Recently, the U.S. Federal Government launched the Federal Risk and Authorization Management Program (FedRAMP) to enable security authorization for shared IT outsourced services. This program offers some high-impact benefits for federal agencies.
It will allow the government to use a leveraged security and acquisition authorization, which will reduce costs significantly. Before FedRAMP, each government agency had to go through a complete acquisition process, often a costly and lengthy RFP. Moreover, the agency had to select its own security controls and develop an agency-specific certification and accreditation (C&A) package consisting of artifacts like a System Security Plan (SSP), Security Assessment Report (SAR), Risk Assessment Report and a Plan of Actions and Milestones (POA&M). According to a recent study, the government spent $133M to C&A only 150 systems at the Department of State over the course of just 4 years – that is more than 222K per application per year!
Under FedRAMP, government agencies can leverage pre-authorized C&A packages and pre-approved applications, which will reduce the duplication of effort that occurs today when the same application is C&A'd numerous times across the government. Agencies will still retain their responsibility and authority to ensure that the C&A of these applications meets any unique security needs for a specific agency.
FedRAMP also enables rapid acquisition of solutions – reducing the time to purchase an application from 3-12 months down to weeks. When trying to solve today’s problems, it can’t take 12 months to acquire a solution and then another 12 to implement it. Two years later, the problem you were trying to solve is now yesterday’s issue. With FedRAMP, once an application is FedRAMP “pre-authorized” and being used in other agencies across the government, it will be easier for an agency to adopt the same application without going through the RFP process.
The Federal CIO Cloud Computing Advisory Council, GSA and NIST hit a home run with this program. I’m seeing the positive impact of FedRAMP and all the work of the Cloud Computing Advisory Council in my everyday meetings, where the question is no longer “if” a government agency is going to move to cloud computing; it’s now “when” they are going to move.