
Although she started as FedRAMP evangelist in October, she’s been helping get cloud service providers through FedRAMP’s Joint Authorization Board approvals since 2014, when she was an information security officer.
Before that, she served as a cybersecurity adviser for the federal government for 10 years. She also developed and implemented robust cybersecurity awareness training programs to educate federal workers about evolving cyberthreats and helped support agencies as they went through cybersecurity inspections.
According to Mahan, there are still misconceptions about how FedRAMP operates, but that’s why she’s working hard to explain the technology and the process. Her job involves creating a unified vision of cloud and security for all agencies.
And that mission of creating a unified vision is infectious, she said. As one agency develops a cloud mis-