The long-running FedRAMP program for cloud computing just became law

The Federal Risk and Authorization Management Program, known as FedRAMP, is supposed to make it easier for agencies to use commercial cloud computing. FedRAMP, as policy, has been around for a dozen years, but only became law at the end of last year. Will that make a difference? The Federal Drive with Tom Temin got one view from attorney Michael Borgia, a partner at Davis Wright Tremaine.

Interview transcript:

Tom Temin
You have been watching FedRAMP for quite some time now. And the usual things people say about it still apply. The vendors say it takes too long to get certified. And agencies seem to want their own certification, anyway. So it’s there, everybody admires it. It’s been part of cloud. But how can this new law, maybe, further things a little bit?

Michael Borgia
Well, it’s a great question. And to a large extent, we’ll have to see. I think that the law did some important things to discuss. But it could have gone further. I think it took somewhat of a measured approach, still tried to respect the basic framework we got from [the Federal Information Security Management Act (FISMA)], back in 2002. Ultimately, it comes down to the agencies and figuring out their own authorization. So they could have blown that up and they could have said, no, it’s going to be decided for you, but they didn’t. So we’ll have to see. There are a few things I think this law does that are very interesting. What you’ve seen, if you’ve read about this, is a lot of discussion of what’s called this presumption of adequacy. I would liken it to sort of a thumb or something on the scale. It is not requiring agencies to take previous authorizations from other agencies or from the [Joint Authorization Board (JAB)] or whatever we have going forward. But I think, trying to push them in that direction. So essentially, in nonlegal terms, what the presumption of adequacy says is that, if a cloud service has gone through FedRAMP, one way or the other, has an authority to operate or an authorization to operate, as it’s called in the statute, or a [Provisional Authorization to Operate (P-ATO)], things like that, then another agency must presume that authorization is adequate for its own authorization. It doesn’t have to take it 100% of the time, there are some kind of outs in the law, the agencies are still empowered to decide that they need more security controls than the FedRAMP ATO might provide. But again, it’s a finger on the scale to say you have to presume that. There’s a sort of parallel provision that says, it’s sort of, almost painfully, obvious but important, it kind of speaks to the frustration of [cloud service providers (CSPs)] in the space, that agencies have to check. They’re required to check the database and actually know, has this thing been authorized yet? So it almost seems silly. But yeah, I think that’s kind of where we are.

Tom Temin
Right. The whole thing is kind of belt and suspenders. It’s been certified through FedRAMP, this particular service or this cloud provider for Agency X. I’m the same size of agency and I have about the same requirements. But yet, I’m still reluctant to say, ok, they approved it, here we go, even though they’re entitled to. But every agency feels it’s unique, in so many domains, no less so than in cloud computing.

Michael Borgia
For sure, and that’s understandable. You can’t blame agencies for feeling like, if something bad happens it’s our issue, it’s our mistake, our risk, and so we want to have our hands in it and really understand it. But as you’ve alluded to, there’s a lot of frustration amongst CSPs. There was a [Government Accountability Office (GAO)] report from, I believe, 2019, that referenced still fairly significant and common nonuse of FedRAMP. Many agencies, I believe the number was 15 out of 24, were using non-FedRAMP-authorized cloud services. They cite the example of, well, they didn’t name the agency, but there’s one agency that was using 90 non-FedRAMP-authorized services. So frustrating, I think, for the government, but also frustrating for cloud service providers, because then why are we doing this?

Tom Temin
Right. And the term cloud service providers has really expanded in the last 10 or 12 years. Early on, people thought it was the basic cloud operators, the infrastructure companies, Google, Amazon, Oracle and Microsoft. But really, it’s thousands of companies that offer any kind of software as a service hosted in a cloud.

Michael Borgia
Absolutely, yeah, there are many different models. And if you want to deep dive into the FedRAMP materials, you can learn about infrastructure as a service and platform as a service and software as a service and almost anything else as a service. But this is just a larger IT issue, even private sector purchases of cloud services. This is where they’re going. Moving off of on-premises infrastructure and internally developed software, internally maintained data centers. All the software, all the servers, moving towards the cloud. So you’re right, it’s a multilayered ecosystem. And so now, many, many, many, even the most kind of innocuous software purchases, could implicate FedRAMP, because so much is coming from the cloud and, especially, from SaaS, software as a service.

Tom Temin
We’re speaking with attorney Michael Borgia. He’s a partner at Davis Wright Tremaine. And you’re also writing that, perhaps, this law can speed up the authorization, or speed up the acceptance of companies into FedRAMP to become authorized. Because that’s been a big complaint, how long it takes and how expensive it is. How can the law boost that process?

Michael Borgia
Well, I think an under-discussed part of the law, and it’s only just been passed in December, so we’ll see. But the under-discussed part is the structural changes in the law. It’s kind of amazing, given the importance of FedRAMP. And I have to give them credit for how much they’ve been able to accomplish, despite the fact that FedRAMP is run by the Joint Authorization Board, the JAB. Which is made up of the CIOs of the [Department of Defense (DoD)], [Department of Homeland Security (DHS)] and [General Services Administration (GSA)]. If those are not the largest three agencies, they gotta be up there. So it’s almost treated this as like a side hustle for those people. That’s a massive job, being the CIO of DHS or DoD. And yet, they’re also doing this, and there’s not even a separate appropriation for it. So I think one of the important things that this law is going to do that doesn’t seem that exciting, but I think could have real changes, is actually starting to, in law, in statute, build out formal responsibilities, apportioning those amongst different agencies. I think giving those CIOs some help, actually adding potentially members to the FedRAMP board, which is, I think, a board newly created by this law, that will have some oversight and guidance. I think that, while there’s nothing directly in the law that says, ok, if you do X, you will speed it up. I think the hope is that by formalizing this, by better apportioning responsibility, by bringing in more stakeholders, that it will get better, it will get faster. Because you’ve got to have, hopefully, more people who are really dedicated to this and really trying to see it through.

Tom Temin
Right. And you mentioned too, that the GSA gets lots of specific responsibility. Develop, coordinate, implement a process to support agency review. Develop and publish templates, best practices, technical assistance and other materials to support authorization. To what extent have they done that so far?

Michael Borgia
So it’s interesting, I think that the way, and we’ll have to see how this all comes down. But as I read the law, GSA mostly maintains its current responsibility. But when you look at the provisions, I think it actually gets into more substance as well. So I think we’ll see GSA just have more responsibility and more action in general. So right now, under the current program, that predated the law, back since 2011, GSA is, I guess, true to name, the administration. They have the Program Management Office. And they put out guidance, they create templates, they are, kind of, the day-to-day workhorses of the program. And they’ll still do that here. But there’s an interesting provision that also empowers them to actually grant FedRAMP authorizations. And I’m interested to see how they implement that. I haven’t seen any discussion from FedRAMP or from the GSA about that yet. But I think that one of the goals here is to put more into GSA, let GSA run this. Again, maybe not have to do so much through the JAB. Because, again, I’d have to imagine the JAB was just tapped out, given how busy those individuals are anyway. So run more through the GSA and hopefully streamline the process that way. And then you’ve got the [Office of Management and Budget (OMB)], you’ve got the FedRAMP board and you’ve got this advisory committee. So you have lots of people, lots of cooks in the kitchen, still kind of offering their advice and guidance on how to improve the program.

Tom Temin
And the whole thing has a sunset provision, too.

Michael Borgia
I have not seen any discussion of that. But I think that’s fascinating. So five years and then a sunset, I don’t know. Perhaps that was just an effort to say, look, if this goes badly, then we’ll all undo it and we’ll go back to what we had. And what we had was ok. But I’m hopeful, cautiously optimistic, I would say, that this is going to make the program better, more formal. More of a full-time job, and push these things through faster and get a better experience for cloud service providers.

Tom Temin
And just a detail here because the OMB director, by law, gets a lot of responsibilities here. They have to make a report each year to the GAO. So it’s a little bit of bureaucracy spreading here. In a practical sense, who in OMB would actually get this responsibility? Would it be the federal CIO?

Michael Borgia
Well, it all comes down to the director. I assume the director will probably have designees. And in the statute it all comes back to the director. So high level, which I think is good, but we’ll have to see who, actually. It would make sense if it was the CIO or someone in information technology, information security.

Tom Temin
Right, because the law always says the director or the administrator or the agency head, but the reality is someone’s belly button gets pushed by that director, administrator or agency head.

Michael Borgia
Yeah, well, let’s hope so. Because again, those are very busy people. So that’s my expectation is, I think, OMB has a lot of oversight responsibilities here defined in the law. They already did, they did have a lot of oversight. So I think we’ll still see OMB play quite a strong role in this. And they’re a little bit of the man behind the curtain. You’ve got the FedRAMP board, you’ve got the advisory committee, but they still have a lot of responsibility to make recommendations. And I think, too, to shape what these other bodies look like, so they’re not going away.

Tom Temin
Well, the man behind the curtain eventually floated away in a balloon, so let’s not keep that in mind. But bottom line, this will enhance adoption of cloud computing, do you think, by the federal agencies?

Michael Borgia
I think so. I think what I’m most hopeful of, in a way, is that this will make things easier for more medium-sized and smaller cloud service providers as well. I want to make it easier for larger ones as well. But I think where a lot of the struggle here is, is that more medium and small cloud service providers, and as you said, this doesn’t just mean infrastructure providers. This could mean any software vendor that has cloud services and a SaaS model. And they have, I think, especially struggled to go through the arduous FedRAMP authorization process and then get told, well, I’m sorry, that’s actually not enough for the second agency, you’ve got to go through it again, or go through other things. To make matters worse for them, you may also be familiar with StateRAMP, which is a nonprofit organization that has created somewhat of a parallel to FedRAMP for states and local governments. And many small and medium-sized businesses want to get in there and provide software for school boards, for City Hall, things like that. Well, one of the ways you can do that is by already being FedRAMP authorized. So if being FedRAMP authorized is really hard for a small business, now it’s a real kick in the teeth to then say, well, now it’s even harder to get into City Hall. So I’m hopeful that it will streamline the process for everyone. In particular, I’m hoping that for the smaller and medium-sized businesses, it will enable them to get authorized. Because right now, I think the authorization process is a huge barrier for those. Which is bad for competition.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.