Executive Order Hints at FedRAMP Alternatives

The Biden administration's recently released cybersecurity-focused executive order mentions a key cloud security program known as FedRAMP several times as it emphasizes the need for federal agencies to quickly but securely adopt cloud computing. 


Section 3 of the executive order, titled “Modernizing Federal Government Cybersecurity,” states that within 60 days of the order, the General Services Administration in consultation with the director of the Office of Management and Budget and heads of other agencies shall begin modernizing the Federal Risk and Authorization Management Program. This includes “identifying relevant compliance frameworks, mapping those frameworks onto requirements in the FedRAMP authorization process, and allowing those frameworks to be used as a substitute for the relevant portion of the authorization process, as appropriate.”


FedRAMP validates the security of cloud products—infrastructure, platforms, software applications—being sold to federal agencies. If a product meets FedRAMP’s controls, it gets certified with a provisional authority to operate, or P-ATO.


But it's no secret that FedRAMP—best intentions aside—has long served as a bottleneck to getting innovative cloud service offerings to federal system/mission owners and agencies. FedRAMP began in 2011, roughly a decade ago, and currently has about 225 authorized cloud service offerings listed on its marketplace. To put this in perspective, there are roughly 15,000 software-as-a-service companies in the market. 


FedRAMP timelines vary depending on several factors—some related to the cloud service providers themselves, and others related to the FedRAMP Joint Authorization Board and program management office, or sponsoring agencies. That said, general timelines for a FedRAMP JAB P-ATO can take seven to nine months to complete. Agency authorizations can take anywhere from four to six months to complete. Some case ..
