FedRAMP authorization process changes, 'high' security baseline pilot in the works

The General Services Administration-led program that aims to speed up and standardize agencies' security assessments for cloud computing technology plans to roll out major changes in the coming weeks and months.

The Federal Risk and Authorization Management Program, or FedRAMP, plans to speed up the authorization process by putting more focus on capabilities and evidence up front, rather than documentation throughout, said FedRAMP Director Matt Goodrich in a Jan. 20 GSA blog post.

"We believe this will allow FedRAMP to scale not only for government, but for industry as well," said Goodrich.

The program also plans to increase transparency by making information on authorized and authorization-in-progress cloud service providers, agencies using FedRAMP and additional services searchable, downloadable and easy to find, wrote Goodrich.

The program also plans to finalize FedRAMP requirements for high-impact systems by the spring, and to pilot the effort with a handful of vendors through the Joint Authorization Board.

"You told us that CSPs can provide higher level of security than FedRAMP authorizes now and that agencies want to use those services," said Goodrich.

Earlier this month, the deadline for comment on the latest draft version of cloud computing standards for high impact systems under FedRAMP closed. The "high" baseline refers to systems housing the most sensitive information and relates to requirements for confidentiality, integrity and availability in accordance with Federal Information Processing Standard, or FIPS, 199.

The General Services Administration's FedRAMP Program Management Office recently issued a second release of the draft – focused specifically on controls – building on an original draft released for public comment in March 2015.

Finally, Goodrich said the program will do more to promote FedRAMP reuse by better matching CSPs with agency needs. Ashley Mahan, the program office's newly appointed FedRAMP evangelist, is visiting every agency to identify how they're using FedRAMP and understand the types of CSPs they want to use, according to the post.
