Industry advocacy group FedRAMP Fast Forward is calling on the federal government to improve the process for Cloud Service Providers (CSPs) to obtain FedRAMP Authority to Operate (ATO).
The group released a six-step plan on Monday, simply called Fix FedRAMP, to help vendors make educated decisions with increased transparency around the time and cost for obtaining a FedRAMP ATO.
Launched in 2012, FedRAMP is a program run by the General Services Administration that provides a standardized approach to security assessment and monitoring for cloud services. According to the group’s website, the approach uses a “do once, use many times” framework that saves an estimated 30-40 percent of government costs. FedRAMP Fast Forward believes that the program is in “need of a major face-lift…[its] process has become costly and time-consuming, and lacks transparency and accountability.”
According to FedRAMP Fast Forward, around two years ago, the time and cost associated with obtaining a FedRAMP ATO was nine months and $250,000. Today it can take two years and $4 million to $5 million.
The plan calls for normalization of the certification process, which today enables CSPs to “take several routes to an ATO, and not all are seen as equal, which fundamentally undermines the value proposition of the FedRAMP program.”
Currently there are three paths to achieving FedRAMP compliance for CSPs. Using FedRAMP mechanisms, other agencies can leverage an ATO for use in their agency, decreasing approval times, according to the Guide to Understanding FedRAMP.
The plan also calls for harmonized security standards so that CSPs can meet some FedRAMP requirements through compliance with existing privacy standards; a reduction of the cost of continuous monitoring for CSPs that have achieved an ATO; an allowance that would enable CSPs to upgrade cloud environments while remaining compliant with FedRAMP requirements; and help for CSPs to map their FedRAMP compliance to Department of Defence (DoD) security requirements, “rather than forcing them to start over again to obtain the ability to provide cloud services to DoD.”
The paper is based on 7-months of collaboration among CSPs, Third-Party Assessment Organizations, federal agencies and the Hill, according to the group.