Page 10 - FCW, Nov/Dec 2016

Commentary | RICK BARNARD
RICK BARNARD is head of Huddle’s U.S. Public Sector.
Think FedRAMP is a bottleneck? Think again.
The Federal Risk and Authorization Management Program deserves praise, not criticism, and here are four reasons why
In recent months, members of industry and the media have loudly criticized the Federal Risk and Authorization Management Program. For example, security professionals say FedRAMP’s security controls are not strong enough, and compliance alone does not ensure information security. Other critics say FedRAMP makes it harder for government agencies to move to the cloud.
However, those criticisms are false and not deserved.
Perhaps industry has lost sight of all that we in the federal IT sector have accomplished since FedRAMP was established. Without it, there would be no standard controls or processes in place for government agencies to evaluate or share. FedRAMP saves significant time, money and resources, and it provides enhanced security visibility through standardized continuous monitoring reports and risk-based security management.
We all owe a debt of gratitude for FedRAMP’s dedication in support of enabling federal — and state and local — agencies to adopt cloud services. Understanding the program’s impact is imperative.
Here are four reasons why FedRAMP’s accomplishments should not go unnoticed:
1. FedRAMP offers multiple routes to authorization. Cloud service providers have three paths to authorization. The most commonly used is to gain provisional authority to operate (ATO) from FedRAMP’s Joint Authorization Board. Alternatively, a company can be granted an ATO by an agency.
Lastly, although no companies have used this method to date, a CSP can work with a FedRAMP-accredited third-party assessment organization (3PAO) to complete all required documentation, testing and security assessments.
Costs tend to vary widely depending on the path, but all the approaches result in the same end goal: FedRAMP authorization and an opportunity to sell cloud products and services in the federal market.
2. FedRAMP encourages built-in security. There is a significant investment required for companies to meet the government’s security standards, as there should be. It takes time and money, but the size of that investment depends on how prepared a company is before embarking on the FedRAMP process. Services built with government security at their foundation can make it through FedRAMP approval much faster and at much lower costs than commercial services that must be retrofitted.
3. FedRAMP makes it easy for agencies to share ATOs. CSPs go through the FedRAMP process only once. Government agencies have different information standards and requirements, and therefore, each will want to review a CSP’s ability to meet those needs. Fortunately, the FedRAMP portal offers a quick and easy way for government officials to review a CSP’s FedRAMP package, 3PAO assessment results, ATO letters from other agencies and more.
4. FedRAMP has broad appeal. FedRAMP is expanding beyond only serving the federal government, with state and local agencies showing interest in the program. California officials are currently awaiting approval to use FedRAMP to minimize the risk to state data and constituent information and as a way to provide those constituents with a secure platform.
Many other state and local governments are beginning to follow in California’s footsteps, showing early indications of FedRAMP’s long-term accomplishments.
Although FedRAMP has developed fast, it has remained comprehensive. It has also served the intended goal of qualifying government-ready service providers and sharing ATOs across agencies. Its accomplishments are real and should not be tarnished by those who are not ready or who want to make noise for financial gain.