The Federal Risk Assessment and Management Program (FedRAMP) is poised to take a major step forward as the House and Senate take up the National Defense Authorization Act (NDAA) of 2021 – a high priority post-election. This must-pass legislation authorizes appropriations and establishes policies for the Defense Department.
The House version of the NDAA includes an amendment that would codify FedRAMP into law, giving the program a statutory foundation and formal standing for congressional review. The amendment is the entire text of the bipartisan FedRAMP Authorization Act, introduced by Rep. Gerry Connolly, D-Va., and then-Rep. Mark Meadows, R-N.C. Its inclusion in the NDAA improves its chances of becoming law.
Connolly, chairman of the House Government Operations Subcommittee, has said the amendment will streamline cloud acquisition and enable more providers to offer cloud solutions to Federal agencies.
The FedRAMP program provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Since its launch in 2011, the program has increased the pace at which cloud solutions are approved for use in Federal agencies and worked to streamline the authorization process. However, government and industry leaders say the process of gaining Authority to Operate (ATO) is still too slow and cumbersome, which hinders the government’s ability to take advantage of innovative cloud services.
The amendment is designed to address shortfalls of the FedRAMP program, including the reluctance of some Federal agencies to accept ATOs granted to cloud services by other agencies. While FedRAMP was designed to accelerate adoption of secure cloud solutions through reuse of assessments and authorizations, in practice, agency reuse of ATOs is limited.
“There’s a lot of talk about reciprocity in the government. In practice, though, many times agencies want vendors to go through their own process,” said Lorenzo Winfrey, senior product manager at Rackspace Technology, who spent 12 years at the Defense Intelligence Agency, where he was chief of architecture and standards, as well as the lead of the agency’s C2S Cloud Broker team. “If FedRAMP gets codified into law, much of the [authorization] process will become more easily repeatable and predictable.”
Reluctance to accept other agencies’ ATOs is rooted in a review process that is becoming less standardized across agencies, as well as varied risk management approaches. Authorizing officials at one agency do not necessarily trust the authorizing processes at another agency, or even across internal organizations within the same agency, according to a February 2020 report from the Center for Cybersecurity Policy and Law, “The Future of FedRAMP.”
The NDAA amendment addresses reuse of authorizations by establishing a presumption of adequacy for FedRAMP authorized cloud services. In addition, the amendment addresses resource challenges by providing $20 million annually to the FedRAMP Program Management Office and the Joint Authorization Board. The amendment also addresses lack of enforcement by requiring the Office of Management and Budget (OMB) to ensure all agencies get authorizations for cloud services.
In a 2019 report, the Government Accountability Office (GAO) noted that 15 of 24 agencies surveyed said they used cloud services that were not authorized through FedRAMP. GAO observed that OMB has not monitored agencies’ compliance or held them accountable to the requirement to use FedRAMP for authorizing cloud services.
Of the 15 agencies that used unauthorized cloud services, “one agency reported that it used 90 cloud services that were not authorized and the other 14 agencies reported using a total of 157 cloud services that were not authorized through the program,” Winfrey noted. “That gets away from the Cloud Smart concept. If FedRAMP is codified into law, it will increase the pool of solutions that government could utilize.”
Increasing the pool of FedRAMP-authorized solutions is essential to enabling agencies to take advantage of modern, emerging technologies such as the Internet of Things (IoT) and artificial intelligence (AI), the Center for Cybersecurity Policy and Law noted in its report. Both are reliant on cloud services to support their operation.
“ … agencies will continue to feel pressure to increase and improve their capabilities through the use of IoT. This, in turn, will mean that more cloud products and services will need to be authorized,” the center said. It also noted: “Often, the ability to leverage AI capabilities is predicated on being able to utilize the cloud services where they are hosted, which may be outside what an agency has determined to be its cloud security boundary. Replicating such services inside that boundary can be cost-prohibitive, leaving innovations that could benefit agency missions inaccessible.”
“The Future of FedRAMP” recommends several steps designed to enable the Federal government to leverage emerging innovation in cloud computing, including a study of how to accelerate the secure adoption of IoT- and AI-enabled cloud services and software.
Winfrey agrees action is needed. “We’ve seen FedRAMP authorizations double in the last few years, which is commendable,” he said. “But at that current rate, it may be close to a decade before we approach an ideal volume of solutions getting authorized on a yearly basis. Looking at what’s happening in AI, DevSecOps, IoT, and machine learning, that’s too late. We have to figure out how to get these solutions into the hands of the people that need them, faster.”
“As the FedRAMP program continues to evolve, FedRAMP Connect must become a more integral part of the program through increased transparency and collaboration with industry and government stakeholders to continue to help accelerate the journey of the highest-value solutions to FedRAMP compliance,” Winfrey suggested. “The Federal government’s ability to leverage these technologies and approaches will be critical to our country’s ability to deliver technical capability when and where the mission demands.”