The role of FedRAMP in IT modernization: Agencies and industry call for automation, funding, and feedback
On July 17, 2019, Federal officials and IT executives testified before the House Subcommittee on Government Operations. They were calling for greater efficiency, more public feedback, and wider re-use of authorizations granted to cloud service providers through the Federal Risk and Authorization Management Program (FedRAMP). The program was created in 2011 to establish a uniform set of security protocols and monitoring processes for tech companies that use or store Federal data in the cloud.
“Cloud computing has the potential to help agencies modernize their information technology while saving taxpayers money by eliminating the costs to the government of building, operating, and maintaining those IT products themselves,” said Subcommittee Chair Rep. Gerry Connolly (D-Va). “Unfortunately, since the program began, cloud service providers, some of whom are our constituents, have expressed concerns regarding FedRAMP’s efficiency, effectiveness, and transparency.”
FedRAMP Enables Efficient, Secure Cloud Transitions
Anil Cheriyan, Director of Technology Transformation Services for the U.S. General Services Administration (GSA), Jack Wilmer, Deputy CIO for Cybersecurity at the U.S. Department of Defense (DOD), Joseph Klimavicz, Deputy Assistant Attorney General and CIO of the U.S. Department of Justice (DOJ), and José Arrieta, CIO of the U.S. Department of Health and Human Services (HHS), all testified that FedRAMP authorizations had allowed them to implement cloud solutions efficiently and securely.
According to testimony, DOD leveraged FedRAMP to integrate 145 cloud service offerings into its operations. Justice sponsored nine authorizations and uses an additional 18 services authorized through other agencies. And HHS takes advantage of 60 different FedRAMP-authorized offerings. That positive impact multiplies across the whole of government.
“When factoring in the current average reuse of approximately eight times per authorization, the 143 cloud products we have today result in roughly 1,141 authorization reuses that can be used with an estimated $285 million in cost avoidance for the federal government, as well as the time and effort saved by CSPs,” Cheriyan explained.
Officials and industry experts still called for improvements in the authorization timetable, process transparency, and program reciprocity, to ensure that public sector cloud transformation keeps pace with technology innovation. And they found a sympathetic ear on the subcommittee. “We cannot leverage the potential if the process of acquisition is slower than the speed at which technology advances,” Connolly noted.
Infor: Leveraging FedRAMP for Secure Innovation
The testimony reinforced the design philosophy that has made Infor an early adopter and champion for FedRAMP compliance. For public sector executives determined to keep pace with innovation, applications within the Infor IGS authorization boundary undergo rigorous security controls testing against the FedRAMP moderate security control baseline.
Claiborne Collier, Director of Government SaaS at Infor, says the application onboarding process allows Infor to stay ahead of the legislation. “The way we are architected and governed enables Infor to rapidly apply significant changes in a rigorous fashion,” he explains.
Before any application or feature is deployed, it is first developed and tested in Infor’s commercial environment. Then each feature or application is further strengthened to meet FedRAMP standards. Coalfire Systems Inc., the third-party assessment organization that assesses Infor’s FedRAMP control implementation, thoroughly investigates the processes, procedures, and technical mechanisms in the System Development Lifecycle.
James Masella, Coalfire’s Director of FedRAMP and Assurance Services, says every new application must demonstrate a nimble response to risk, conduct ongoing security reviews and assessments, and adhere to security best practices. Penetration tests identify any vulnerabilities or risks, which are then prioritized, tracked, and remedied. Applications within the Infor authorization boundary are continuously monitored, and Security Assessment Reports are submitted to the FedRAMP PMO for analysis and approval.
“In order to meet Infor customers’ demands,” Masella stresses, “a Central Quality Assurance (CQA) Process serves as the development pipeline designed to provide a safe and organized means to deploy their applications within their respective commercial and GovCloud environments.”
The Next Wave of Improvement
At the hearing, industry leaders testified that FedRAMP could become that much more secure and efficient if resources were focused in several key areas: cutting the authorization time frame, encouraging re-use, increasing transparency, and expanding feedback loops.
“CSPs are rolling out new services in their private sector cloud marketplaces every day,” said Jonathan Berroya, Senior VP and Chief Counsel for the Internet Association, “but the lag time associated with expanding ATO boundaries means that the public sector is falling behind due to bureaucratic processes.”
One way to cut authorization time, some experts testified, is to clarify and codify the roles and responsibilities of various stakeholders. Douglas Barbin, Principal at Schellman & Company LLC, emphasized the need to protect the role of the assessor as an independent fact-finder.
“Some commercial compliance programs have blurred the lines between consultant, assessor, and decision-maker,” he said. But “these roles are defined in the FedRAMP program and should continue to be strictly enforced. Independence between the parties should always be maintained in both fact and appearance.”
Lynn Martin, Vice President of Government, Education, and Healthcare for VMware, proposed a second means of reducing the authorization time frame: automating key tasks in the assessment process. Martin testified that embracing automation would “allow for greater efficiencies in achieving ATOs for industry cloud services through increasing the capacity of the PMO, along with reducing costs” and boosting reciprocity.
Investing in Efficiency
Several industry witnesses also made a case for increased funding to empower the FedRAMP PMO and its agency sponsors.
Will Ackerly, founder and CTO of software security company Virtru, said a properly resourced PMO could streamline reassessments, make the process more transparent to companies pursuing authorization, and engage in community outreach.
“As a citizen who wants the government to leverage modern IT, and as a business leader in a startup that went through the FedRAMP experience, I believe that expanding the universe of companies that are able to meet FedRAMP controls does more than protect U.S. government data; it also improves the U.S. public and private security posture and improves data protection for all Americans,” Ackerly said.
“Making FedRAMP controls more accessible and the FedRAMP process more efficient for companies of all sizes would improve our national security posture and protect private citizens and US companies against corporate espionage.”
On July 24, 2019, Connolly and Ranking Member Mark Meadows (R-NC) introduced FedRAMP reform legislation, incorporating many of the best ideas brought forward at the July 19 hearing. The bill:
- Delineates the roles and responsibilities of the FedRAMP PMO, agencies, and independent assessment organizations;
- Requires new metrics for tracking compliance with FedRAMP;
- Establishes a presumption of adequacy that is sufficient across all agencies once FedRAMP authorization is achieved;
- Establishes a Federal Cloud Security Advisory Committee that can hear concerns and help solve industry problems collaboratively.
Following the hearing, the GSA announced the FedRAMP Ideation Challenge to “seek the power and insights of the cybersecurity community” in the ongoing effort to improve the program.