Page 50 - FCW, May 2021

Ideas
Government needs a massive investment in FedRAMP
A well-funded shared service could relieve an authorization bottleneck and bring essential cloud services to the government market
BY MICHAEL GARLAND AND GAURAV “GP” PAL
As the Federal Risk and Authorization Management Program marks its 10th anniversary, it is time to applaud FedRAMP's accomplishments, but also to explore ways to scale its operations so the government can adopt innovative software more quickly.
FedRAMP is the much-needed standardized security process through which companies that deliver software via the cloud demonstrate that they meet Federal Information Security Management Act (FISMA) requirements for protecting government networks and data. A FedRAMP authorization is the stamp of approval that gives agencies confidence that a cloud product is likely to be safe to operate on their networks.
To date, no known cybersecurity breach has been attributed to a FedRAMP-authorized cloud product. And although the full details are not yet known, had SolarWinds' maintenance and patch server been held to FedRAMP's controls and continuous monitoring, the most recent cybersecurity crisis might have been detected earlier or avoided entirely.
FedRAMP is a great concept, but cloud providers attempting to achieve an authorization will quickly point out a few problems, most of which stem from FedRAMP's inability to scale to meet demand. This is not the fault of the FedRAMP Program Management Office, which operates on a negligible budget. But a decade after the program's debut, there are only about 200 FedRAMP-authorized products. The pace of authorizations has picked up in recent years, with about 50 products added annually, but that is a drop in the ocean compared with the roughly 15,000 commercial cloud products tracked by Gartner and a $300 billion-a-year cloud industry. Furthermore, it takes the average cloud company anywhere from 12 to 18 months to complete an authorization.

Meanwhile, virtually all modern software is delivered through the cloud. It is a simple, sad fact: an enormous universe of cloud products is currently ineligible for the government market for lack of FedRAMP authorization.
A tall order for under-resourced agencies
Part of the FedRAMP bottleneck stems from limited resources and the complex journey that cloud providers must take. There are only two paths to authorization, and both have limitations. The first is for the FedRAMP Joint Authorization Board to sponsor an authorization, but that team has very limited capacity and can push through only about 12 a year. The other is for an agency to sponsor a cloud product, but an agency that does so does most of the heavy FedRAMP lifting itself.
Most agencies lack the resources to shepherd a FedRAMP application and therefore will do so only in the rare cases when a particular cloud service is essential to their mission. Remember, the current process can take a year or more, and FedRAMP is not a one-and-done proposition. Once a product is authorized, the sponsoring agency must monitor it for compliance for the life of the authorization, which means a continual flow of documentation and management. In other words, once an agency sponsors a product, the relationship never ends: the sponsoring agency is a parent for life.
This is an obvious bridge too far for many agencies that are under-resourced even for their core missions; they simply have no budget for the lifetime cybersecurity management of a commercial software product. Yet, as the ever-increasing threat of cyber intrusion from Russia, China and other malicious actors has shown, cybersecurity is rightly the government's highest-order priority.