FedRAMP: What’s Broke, and How to Fix it

fedramp

It might not be in best short term interest, as a Regional Sales Director for a leading 3PAO, Coalfire,  to write this. But I am also a dedicated security professional who believes that innovation in government is essential. Ultimately, what I’m blogging here will be best for everyone, including myself. These are my opinions, and in no way reflect the opinions of my employer.

I want to start out by saying, screaming in fact, that the idea behind FedRAMP is a good thing. The “do once, use many times” motto of FedRAMP makes a lot of sense. Creating a set of common, reusable, documented controls, that can be used by multiple government agencies, is a great idea, especially when looking at the model from the perspective of an infrastructure as a service (IaaS) model. It’s something that I’d like to see more of in the commercial sector, and in fact, FedRAMP best practices are being transferred to the private sector, by private companies who serve both the commercial and government markets.

As good as FedRAMP is, there are some basic problems with its current implementation that I think need to be addressed.

  • The high cost of entry is keeping smaller, innovative companies out of the FedRAMP process. Meritalk estimates that the average cost to go through the FedRAMP process is approximately $250K, a number that smaller organizations and startups are finding difficult to justify. The costs to certify IaaS, Platform as a Service (PaaS), and Software as a Service (SaaS) are all very significant. While the “do once, use many times” model helps larger IaaS and PaaS providers recoup their investment in FedRAMP certification (without mentioning the savings from having a good security operation in place), this model is not as effective financially for smaller SaaS providers, who sell comparatively low-cost products to a handful of agencies. Even if a smaller company stands to make a killing with a much-needed technology in the Federal space, the initial investment in FedRAMP may make them think twice about entering the Federal market.
  • The JAB process is being overwhelmed. The GSA Program Management office gets a fixed budget to run the JAB, whether it is 50 companies in the process or 500 companies. The result we are seeing is that the average time to move through the authorization process has increased from six months to between nine months and a year.

So, how do we address these problems?

  • Look at IaaS, PaaS, and SaaS differently. IaaS will have multiple types of applications running on it, and the current FedRAMP model works pretty well both security-wise, and financially.  However, the cost efficiencies gained by “do once use many times” are not as great for PaaS, even more so for SaaS, where small innovative applications may not recoup the costs of accreditation easily.
    •  Consider the size of the application, along with types of data being handled by the application. A small system containing non-critical data doesn’t need the same level of scrutiny that a service offering which is broad and scope and/or contains ePHI, financial information, intellectual property or other data of a sensitive nature.

      This is the approach the Payment Card Industry takes. Smaller merchants that handle a low volume of transactions have to go through a certification process, but it is not as rigorous as that for financial institutions or merchants that handle a large number of transactions. FedRAMP does offer some discrimination between “low” and “moderate” security environments, but the cost delta associated with getting certified under the different levels is minimal. Most CSP’s go for the “moderate” accreditation.

  • Financing the cost of accreditation. There may be cases where small companies produce services that are needed for the government. Mobility solutions come to mind here, because many of the solutions are coming out of small start-up environments. These solutions often have higher security requirements, and it’s probably a good idea that they go through something very similar to the existing FedRAMP process. I see two options here:
    • Financing – if an application shows potential to penetrate much of the government market, and the investment in certification can be recouped over a number of years, a low-interest loan to cover costs of FedRAMP may be in order.
    • Grants – If an application is needed by a small number of agencies, and it still makes sense to deploy in the cloud, then a grant to absorb the costs of FedRAMP may be in order.
  • Increased automation of the JAB form approval process. I would recommend that the JAB take a look at developing a Turbo Tax equivalent for the System Security Plan. Such an application could ask the needed questions in way that CSPs can understand, and format them automatically in a way that the JAB can accept. This automation will help reduce the costs of accreditation.

    I’m aware that this is not an easy process. I’ve seen some attempts at FedRAMP wizards by third parties, and to me, they were more cumbersome, confusing, and difficult to operate than what is needed by the end user.

  • Funding of the JAB process by the applying companies. The JAB budget is relatively fixed and the JAB has unfortunately been unable to keep up with the workload being thrust upon it. If the JAB was funded directly by the applying companies, the JAB staff budget could scale more or less proportionally as the program grows

    I don’t believe that industry funding of the JAB, if done correctly, would result in a conflict of interest. A similar model is in place with the Comptroller of the Currency for examination of banks, and there appears to be minimal, if any, conflict of interest between the banks and bank examiners.

    This may sound contradictory in light of my ideas to reduce costs. I think the benefit of a faster time to market for applications would outweigh any cost considerations. Companies will be able to get to market 6 – 9 months earlier if this suggestion is properly implemented.

I know the devil will be in the details. Determining what kinds of innovation will call for grants or loans, accounting for systems that grow and change, and compensating for companies that try to game the new system will be things that all need to be addressed. I’d welcome comments or constructive criticism on how to improve this approach.

Leave a Comment

Your email address will not be published. Required fields are marked *

2 + 6 =