Organizations pursuing authorization under the Federal Risk and Authorization Management Program (FedRAMP) fall into two groups. The first group includes cloud providers that are looking to complete the rigorous FedRAMP process -- which includes attaining a Provisional Authority to Operate (P-ATO) -- by the end of 2013 or early 2014. The second group includes those cloud providers that will pursue FedRAMP over a longer time frame.
Those cloud providers focused on the shorter term -- the first group -- face significant challenges because most of them will need six to 12 months to prepare for the assessment. This preparation includes bringing the system itself into a working, compliant state; creating or revising documentation to meet the FedRAMP requirements -- System Security Plans (SSPs), policies, procedures, etc.; and working with an accredited third-party assessment organization (3PAO) to establish assessment requirements and a timeline.
In some cases, cloud providers have undergone an assessment, submitted their assessment package for review by the Joint Authorization Board (JAB) and been rejected (in some cases, numerous times). These rejections occur when the cloud provider has failed to meet a minimum acceptable standard, or because the FedRAMP 3PAO performed an incomplete or inadequate assessment. These costly rejections have led cloud providers to look for additional help, sometimes hiring an independent 3PAO to advise them on how to improve before re-attempting the FedRAMP assessment process. Often, the level of improvement necessary to meet FedRAMP requirements is drastic. For example, we have seen cloud providers start with SSPs of less than 200 pages, revise the documentation to meet FedRAMP requirements and finish with an SSP that ranges from 600 to more than 1,000 pages. The FedRAMP-provided templates alone run to at least 300 pages, and the bulk of the documentation consists of detailed technical descriptions of how each security control is implemented.
The other major challenge associated with trying to complete the FedRAMP process within the year is that the program's administrators can work with only a limited number of cloud providers at any given time. FedRAMP also requires many levels of review and feedback throughout the process from the assigned FedRAMP information systems security officer, the FedRAMP Program Management Office and the JAB. These review periods can range from weeks to many months, depending on the quality of the product being reviewed. This includes periods to review the SSP, the Security Assessment Plan (provided by the FedRAMP 3PAO) and the Security Assessment Report (also provided by the FedRAMP 3PAO).
The prospects are better for the second group of cloud providers, those that will pursue FedRAMP over a longer time frame. Many are preparing for it by first understanding their current level of preparedness and building a plan to improve incrementally. These providers typically begin by updating their current FISMA documentation to use the FedRAMP templates and to include the additional FedRAMP controls and enhancements (for their next assessment). They are taking time to educate themselves on the process and to learn how FedRAMP affects their company both technically and from a business perspective. Some are also electing to conduct their FISMA assessment with an accredited FedRAMP 3PAO, as a preparatory step toward pursuing FedRAMP sometime in 2014.
Upcoming deadlines for FedRAMP
The law and policies that drive and enforce FedRAMP and FISMA are still being finalized, but here are some upcoming dates that federal agencies and cloud providers should be aware of:
- June 2014: All security authorizations for cloud services must be FedRAMP authorizations.
  - Instances of cloud infrastructure in use by the government must be compliant with FedRAMP as of June 2014. Any commercial provider that was offering cloud services to the government -- or was in the acquisition process -- prior to June 5, 2012, must have a FedRAMP authorization by that date.
  - For more information: General Services Administration FedRAMP Standard Contract Language
- End of 2013 and end of 2014: Government agencies have to move one system to a cloud provider within 12 months of project start, and two more systems within 18 months of launch.
  - Because FedRAMP became operational in June 2012, we anticipate this to mean one system moved by the end of 2013 and two more by the end of 2014.
  - Source: 25-Point Plan to Reform Federal Information Technology Management
About the authors:
Rob Barnes is a director at Coalfire Federal, an accredited FedRAMP 3PAO and subsidiary of Coalfire Systems Inc., based in Washington, D.C. In his role as national practice leader for federal assessments, he is responsible for planning and conducting assessments, as well as providing strategic guidance to commercial and government organizations.
Tom McAndrew is an executive vice president at Coalfire Federal. He is responsible for managing all aspects of Coalfire's federal, defense, intelligence and public sector operations. He is recognized as an industry expert in cloud security and assessment across commercial and federal sectors, particularly within the Department of Defense (DoD) and intelligence communities.
Coalfire Federal is an accredited FedRAMP 3PAO providing service to organizations pursuing FedRAMP, FISMA and DoD Information Assurance Certification and Accreditation Process authorization and continuous monitoring.