Cloud service providers that deliver services to U.S. government agencies are required to gain FedRAMP accreditation by the upcoming June 5 deadline, yet dozens of CSPs are stuck in a slow-moving security-driven approval process that could result in fewer providers competing for the government's cloud computing contracts.
Originally announced in 2011, the Federal Risk and Authorization Management Program (FedRAMP) was created to standardize security requirements for cloud service providers (CSPs) vying for contracts with federal agencies. The intent with FedRAMP is to reduce the time and money agencies spend on redundant cloud provider security assessments in favor of a single accreditation.
Interested CSPs can apply for an authorization to operate (ATO) via either the FedRAMP Joint Authorization Board (JAB), under the General Services Administration umbrella, or directly through the government agency utilizing the services. To date, more than a dozen cloud providers have successfully attained FedRAMP approval, including Amazon Web Services, Microsoft and Hewlett-Packard Co.
The U.S. government's FedRAMP website lists dozens of additional CSP requests still working toward authorization, including Google, Salesforce.com, Verizon and other major cloud providers. In fact, the requests of eight providers -- AT&T and Dell among them -- are listed as "ready for kickoff," meaning they have yet to begin their review processes.
Waylon Krush, CEO of Arlington, Virginia-based Lunarline Inc., a certified FedRAMP third-party assessment organization (3PAO), said he was surprised that more CSPs haven't successfully navigated the process, especially considering the government has been actively warning that the FedRAMP deadline was approaching.
Krush said CSPs may have been slow in their uptake of FedRAMP because government-based cloud customers had not been forceful enough in requests that providers adhere to the guidance, though he saw that attitude shift toward the beginning of 2014.
"These CSPs aren't necessarily going to go out and invest in the necessary infrastructure and the ability it takes to secure their infrastructure for FedRAMP unless it's required to make a dollar," Krush said. "We're seeing a lot more inquiries now because CSPs are finally hearing customers say, 'No, you do need to go through FedRAMP, and if you don't, there's a chance you may not get this contract.'"
FedRAMP deadline consequences
Though dozens of CSP requests are currently in the FedRAMP queue, Robert Barnes, a director and public sector practice leader with Coalfire Systems Inc., a certified FedRAMP 3PAO based in Louisville, Colorado, tempered expectations for a tidal wave of authorization approvals before June 5.
That's because the review process can take several months to complete on average, with the assumption that no significant issues are encountered.
Why so long? Barnes said the FedRAMP review team -- composed of six information system security officers (ISSO) and a limited number of JAB technical representatives -- only has so much bandwidth available to handle CSP requests. That bandwidth is further restricted by the fact that CSPs who currently have an ATO must also be reassessed on a yearly basis, and according to current FedRAMP guidance, those providers will take precedence over other, as-yet-uncertified CSPs in the queue.
Furthermore, a CSP's authorization process may be delayed if it is unprepared to meet the demanding FedRAMP requirements, Barnes said. For instance, if an assessment uncovers "high-risk" vulnerabilities in a provider's environment, it could take weeks or months to remediate the flaws and then schedule a 3PAO reassessment.
Between six and nine months is typically required to navigate the JAB-based FedRAMP process, according to Barnes, while going directly through a government agency still takes between four and six months. The agency route tends to be slightly timelier, he noted, because agency reviewers are independent of the JAB and are typically able to assign more resources to the review process, shortening the timeline.
All told, it could take years just to clear the current FedRAMP JAB queue, Barnes said, without counting the CSPs that have yet to even begin the process.
"It truly is a marathon. You've got cloud service providers who trained up. They have a nice program and risk-management framework in place; they've got the controls; they've got the documentation; they did all the preparation and training. And then they went through the process that took them six to nine months to gain that ATO at the end of the race," Barnes said. "Those that are actually in the queue today are actually in really good shape, as opposed to those that are just starting to think about what is FedRAMP."
The FedRAMP JAB did not respond to SearchSecurity's request for comment prior to publication.
What then happens to those CSPs that don't win a coveted ATO before June 5? Will the federal government bar them from providing services to federal agencies? That, too, is not entirely clear.
Barnes emphasized that FedRAMP is tied to President Barack H. Obama's "cloud-first" policy, which grants leeway to agencies seeking out the best cloud provider for their needs. If an agency chooses a CSP that isn't authorized under the FedRAMP program, FedRAMP isn't intended to be a barrier, as the provider can apply for FedRAMP approval through the agency. Government agencies retain this wiggle room, Barnes said, because there may not be a viable, FedRAMP-certified option available to them, or they could claim a CSP currently in the FedRAMP process may fit the bill.
"Providers think, 'Well, I can no longer work with the government on June 5th if I'm not a cloud service provider that has made it through FedRAMP,'" Barnes said. "The reality is, the government is not going to function without this technology."
Still, even if the June 5 FedRAMP deadline isn't a hard cutoff for CSPs, both Krush and Barnes warned that financial penalties may come into play for those providers that have yet to undergo the approval process.
First, Barnes said government agencies themselves may endure some form of punishment for contracting with an unapproved CSP after June 5, noting that in the past agencies' budgets have been changed or redirected based on how they selected technologies. He said government CIOs and CISOs may be wary of choosing an unapproved provider for fear of the uncertain consequences.
From the CSP perspective, Barnes said providers that haven't gained a FedRAMP ATO are simply not going to be competitive for government contracts going forward.
"We've heard from cloud service providers that contracts are now very much reflecting FedRAMP as a standard or requirement, that business can't be won or achieved without receiving an ATO, and that's starting to become a reality for a lot of these companies that didn't necessarily start two years ago when the FedRAMP program was initiated," Barnes said. "Those who have existing contracts though, or are looking to expand on the business they already have, they could lose business -- either to [a] competitor that has a FedRAMP authority to operate, or to those that are ahead of them in the queue."
More FedRAMP changes coming
Before the FedRAMP deadline even arrives, the cloud-focused federal security guidelines are set to undergo a significant change.
The original FedRAMP security control baselines and documentation templates were based on revision three of the NIST 800-53 guidelines -- the benchmark security controls that must be applied to all federal information systems -- but on or around June 1, the FedRAMP program management office will be transitioning over to revision four, a move that Krush and Barnes said could bring dozens of new security controls while clarifying or eliminating others.
Those CSPs that fail to kick off the process will need to adhere to those new guidelines, dubbed FedRAMP 2.0, from the start, though providers already in the queue will have until their first yearly review to do the same. Barnes said Coalfire saw the same beginning-of-the-year spike in interest as Lunarline from cloud providers trying to beat the June 5 FedRAMP deadline, and that much of that interest stemmed from beating the guideline switch as well.
"The reality is that your documentation is going to have to change, the controls you've implemented or are implementing are going to change," Barnes said. "It could be a substantial level of effort change for your organization if you didn't plan for revision four."
The possibility of being locked out of bidding for government contracts combined with the upcoming FedRAMP guidance changes may result in a desire from some CSPs to rush through the process, but Krush warned such organizations that FedRAMP requires an "eye-opening" cultural change from a security perspective, and that can't be hastened.
"CSPs need to know this doesn't happen in a day. This is not one of those fire and forget processes, meaning you can just put a jumble of documentation together, throw it at the FedRAMP JAB or organization sponsor and expect to be authorized," Krush said. "This requires ongoing and continuous monitoring. This requires you to have a very strong configuration management control process, content scanning and patch updates at a level that is surprising even to organizations that are used to dealing with the depth and rigor of government controls."