The General Services Administration (GSA) recently announced a restructured and streamlined approval process that will enable vendors to more quickly achieve a Federal Risk and Authorization Management Program (FedRAMP) Authority to Operate (ATO). While FedRAMP’s stringent review process is critical in assuring federal users that cloud solutions meet the high security needs of government systems, the process has traditionally been laborious, taking anywhere from 9 to 18 months to complete. Even more, each subsequent update to the original platform also has to be re-approved by the FedRAMP board before it can be released for agency use. This delays the release or development of many projects and is working against leadership’s “cloud first” push. The new review process, called FedRAMP Accelerated, promises to speed the inclusion of new solutions into the FedRAMP system without sacrificing security strength.
In this new model, Cloud Service Providers (CSPs) can get an initial capabilities assessment, or pre-qualification, through a third-party rather than having to go immediately to government review. The pre-qualification determines whether or not the solution is ready to proceed to FedRAMP review, allowing the review board to focus their attention on solutions that are most likely to be approved. The evaluating party then issues a report to the FedRAMP Office where the request is either accepted or denied based on the findings. Passing an initial assessment does not, however, exempt a CSP from having to undergo the required full testing of the solution and security assessment report in order to receive a provisional ATO from an agency or the Joint Authorization Board (JAB). GSA estimates the entire process should now be completed in no more than six months, compared to the original 9 to 18 month timeframe.
David Shire, CIO at GSA, recently acknowledged the challenge ahead of GSA and federal government in creating the positive change in the FedRAMP program that industry and government stakeholders have been asking for. While FedRAMP has created a powerful cloud security standard for government, Shire and his team are eager to make the program more effective for everyone. The current goal is for a CSP to be able to obtain a FedRAMP ATO in just 90 days, regardless of the cloud service’s complexity. While still in its infancy, Shire says that the early feedback from the FedRAMP Accelerated program is very positive.
Moving forward, the success of the new FedRAMP program will be measured by both classic adoption numbers, such as the number of CSPs in process and number of ATOs achieved, as well as nontraditional metrics such as the current state of security in federal IT in general. GSA promises to be transparent about adoption rates and is open to suggestions from industry and government stakeholders on how to improve their measurement methods and goals. Shire says, “Ultimately, it’s about agility, better functionality, improved security, cost savings, and a government that works better.”
While this new process will open the door for more vendors to enter the federal cloud market, Carahsoft is proud to work with a number of cloud solution companies that have already been FedRAMP approved and are delivering secure cloud solutions to the government today. Our CSP partners include:
- Acquia Managed Cloud Service tuned for Drupal
- Adobe Software as a Service Platform
- Akamai Content Delivery Services
- BlackMesh Flexible & Affordable Web Hosting Solution
- BMC Cloud-based IT Service Management Solution
- Box Cloud Content Collaboration Platform
- CGI Federal Virtual Machine and Web Hosting Services
- Clear Government Solutions Cloud Computing and Infrastructure Services
- COPT Innovative Management and Technology-Based Solutions
- General Dynamics Information Technology Secure Cloud Computing
- Google for Work Solution
- GovDelivery Proprietary Network & Secure, Cloud-based Platform
- HPE Application Security Testing Solution
- Lockheed Martin SolaS-I Cloud Computing Platform
- Salesforce Government Cloud
- Skyhigh Cloud Access Security Broker
- SoftLayer High Performance High Security Cloud
- ServiceNow Automation Government Cloud
- Virtustream Secure, High-Performance Cloud
- vCloud Government Service provided by Carpathia
As more solutions enter the marketplace under the banner of the FedRAMP Accelerated program, we’re excited to see all the new solutions and innovations that government agencies will be able to enact. Learn more about all of our FedRAMP partners here.