How FedRAMP Keeps Getting Faster

This story has been corrected to reflect that agencies have reused authorizations 492 times.

The Federal Risk and Authorization Management Program office received plenty of criticism from industry and feds in recent years, but metrics show the office has more than backed up its promise to speed up cloud computing authorizations.

During a Nextgov-hosted webcast Tuesday, FedRAMP Agency Evangelist Ashley Mahan shared some numbers behind FedRAMP’s improvements. The program—which turned 5 years in June—is charged with providing a governmentwide standardized approach to security assessment, authorization and continuous monitoring for cloud products and services.

Mahan said the program is doing it better today than ever before.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

Since 2012, Mahan said, FedRAMP has doubled the number of cloud providers and authorizations year over year, culminating with 112 federal agencies now using FedRAMP-accredited services.

It isn’t just large cloud service providers going through FedRAMP, either. Mahan said 33 percent of the 86 FedRAMP-authorized cloud service providers are small businesses.

One of FedRAMP’s biggest potential returns on investment is reducing time to market for cloud service providers and federal agencies alike by encouraging the reuse of agency authorizations to operate. In short, if one agency OKs a FedRAMP-authorized solution, another agency can reuse part of all of that ATO.

Today, Mahan said, agencies have reused authorizations 492 times, which translates to an average of every authorization being reused slightly more than five times.

“We’ve continued to see that number escalate,” Mahan said, adding it’s one of the most important measurements of FedRAMP’s success.

Why is it so important?

Chad Sheridan, chief information officer at the Agriculture Department's Risk Management Agency, said during the webcast his agency recently reused an ATO, “reusing 60 to 80 percent of the controls, or maybe more.” That shaved months off the time it would have taken for the agency to accredit a new system, which he said can take some agencies up to two years to do.

“If we can get systems accredited, that is time to market, and taking an idea to capability and production,” Sheridan said. “If we want to be responsive to citizen and user needs, we’ve got to shrink that time [to accreditation] down. FedRAMP could maybe drive it down to weeks.”

FedRAMP is beginning to measure accreditations in weeks, Mahan said.

GSA is also working with the White House Office of American Innovation to explore the possibility of automating ATOs. GSA on Tuesday issued a request for information regarding "existing commercially available products and practices that the government could use to automate any portion of the ATO process." According to the RFI, GSA will use industry feedback to deliver recommendations to the Office of American Innovation in an effort to speed up the ATO process even further.

One of its strategic initiatives, FedRAMP Tailored, is designed for low-risk software-as-a-service offerings and can pair agencies with vendors in as little as four weeks. This approach stemmed from agency and vendor feedback suggesting a faster approach for solutions that deal with low-risk data, such as open data, public information or for collaborative purposes.

In other words, “If that data was out there, no one is really going to care about it,” Mahan said.

“We’ve gotten a lot of traction with Tailored,” she continued. “When you look at the data for individual risk appetites at agencies, a lot of teams out there are using SaaS in very low-risk capacities. It’s a risk-based approach giving agencies the ability or framework to do that tailoring to address risk commensurate to data going in.”

This flexibility is appreciated by CIOs and program managers.

“I don’t want to have to kill myself getting accredited,” Sheridan said. “If I can take advantage of a SaaS offering that improves the ability to collaborate around nonsensitive data, and I can get that in place in a couple months, then users are less inclined to find their own solutions. I can manage shadow IT instead of running away from it or trying to control it. It gives me options to work with my users and customers instead of trying to control them.”

Tailored is just one of several innovations FedRAMP introduced in recent months. FedRAMP Accelerated, another such example, has reduced ATO time frames from up to 24 months down to an average of four months, Mahan said.