Industry Group Weighs In: FedRAMP Needs Fixing

Nata-Lia/Shutterstock.com

The industry group’s recommendations mirror efforts announced by the FedRAMP office last week, which focused on speeding up authorizations as well as increasing transparency.

The Federal Risk and Authorization Management Program needs an overhaul to better make use of the “do once, use many times” cloud security certification process, according to an industry advocacy group report.

The report, released today by the FedRAMP Fast Forward group, outlines a six-point plan that could help make the government’s process for authorizing cloud services cheaper, more efficient and more transparent, the group argues.

Recommendations from the report:

  • Normalize the certification process. Cloud service providers can take several routes to an authority-to-operate, and not all are seen as equal. That fundamentally undermines the value proposition of the FedRAMP program, according to the industry group.
  • Increase transparency about the approval process, including what it takes to gain approval, and the time and costs involved.
  • Harmonize security standards, so cloud providers can meet some FedRAMP requirements through compliance with existing international and privacy standards.
  • Reduce the cost of continuous monitoring for cloud providers that have achieved an ATO.
  • Enable providers to upgrade their cloud environments while remaining compliant with FedRAMP requirements.
  • Help cloud providers map their FedRAMP compliance to Defense Department security requirements, rather than forcing them to start over again to obtain the ability to provide cloud services to DOD

The report is worth a read, and no doubt will carry some influence among federal officials, who share significant engagement with industry stakeholders through FedRAMP’s outreach efforts already.

The industry group’s recommendations mirror efforts announced by the FedRAMP office last week, which focused on speeding up authorizations as well as increasing transparency.

The group’s recommendations do, however, provide metrics that back the case that authorities to operate are far more expensive than they used to be and should be reduced.

Citing an external report, costs for FedRAMP ATOs as recently as two years ago were approximately $250,000 over up to nine months. They have since ballooned to more than $4 million with no reduction in time to market, according to the industry group.

(Image via /Shutterstock.com)