FedRAMP cloud deadline looming amid updates to the program

Friday - 2/28/2014, 4:21am EST

Agencies are facing a June deadline to use only cloud computing services that meet governmentwide cybersecurity requirements.

Under the Federal Risk Authorization and Management Program (FedRAMP), the General Services Administration and the Homeland Security and Defense departments have led the 20-month effort to set a security baseline and a process to approve vendors.

The Office of Management and Budget will get a chance on Friday to see just how well agencies are doing toward the June deadline.

OMB set the timetable for agencies to use only cloud services approved by FedRAMP in a December 2011 memo.

Through the PortfolioStat effort, agencies are submitting new data that will highlight their progress.

"With the PortfolioStat, there were initially six questions related to cloud. With this most recent quarter of PortfolioStat, we were able to add a seventh question: Who is your FedRAMP point of contact?" said Maria Roat, GSA's director of FedRAMP, after she moderated a panel on FedRAMP Thursday sponsored by the Cloud Computing Caucus Advisory Group in Washington. "What we learned is that the person doing the reporting for PortfolioStat is not necessarily from the CIO's shop, and they weren't always talking. We could tell from the data that was coming in, because there was information from some agencies and components that wasn't reported in PortfolioStat, and there were things reported in there that we didn't know about either."

Roat said FedRAMP's program management office looked at the data and is going back to OMB with details of agency efforts. She said with a FedRAMP point of contact, her office can ask for even more specific details to find out what they are working on.

"Right now, we don't have a broad insight into what the agencies are doing. When they tell us, great, but we don't use that mechanism to see that," she said. "I think some of the cloud providers know better than we do what's going on and what the agencies are working on."

More transparency about vendors

It's unclear what will happen if agencies are not using FedRAMP-approved cloud services as of June. Roat said that is up to OMB to decide.

But she said if her office or an agency can tell OMB that the vendor's services are in the queue to receive FedRAMP approval and it's expected later this summer, that may be good enough progress.

One major change under the FedRAMP program that should help with the June deadline is that the program management office publicly released the names of vendors going through the approval process.

Roat said a few weeks ago the program management office posted the list of who's in the approval process so agencies don't have to ask about specific vendors.

"Initially, with who is in the readiness process going through this, there was a lot of reluctance in industry. They didn't want their name out there because FedRAMP was new and shiny, and it wasn't proven successful yet," she said. "Before we did this, we did reach out to all these cloud providers, and the Joint Authorization Board approved it."

One industry executive, who requested anonymity, said making the vendors go through the FedRAMP process publicly is a good thing.

"Moving toward the June deadline and as agencies look to fulfill cloud needs, they need to know who's in the pipeline," the official said. "No one has been shy recently about saying they are in the approval process."

The source said initially there was some concern that the first vendors who received approval would have an advantage over those who didn't. But the official said that concern hasn't played out.

"Part of it is if you get names out there, it lowers the playing field," the source said.

Currently, the Joint Authorization Board (JAB), made up of the chief information officers of GSA, DoD and DHS, has approved 10 companies and the Agriculture Department, eight of which offer infrastructure-as-a-service.

Fourth added to the JAB

FedRAMP also recently expanded the JAB to include the Defense Information Systems Agency along with the DoD CIO.

Roat said Teri Takai, the DoD CIO, requested the JAB include DISA's security personnel as part of the review process. DISA is serving as the cloud broker for DoD under the Pentagon's cloud computing strategy from July 2012.

"When the packages are being reviewed, it has DISA's viewpoint on it," she said. "So then when one of the vendors comes through, DISA has already seen the package, and they know exactly what's in it, and they don't have to do the work twice. DISA is learning how to get that federal view, but they also are having input on what they need and a heads up on reviewing packages. I think it's beneficial all the way around."