Coming soon: A faster FedRAMP
The director of the FedRAMP cloud service authorization program offered a preview of what's on tap for the coming reboot.
The General Services Administration is retooling the Federal Risk and Authorization Management Program to make it faster for vendors to receive approval through GSA or the Defense Department's Joint Authorization Board. GSA also plans to rely more heavily on JAB for help with the process.
The FedRAMP office interviewed 85 stakeholders from vendors, agencies, third-party assessment organizations (3PAOs) and JAB to solicit input on enhancing FedRAMP, Director Matt Goodrich said during a March 23 presentation to the government's Information Security and Privacy Advisory Board.
GSA will detail the improvements in a daylong seminar on March 28, and topics include reducing the authorization time to six months or less, focusing on capabilities upfront without having to slog through sometimes deep and lengthy documentation, increasing the reliance on 3PAOs, and delineating clear rules of engagement for testing and documenting solutions.
In the past few months, vendors have become more vocal about the increasing wait times and uncertainty about the approval process. Goodrich said the more transparent and responsive process will remove some of the risk associated with unpredictable wait times.
He also said GSA has been testing the new process since early March, and he hopes JAB will become more involved in FedRAMP in the coming months. The board has been lending a helping hand by reviewing and providing joint provisional security authorizations for cloud solutions.
In an interview with FCW after his presentation, Goodrich said he does not consider GSA's plan for FedRAMP to be a redesign.
"The process is not broken," he said. "It has worked. We have the pieces. We put them together more efficiently."