
FedRAMP 20X: Moving Beyond "In Process"


Adam Shnider

EVP, Assessment Services, Coalfire

April 7, 2025

Now that the FedRAMP PMO has communicated the new way forward, including the role (or lack thereof) of the PMO in new authorizations and the working groups meant to pave a simpler, faster path to authorization, it is time to reconsider the “Authorization Status” indicators. The current authorization status system doesn’t align with the approach announced with FedRAMP 20X. Specifically, the "In Process" designation was used to indicate that an agency intended to authorize a CSP, which gave the PMO an idea of how its review queue would build up over the next 12 months. It's time to consider a more flexible approach that empowers agencies with greater choice, accelerates the adoption of secure cloud services, and replaces this status with “3PAO Recommended”.

The Current Landscape: A Stalled "In Process"

FedRAMP CSPs work with their initial authorizing agency to establish an intent to authorize and develop a plan for the CSP to obtain an ATO. After the FedRAMP PMO receives the required confirmation from the agency, the CSP is listed on the Marketplace as “In Process” for a period of 12 months. During this time the CSP undergoes the 3PAO assessment and develops its ATO package.

Coalfire has had many experiences where “In Process” status ran well past the 12-month window because an extension was granted while the package waited in the PMO backlog. With FedRAMP working through that backlog at a rapid pace and stepping out of the way, this extended wait will be a thing of the past.

This "In Process" limbo can be frustrating for both agencies and cloud providers. Agencies, eager to leverage innovative cloud solutions, are often forced to wait. Cloud providers, having invested significant resources in the assessment process, see their progress stalled. 

However, as Pete Waterman, FedRAMP Director, stated, this is changing and cloud service providers will work directly with agencies for authorization. The FedRAMP PMO will utilize presumption of adequacy to enable a more efficient review process.

A Proposed Shift: Empowering Agency Choice with “3PAO Recommended”

With this shift in the FedRAMP PMO's role in authorization, a change should be considered to empower agency choice. To that end, Coalfire proposes a shift in the authorization status indicators. Instead of the current "In Process" status, the Authorization Status options should be updated to indicate "3PAO Recommended." This would signify that the CSO has undergone an independent assessment and, according to the accredited 3PAO, meets the necessary security requirements. Oh yeah, and while they are at it, let's remove the “Ready” status as well. It was previously used to denote that a CSP met a baseline of controls, but it would be unnecessary alongside the “3PAO Recommended” status.

Benefits of the "3PAO Recommended" Designation:

  • Increased Agency Flexibility: Agencies would gain access to a wider pool of assessed CSOs, enabling them to make informed decisions based on their specific risk tolerance and operational needs.
  • Accelerated Adoption: By removing the "In Process" bottleneck, agencies can expedite the deployment of secure cloud solutions, fostering innovation and efficiency.
  • Risk-Based Authorization: Agencies could leverage the "3PAO Recommended" status as an indicator of security posture, allowing them to focus on agency-specific risk assessments and authorization decisions.
  • Increased Market Competition: This change allows for faster market adoption of cloud services and increases the speed of competition between vendors.
  • PMO Focus: This change would allow the FedRAMP PMO to focus on standards, oversight, and high-risk or complex authorizations, as necessary.

Moving Forward: A Collaborative Approach

This change is not about lowering security standards. Rather, it's about empowering agencies to make informed decisions based on third-party assessments and their specific risk profiles. It's time to move beyond the "In Process" and “Ready” bottleneck and embrace a more dynamic and responsive FedRAMP marketplace and indicate to agencies the offerings that have been recommended by 3PAOs. Contact Coalfire for help moving past "in process". 

Join the 3rd annual RAMPcon event in Washington DC!

On June 9-10, Coalfire is hosting an intensive two-day conference at the Ronald Reagan building where industry leaders, government officials, and compliance experts converge to explore the evolving landscape of FedRAMP and public sector compliance. This event features technical deep-dives, business strategy sessions, and expert panels addressing the most pressing challenges and opportunities in public sector cloud security.
