The Federal Risk and Authorization Management Program (FedRAMP)—which just launched on Wednesday, June 6th—is designed to drive efficiency. By standardizing the security assessment and authorization process for cloud procurement, the program aims to reduce duplicative IT certification efforts and ensure a minimum standard of security for Federal cloud solutions. Now that it’s in play, does it live up to expectations? Unfortunately, FedRAMP’s potential success may be hindered by a lack of information sharing between its public and private sector participants. With these information asymmetries we may be putting the security of government information at risk. Before FedRAMP can effectively accelerate the Federal adoption of cloud-based technologies, these risks must be addressed.
The effectiveness of the FedRAMP program will depend upon the transparent and timely exchange of information between cloud vendors, third-party assessment organizations (3PAOs), and the government. Federal department and agency IT decision makers should have access to FedRAMP information throughout the accreditation process, spanning from the initial queuing of cloud vendors for review to the detailed results of the 3PAO security assessment process and final FedRAMP certifications. Creating symmetrical information between the public and private sectors empowers Federal departments and agencies to make the most effective procurement decisions, including managing risk, and provides greater market certainty to the vendor community.
Without full and timely knowledge of the authorization process, departments and agencies could initiate duplicative efforts or lack a complete understanding of a vendor’s IT security qualifications. Much like Consumer Reports for cars or televisions, the FedRAMP program should make it easier for departments and agencies to “comparison shop.” To this end, vendors should provide public sector players with more comprehensive and transparent information about their products’ security capabilities and limitations. Otherwise, Federal CIOs may be at risk of settling on cloud products that do not fully meet their department or agency’s security needs.
Beyond the initial authorization process, other aspects of the FedRAMP program could prove worrisome for Federal departments and agencies. Despite requiring vendors to provide real-time threat monitoring capabilities, the government has not released uniform guidance governing automated threat information reporting between vendors and government—meaning that manual reports submitted on a quarterly, bi-annual, or annual basis and lagging risk management measures will still be the norm for the time being. Coming to a consensus about these processes and standards should remain a priority, with the goal of agreeing on and implementing automated reporting capabilities by the time the first FedRAMP vendors are certified.
Without adequate information exchange during the procurement process and following cloud adoption, the FedRAMP program cannot effectively overcome many of the last-mile hurdles that slow the adoption of cloud technologies. Only after public and private actors work collaboratively to enhance information sharing about needs and capabilities can FedRAMP reach its maximum potential.