Analysts Praise FedRAMP's Speed Goals, But Worry About Unclear Execution Details

A plan to overhaul how cloud providers sell to the federal government promises a faster, more efficient path through red tape – but leaves vendors guessing on how it will actually fix the costly delays, vague directives and murky rules that control access to the world’s largest buyer.
The Federal Risk and Authorization Management Program was launched in 2011 under President Barack Obama to streamline how federal agencies assess, authorize and monitor cloud services. While it’s been credited with standardizing cloud security and accelerating adoption across government, FedRAMP has long been plagued by slow, expensive processes, agency sponsorship bottlenecks, backlogs and opaque, overlapping requirements.
FedRAMP 20x, a new initiative from the General Services Administration, aims to partner with the private sector to develop a cloud-native, continuous security assessment model that evaluates automated monitoring outcomes and enforces best practices to meet federal requirements. The program plans to apply industry-standard security frameworks and automate more than 80% of FedRAMP controls “without the need to write a single word about how it works,” according to its website.
The program office published in late March a blog post titled, “A New Roadmap for FedRAMP,” including four primary goals that include making security expectations clearer, simplifying the process for cloud providers, scaling a trusted marketplace and building a data-first, API-first foundation for FedRAMP. The blog said FedRAMP “will centrally take on more post-authorization monitoring and automate as much of it as possible.”
FedRAMP practitioners, federal cloud security specialists and cybersecurity professionals who spoke to Information Security Media Group welcomed the push to automate security assessments and streamline approvals. They warned that without clear details on execution, the changes risk creating new uncertainties in the process and disrupting companies midway through the existing process. Program officials said they will establish a series of community working groups to serve as a platform for industry and the public to engage directly with FedRAMP experts and collaborate on solutions that meet its standards and policies.
“This is both exciting and scary,” said John Allison, senior director of federal advisory services for federal cybersecurity solutions provider Optiv + ClearShark. “As someone who works with clients on their FedRAMP strategy, this is going to open new options for companies – but I can see a lot of uncertainty weighing heavily on corporate leadership until more details are available.”
Automation may help reduce costs and timelines, he said, but companies mid-process could face disruption and agencies will shoulder more responsibility until new tools are in place. Allison said GSA could further streamline FedRAMP by allowing cloud providers to submit materials directly and pursue authorization without an agency sponsor.
Jacob Horne, chief cybersecurity evangelist for Summit 7, a managed security service provider for the Department of Defense, warned automation would have a downside if it omits critical controls.
“So far, the announced changes are mostly well-meaning goals that lack enough details to judge appropriately,” Horne told ISMG. “Terms like ‘hands off’ and ‘automation’ sound great when it comes to addressing the traditionally glacial and risk-averse FedRAMP process of the past.”
Working groups established to develop processes for automating assessments and applying existing frameworks “have yet to grapple with the ultimate goal of programs like FedRAMP: increased assurance.”
GSA – which administers FedRAMP – and the FedRAMP program office did not immediately respond to requests for comment. FedRAMP Director Pete Waterman said in late March that his office plans to clear the agency authorization backlog by the end of April.
Shrav Mehta, founder and CEO of Secureframe, said it appears likely FedRAMP will meet its goal of clearing the authorization backlog by month’s end, pointing to a recent surge in approvals. While only a few authorizations were typically completed each month in the past, Mehta said the pace has jumped to 8 to 10 per week.
“Automation eliminates tedious, manual documentation tasks so security professionals can focus on strategic risk management and threat response,” Mehta said, adding that FedRAMP’s proactive collaboration with the industry early in the process “has already proven highly effective.”