FedRAMP Briefing
Matt Goodrich, JD, FedRAMP Director, GSA
August 2017
FedRAMP: LATEST STATS
- The program has been in existence for 5 years, formally launching in June 2012.
- We have DOUBLED the number of cloud providers and authorizations each year since launch.
- We currently have 86 authorized Cloud Service Providers; 33% of those that are authorized are small businesses.
- Since inception, agencies have re-used authorizations 505 times. That means every authorization has been reused approximately 6x.
FedRAMP ACCELERATED & FedRAMP READY
FedRAMP Accelerated demonstrated the PMO's ability to reduce JAB authorization timelines by over 75%.
- Transformed the ATO process to take less than 6 months
- Reduced timelines from 18-24 months down to approximately 4 months on average
- Still maintained the same level of rigor in reviews as the previous process
- Increased security reviews by incorporating Continuous Monitoring into the process
The key element of success was FedRAMP Ready:
- Many CSPs begin unaware of what gaps exist within their system
- This results in unforeseen costs and time for CSPs in the authorization process
- The FedRAMP Readiness Assessment Report helps identify a CSP's security implementations upfront in the process - for the government to understand the likelihood of success, and for a CSP to use as a self-assessment
FedRAMP CONNECT: OVERVIEW
The JAB will be selecting 12 vendors per year to work with for a FedRAMP JAB Provisional ATO (P-ATO).
FedRAMP Connect - Evolving the Selection Process
- To help evolve the program, the PMO worked with the JAB, OMB and the CIO Council to develop clear, transparent criteria to prioritize CSPs for working with the JAB toward a P-ATO
- Based on current resources and funding, the JAB has the capacity to authorize up to 12 CSPs a year
Selection Criteria
- Demand is now the number one criterion for prioritization; it is also the only requirement for prioritization
- There is also a range of preferential criteria applied when demand is considered equal (government cloud vs. commercial, High impact vs. Moderate impact, etc.)
Selection Process
- We received roughly 40 business cases for the inaugural FedRAMP Connect, held in early 2017
- We selected 14 vendors to pitch their services to the JAB and 13 agency CIOs and their representatives
- The JAB prioritized 7 vendors and has kicked off the authorization process
- Even if a vendor wasn't selected for the JAB, we are working closely with the vendors to identify an agency match - 6 vendors have been matched to date
Upcoming Milestones
- We are now accepting business case applications for the next round of FedRAMP Connect. Applications are due by 5pm on 25 August 2017, with the target date of the next FedRAMP Connect set for October 2017
FedRAMP TAILORED: OVERVIEW
Not all SaaS are created equal.
- FedRAMP was originally built around enterprise-wide solutions that would cover the broadest range of data types for cloud architectures at low, moderate, and high impact.
- FedRAMP Tailored addresses low-risk-use SaaS, focusing on things like collaboration, project management, and open-source code development.
You would not secure your 2017 Cadillac Escalade the same way you would secure your Huffy bike. You need a more rigorous security mechanism for the SUV, while a U-lock will suffice to secure your bicycle.
FedRAMP TAILORED: BENEFITS
Benefits of FedRAMP Tailored:
- Balance: The new baseline will provide agencies with the agility to leverage valuable services while maintaining the appropriate level of security.
- Simplicity: The SSP, SAP, SAR, and Remediation Plans are combined into a single document (defined control-by-control). Separate attachments for the risk summary table and Plan of Action & Milestones (POA&M) are used for the initial ATO and ConMon.
- Speed: This process can be completed in as little as 4 weeks.
- Economical: The simplified ATO documentation means agencies and SaaS providers save time, effort, and costs.
- Secure: The security is commensurate with the risk (a total of 36 controls).
Questions?