The Biden administration’s recently released cybersecurity-focused executive order mentions a key cloud security program known as FedRAMP several times as it emphasizes the need for federal agencies to quickly but securely adopt cloud computing.
Section 3 of the executive order, titled “Modernizing Federal Government Cybersecurity,” states that within 60 days of the order, the General Services Administration in consultation with the director of the Office of Management and Budget and heads of other agencies shall begin modernizing the Federal Risk and Authorization Management Program. This includes “identifying relevant compliance frameworks, mapping those frameworks onto requirements in the FedRAMP authorization process, and allowing those frameworks to be used as a substitute for the relevant portion of the authorization process, as appropriate.”
FedRAMP validates the security of cloud products—infrastructure, platforms, software applications—being sold to federal agencies. If a product meets FedRAMP’s controls, it gets certified with a provisional authority to operate, or P-ATO.
But it’s no secret that FedRAMP—best intentions aside—has long served as a bottleneck to getting innovative cloud service offerings to federal system/mission owners and agencies. FedRAMP began in 2011, roughly a decade ago, and currently has about 225 authorized cloud service offerings listed on its marketplace. To put this in perspective, there are roughly 15,000 software-as-a-service companies in the market.
FedRAMP timelines vary depending on several factors—some related to the cloud service providers themselves, and others related to the FedRAMP Joint Authorization Board and program management office, or sponsoring agencies. That said, general timelines for a FedRAMP JAB P-ATO can take seven to nine months to complete. Agency authorizations can take anywhere from four to six months to complete. Some cases have taken much longer than this.
Part of the issue is that the FedRAMP JAB can only handle so many authorizations a year. On average, the JAB prioritizes 12 cloud service offerings each year. It evaluates cloud service offerings through a process called FedRAMP Connect, which they use to prioritize what cloud service offerings will be selected for the given year.
Among other methods, the executive order opens the door for considering relevant compliance frameworks mapped to FedRAMP and allowing them to serve as a substitute for relevant portions of the FedRAMP process
With this clear challenge between the number of as-as-service offerings in the market and FedRAMP’s limited ability to scale to authorize, other compliance frameworks are being considered. But it’s yet to be determined what those alternative frameworks may be and what could be the challenges associated with them.
Some cybersecurity professionals have suggested one such alternative may be the Cloud Security Alliance’s Cloud Control Matrix (CCM), which provides 197 controls and 17 domains. It is also mapped to industry frameworks, including FedRAMP. However, some challenges associated with CCM is that it does not have the same third-party assessor rigor that FedRAMP has and allows for companies to self-attest their products meet the standards.
There are also cascading effects of opening the door to FedRAMP alternatives within the defense industrial base. Defense companies have to deal with regulations such as the Defense Department’s vendor certification program called Cybersecurity Maturity Model Certification and acquisition rule 7012, which provides guidance to defense contractors using cloud services when dealing with covered defense information. There has been no shortage of talk of reciprocity between FedRAMP and CMMC. If FedRAMP opens the door for reciprocity with other control frameworks, this then creates a potentially transitive situation with anything FedRAMP would use as an alternative framework. In other words, if alternative frameworks are accepted in place of FedRAMP for federal cloud use, then theoretically FedRAMP alternatives would also potentially have reciprocity with CMMC. This creates a lot of questions and challenges for the Defense Department, the defense industry and CMMC that would need to be explored.
While there are no easy answers, it is clear that the government’s consumption and utilization of cloud service offerings are only accelerating and were further exacerbated by the COVID pandemic. Given this reality, it is clear that the current model of authorization and approval of cloud services simply hasn’t—and won’t—scale to meet the demand and creates a situation to explore alternative options. That said, alternatives can’t come at the expense of the security of federal and defense data.
Chris Hughes is an industry consultant, an adjunct professor with the University of Maryland Global Campus and Capitol Technology University, and co-host of the Resilient Cyber podcast. He previously served in the U.S. Air Force, as a federal civilian with Naval Information Warfare Systems Atlantic, and as a member of the General Services Administration’s Joint Authorization Board for FedRAMP.