Government needs a massive investment in FedRAMP

As the Federal Risk and Authorization Management Program marks its 10th anniversary, it’s time to applaud FedRAMP’s accomplishments — but also explore ways to scale its operations so the government can more quickly adopt innovative software solutions.

FedRAMP is the much-needed standardized security process for companies that deploy software via the cloud to prove they adhere to Federal Information Security Management Act standards for protecting government networks and data. When a cloud product has been FedRAMP-authorized, it has received the stamp of approval that gives government agencies confidence that the product is likely safe to operate on their networks.

To date, there is no known cybersecurity breach attributed to a FedRAMP-authorized cloud product. In fact, although we don’t know all the details, if SolarWinds’ maintenance and patch server had been FedRAMP-authorized, the most recent cybersecurity crisis might have been detected earlier or avoided entirely.

FedRAMP is a great concept, but there are a few problems that cloud providers attempting to achieve an authorization will quickly point out. Most have to do with FedRAMP’s inability to scale to meet demand.

This is not the fault of the FedRAMP Program Management Office; it has a negligible budget. But a decade after the program’s debut, there are only about 200 FedRAMP-authorized products. The pace of authorizations has picked up in recent years, with about 50 products added annually, but this is just a drop in the ocean compared to the 15,000 commercial cloud products tracked by Gartner and the $300 billion-a-year cloud industry. Furthermore, it takes an average cloud company anywhere from a year to 18 months to complete an authorization.

Meanwhile, virtually all modern software deploys via the cloud distribution model. It’s a simple, sad fact: There’s an enormous universe of cloud products currently ineligible to participate in the government market for lack of FedRAMP authorization.

A tall order for under-resourced agencies

Part of the FedRAMP bottleneck has to do with limited resources and the complex journey that cloud providers must take. There are only two paths to authorization, and both have limitations. The first path is for the FedRAMP Joint Authorization Board to sponsor an authorization, but that team has very limited capacity and can only push through about 12 a year. The other path is for an agency to sponsor a cloud product. But when an agency chooses to do so, it does most of the heavy FedRAMP lifting itself.

Most agencies don’t have resources for shepherding a FedRAMP application and therefore will do so only in the rare circumstances when particular cloud services are essential to their missions. Remember, the current process can take a year or more, and FedRAMP is not a one-and-done proposition. Once a product receives an authorization, the agency sponsor must continue to monitor the product for lifetime compliance, which includes a continual flow of documentation and management. In other words, once an agency adopts a product to authorize, the relationship never ends. The sponsoring agency is a parent for life.

This is an obvious bridge too far for many agencies that are under-resourced even for their core missions; they simply have no budget for the lifetime cybersecurity management of a commercial software product. Yet, as we have seen from the ever-increasing threat of cyber intrusion from Russia, China and other malicious players, cybersecurity is appropriately the highest-order priority for the government.

At the same time, because of this security imperative and the government’s limited ability to process FedRAMP authorizations, many innovative and deserving commercial cloud products are locked out of the government market. Ironically, some of them might be useful to further enhance security.

The benefits of a FedRAMP shared service

So what can be done? One possibility would be to redirect some of the $1 billion Technology Modernization Fund to scale up and resource a governmentwide shared-services operation for the purpose of relieving agencies of FedRAMP authorizations. This shared service could be housed at the General Services Administration along with the FedRAMP Program Management Office, at the Department of Homeland Security or at another agency that is well-equipped to deploy a shared-services model.

A well-positioned and well-resourced FedRAMP shared service would deliver consistency and help commercial cloud providers get through the process in a more streamlined manner. Additionally and importantly, a shared service would create an ongoing central point for monitoring the continued security status of FedRAMP-authorized providers.

Furthermore, the shared service could do operational research to continually improve the process, seek automated tools to reduce time frames and own the entire life cycle of cloud product authorizations. Agencies that wish to do their own FedRAMP sponsorship could continue, but a properly resourced and expanded FedRAMP shared service — dedicated to ensuring proper security with the goal of rapidly increasing the volume of authorizations — would be extremely valuable.

FedRAMP is a well-thought-out approach to cybersecurity, but given the IT modernization and security imperatives, it is time to scale up the program to meet the growth and demand of cloud products. By analogy, it was the correct bridge to build 10 years ago, but that infrastructure investment needs to be at least quintupled to meet the realities of the current software market.

Scaling and creating operational efficiencies for FedRAMP that lower the barriers to entry and facilitate more rapid adoption of safe and secure innovative technologies are goals that are well worth exploring. Expansion of FedRAMP into a full-scale shared service is a logical place to make a high-impact, high-return infrastructure investment. If the government is serious about modernization, it should focus on addressing the FedRAMP bottleneck.