The forecast is looking brighter for FedRAMP.
The FedRAMP Project Management Office (PMO) has worked to make cloud procurement more transparent and more efficient. At June’s Cloud Brainstorm event, Congressmen Will Hurd (R-Texas), Gerry Connolly (D-Va.), and FedRAMP leadership from the General Services Administration (GSA) shared perspectives on progress to date and what’s ahead.
Most agree that the FedRAMP Accelerated program, which modified how the FedRAMP Joint Authorization Board (JAB) authorizes cloud service providers (CSPs) to make the process significantly faster and more predictable, has eased concerns and is driving positive change. Rep. Connolly said legislators are pleased with FedRAMP’s progress, sharing, “It wasn’t that long ago that we were feeling pretty dire about how FedRAMP was proceeding. Significant improvements have been made.”
An independent study of FedRAMP from May 2017 found that six agencies have used at least 20 CSPs approved under FedRAMP, and that there was an 80% growth in the use of FedRAMP certifications.
That said, industry representatives continue to see the reluctance of one agency to accept another agency’s Authority to Operate (ATO). While agencies are willing to go through the process to get a CSP approved by FedRAMP, contributing to the overall growth in certifications, one agency doesn’t necessarily trust a CSP brought through the process by a different agency, as each agency IT head has a different set of internal standards and guidelines. This is a significant issue, but leadership recognizes the challenges are driven by factors beyond the FedRAMP program.
Matt Goodrich, FedRAMP program director, says that given FedRAMP’s budget, it is neither realistic nor prudent for every vendor to go through Joint Authorization Board (JAB) approval. JAB must be reserved for cloud services that are truly government-wide.
Under the Federal Information Security Act (FISMA), the CIO is the sole individual responsible for accepting cyber risks for their own agency. Acceptable risk for one agency may not translate to acceptable risk for another.
What’s ahead for FedRAMP? The goal is to get to a point where a vendor holding one ATO can go through an even more accelerated process as they apply for the next. Hopefully, the FedRAMP program will continue to streamline and evolve.
FedRAMP can also serve as a driver for cloud adoption beyond federal agencies. Joe Moye, senior vice president of public sector, Virtustream, says, “The state and local government market creates an opportunity to leverage the FedRAMP platform beyond federal agencies. The focus on expediting some of the process is crucial.”
FedRAMP will play a vital role as agencies focus on digital transformation and modernization. It’s important we continue to engage in productive public/private dialog and work together to ensure agencies have the best and most secure cloud options.
Learn more about Dell and Dell Technologies FedRAMP-approved cloud services: http://www.dell.com/learn/us/en/uscorp1/press-releases/2016-04-25-dell-cloud-for-us-government-meets-security-standards and http://www.virtustream.com/cloud/virtustream-federal-cloud/.