Rundown: The Cloudy Role of FedRAMP

July 22, 2019 Douglas Barbin

On Wednesday July 17th, I had the distinct honor of providing the assessor perspective at a FedRAMP hearing held by the Subcommittee on Government Operations—a subset of the House Oversight Committee.  It is always a pleasure to go to our nation’s capital, and it was an honor to be invited to testify.  The experience was profoundly interesting—the House Oversight Committee also archived the hearing in full, including the entire video broadcast.


Why a Hearing on FedRAMP?

For those less familiar, FedRAMP is a program whereby cloud computing providers that want to sell to a very large market of government agencies are required to undergo a rigorous assessment of their cybersecurity controls.  Since its inception in 2011, the program was designed to drive efficiencies by having cloud providers go through a single audit that can be re-used by many agencies looking to authorize them for services.  This is in contrast to pre-FedRAMP practices when every agency did its own such assessments, and often did so in an inconsistent manner—the new program was meant to streamline and strengthen that process.

Though everything points to the positives yielded by the introduction of FedRAMP, the program remains an unofficial administrative solution that could be altered or wholly done away with through an Executive Order or a change in program leadership. With that being said, Chairman Connolly and Ranking Member Meadows are attempting to change that, as they are currently at work drafting a bill to codify FedRAMP into law. Given that 147 providers have received more than 1,000 authorizations from different agencies, the Chairman and Ranking Member have taken the initiative to protect what FedRAMP has already achieved while also seeking feedback on areas for improvement—hence, the hearing.


Why Schellman?

A few weeks ago, a staff member from Chairman Gerry Connolly’s office reached out to the firm to gauge our interest in participating. Schellman is the number two provider of FedRAMP assessments across the entire program, and we also provide the unique perspective of a top 100 CPA firm whose exclusive focus is providing technology audit and compliance assessments across most major commercial compliance frameworks, from SOC 2 to PCI DSS and ISO 27001. But it was Schellman’s broad experience in FedRAMP that the committee deemed best able to compare and contrast with other U.S. and international frameworks, and soon I was on my way to Washington.


Opening Statements

The hearing started with opening statements from Chairman Connolly and Ranking Member Meadows.

  • Chairman Connolly stated that the goal is to codify FedRAMP.
  • Mr. Connolly also noted that FedRAMP is intended to reduce cost and effort, but he is still hearing feedback from his constituents that it does otherwise—some say that FedRAMP evaluations took years and cost some providers more than $1 million to attain.
  • Mr. Connolly also stated that he had heard concerns that agencies were not relying on FedRAMP assessment results where FedRAMP should, in fact, have a “presumption of adequacy,” especially a Joint Authorization Board (JAB) provisional authorization.

Ranking Member Meadows highlighted that while there remains room for improvement, he did feel that the program was working and most importantly provides a means for the government to adopt “transformative cloud technology.”


Feedback from Government Panel

All of the opening remarks from each panelist can be found on the Oversight website.

The government panel included: Anil Cheriyan - Director, Technology Transformation Services, General Services Administration (GSA); Jack Wilmer - Deputy Chief Information Officer for Cybersecurity, U.S. Department of Defense (DOD); Joseph Klimavicz - Deputy Assistant Attorney General and Chief Information Officer, U.S. Department of Justice (DOJ); and Jose Arrieta - Chief Information Officer, U.S. Department of Health and Human Services (HHS).

Key statements made during the panel included:
  • Mr. Cheriyan (GSA) reiterated FedRAMP’s goal of applying a consistent standard for the assessment and authorization of cloud service providers (CSPs). He touted the program’s success in the nearly 150 FedRAMP authorizations, along with the more than 1,000 agency authorizations—prior to FedRAMP, the desired evaluations would’ve meant 1,000 individual assessments (versus 150).
  • Separately, Mr. Cheriyan also spoke to the desire to mature FedRAMP and invoke a “Threat-Based Approach” to conducting assessments in the future.
  • Mr. Wilmer (DOD) concentrated heavily on the partnership between FedRAMP and the DoD. He believes that FedRAMP is working and that there will be increased reciprocity for FedRAMP Moderate authorizations, where 38 additional controls will become requisite for testing in order to meet DoD requirements.
  • Mr. Klimavicz (DOJ) focused on the inefficiencies related to 3PAO manual testing, and argued that a more automated security assessment methodology is needed to make FedRAMP efficient enough to provide a more “real-time” basis for compliance.
  • Mr. Arrieta (HHS) spoke to the fact that his agency was the first to issue FedRAMP Authorities to Operate (ATOs) and argued for making FedRAMP a necessity, as his agency relies daily on hundreds of certified cloud applications.

After the opening remarks, several members had questions for the group. Congresswoman Norton of D.C. asked about opportunities for improvement and how reciprocity can be strengthened for existing authorizations. She also asked whether more training and awareness at the agency level would help the program, to which all agreed. Also of D.C., Representative Khanna asked about the challenges small businesses face in trying to get through FedRAMP, to which Mr. Cheriyan responded that 33% of the FedRAMP authorizations were, in fact, held by companies classified as small businesses. Congressman Khanna stated that the program could nonetheless do better in this regard. Finally, Ranking Member Meadows summarized the dialogue with a statement that if these big four agency CIOs can make FedRAMP work, it should be possible for any agency to undertake.


Feedback from Industry Panel

Alongside me, the industry panel also featured Jonathan Berroya - Senior Vice President and General Counsel, Internet Association; Will Ackerly - Chief Technology Officer, Virtru; and Lynn Martin - Vice President of Government, Education, and Healthcare, VMware.

Feedback from this group centered around the cost and timelines associated with FedRAMP, as well as the reuse of assessments.

  • Mr. Ackerly from Virtru was very open that his company spent $1.6 million to achieve FedRAMP authorization and that the process took more than 20 months, which was considerable for a young start-up. Mr. Ackerly also highlighted the need to streamline the ongoing continuous monitoring processes. To read his detailed remarks, download Mr. Ackerly's full testimony.
  • Ms. Martin from VMware, in addition to her testimony, was also asked to highlight a separate issue where a product authorized in one environment had to undergo a near-full assessment when the same software was deployed into a separate environment.

Following the opening remarks, the panel received additional questions on reciprocity and opportunities for awareness. One key idea that was floated was that of a FedRAMP Advocate, which would theoretically operate similarly to an IRS Taxpayer Advocate—something the entire panel agreed would be beneficial.


Barbin Testimony and Feedback

Within the entire video recording, my opening statement has been bookmarked, and can also be found in writing on the Oversight Committee website.

Rather than recap my testimony in full, my summarized thoughts on the hearing are as follows:

  • It was all surprisingly quick. The entire session lasted two hours, and grew shorter as it moved from the government to the industry panel. Admittedly, I was surprised to be in the gallery watching the end of the government panel and then presenting my opening remarks 30 seconds later. Chairman Connolly definitely moved through the content and questions in an expeditious manner.
  • There appears to be high support for FedRAMP across government and industry. While many spoke to opportunities for improvement, there was no indication that any of the parties testifying had any desire to revert to the days when agencies all performed their own assessments.
  • The key themes noted for improvement were consistent, including:
    • More training, awareness, and advocacy for all stakeholders;
    • A shortened length of the assessment process;
    • Technological investments to help support both the initial assessment and ongoing authorization process;
    • Pressure on agencies to have the “presumption of adequacy” and accept FedRAMP authorizations from other agencies; and
    • An increase in JAB authorizations and support from the program for more; 12 per year is not enough.
  • To me, the focus on the R in FedRAMP—which stands for Risk—was consistent with some of the agency feedback that a threat-based approach is needed moving forward. It was encouraging to hear that no one seemed to want FedRAMP to become “checkbox compliance.”

Had there been an opportunity during the panel, I would have also reflected on the positive role that the FedRAMP Ready program has had in shortening assessment timelines. This program, which tests the top 10% of the FedRAMP controls, including all federal mandates, allows CSPs to have their key controls evaluated while holding the tough conversations early. From my perspective, the CSPs that end up taking the longest during FedRAMP evaluations are those that believe they are prepared but haven’t really worked through the details—an expansion of FedRAMP Ready would absolutely help those organizations, along with others across the board. Additionally, as FedRAMP Ready does not require an agency sponsor, it allows cloud providers to demonstrate preliminary capabilities to the marketplace, aiding them in attracting potential agency sponsors and customers.

Both I and Schellman as a firm are big proponents of this program, having seen firsthand that FedRAMP Ready makes the full assessment much more streamlined, an argument we also made in Schellman’s webinar and case study with CrowdStrike.

What’s also interesting is that, despite hundreds of manual control tests and thousands of data points from scanning tools, FedRAMP deliverables are still Word and Excel documents. Here at Schellman, we have invested significantly in technology to facilitate a higher quality exchange of information with our clients, and we believe FedRAMP can benefit from the same.

All in all, my experience on the Hill was interesting, the hearing made steps toward more progress for the program, and I look forward to engaging in further dialogue on these topics.

About the Author

Douglas Barbin

Doug Barbin is a Principal at Schellman & Company, LLC. Doug leads all service delivery for the western US and also oversees the firm-wide growth and execution of security assessment services, including PCI, FedRAMP, and penetration testing. He has over 19 years of experience. A strong advocate for cloud computing assurance, Doug spends much of his time working with cloud computing companies and has participated in various cloud working groups with the Cloud Security Alliance and the PCI Security Standards Council, among others.
