It’s a refrain echoed over and over in discussions around shifting from legacy infrastructure to the cloud: the need and desire are there, but the path is challenging.
One function of the FedRAMP program office is to streamline that process by providing a standardized approach to cloud security. Acting Director Ashley Mahan recently talked with WashingtonExec about how the Federal Risk and Authorization Management Program has grown and evolved since she came on board as an evangelist in 2014, before moving to her current position within the last year.
Before FedRAMP, Mahan worked for many years as an information assurance specialist in various programs under the Defense Department as well as in the intelligence community and law enforcement.
“I saw first-hand how technology greatly impacted the effectiveness of various high-stake government missions and realized the importance of cybersecurity,” she said, explaining she had her eye on the FedRAMP program for some time before joining.
She has also seen the power of reciprocity: with cloud technology, the same security controls that protect data at one agency can do the same at others.
“This allows vendors to go through the security process one time, adhere to a single set of security requirements, and any agency can ‘reuse’ the security package, accept risk, and issue their own authority to operate,” Mahan said. “This is hugely beneficial for both vendors and agencies in terms of saving time and resources.”
The program management office within FedRAMP provides guidance for both parties.
As an evangelist, Mahan led efforts to grow the number of participating agencies from roughly 60 to well over 150 and the number of FedRAMP-authorized cloud service offerings from 63 to over 130.
“Additionally, my work with agencies helped increase authorization reuse from 91 to 1,007, reinforcing the ‘do once, use many’ mantra of FedRAMP and helping the federal government realize more than $240 million in cost avoidance,” Mahan said. “The agency authorization path truly allows the program to scale — so it is critical that we continue our efforts to educate agencies and evangelize about FedRAMP.”
While participation has grown significantly within the past two years (Mahan dubs 2018 “the year of the SaaS”), there is still a lack of understanding in some cases about how FedRAMP can streamline rather than unnecessarily complicate cybersecurity, Mahan said. FedRAMP’s list of authorized cloud service providers provides a starting point from which agencies can tailor their efforts.
“Occasionally, agencies impose additional requirements upon cloud service providers that are above and beyond the FedRAMP baselines,” she said. “While in some cases these requirements are warranted due to unique mission sets, in others, they are covered by the FedRAMP baseline and create unnecessary burden for the cloud service provider. FedRAMP is here to help agencies navigate the FedRAMP process and make it work for them.”
Besides that, Mahan said, there is a belief among some agencies that the initial authorization process is much more burdensome than it actually is.
“Prior to cloud, agencies were on the hook for creating the security package, testing and accepting risk,” she said. “With FedRAMP, much of that work is done by industry; the cloud provider creates the security deliverables and engages with a third party assessment organization to complete testing.”
The agency’s responsibilities are streamlined to determining whether the cloud service provider’s security implementation is acceptable, understanding and implementing its own roles and responsibilities under the security requirements, and issuing an authorization for the agency to use the product. Post-authorization, the cloud vendor and the agency jointly carry out continuous monitoring activities.
Nor is the program geared only toward large organizations. Some 34 percent of cloud service providers that have received FedRAMP designations (FedRAMP Ready, FedRAMP In-Process, FedRAMP Authorized) are in the small business category.
So where has FedRAMP been, and where is it going?
In 2018, the office streamlined and simplified the authorization process and increased adoption of secure cloud technologies through several approaches, Mahan said. FedRAMP Tailored, a simplified risk management approach for low-impact Software-as-a-Service, reduced authorization timelines by 75 percent, in some cases allowing agencies to receive authorization in as little as a month.
A partnership with the Baltimore Cyber Range resulted in the first-ever industry standard for certifying individual assessors. Last year alone, FedRAMP introduced 40 new cloud service offerings that are now available for agencies to reuse.
“Over the next 12-18 months, we are focused on introducing innovative and emerging technology to the FedRAMP portfolio, enhancing FedRAMP’s customer experience by providing comprehensive on-demand and in-person learning opportunities to our stakeholders, and continuously improving the authorization process and program by embracing the voice of our customers,” Mahan said. “We’re working to automate the authorization process through machine readable language and robotics process automation, which will allow our customers to focus on security rather than compliance.”
Mahan said her proudest moments in her role revolve around seeing the impacts FedRAMP and cloud technology bring to the federal community as well as citizens.
“I am very thankful to be a part of an incredible team at the General Services Administration, the opportunity to serve others and to work with amazing technologists, security practitioners and mission owners from across the public and private sectors,” she said.
“Since 2014, the number of FedRAMP Authorized public cloud environments has increased fivefold to 133 cloud services today. This increase is significant because public clouds are available to non-government customers, providing FedRAMP security requirements beyond the scope of federal information systems, thus raising the security for all cloud services that are in use by the public.”