On March 28, 2016, the Federal Risk and Authorization Management Program (FedRAMP) Program Management Office (PMO) introduced the revamping of FedRAMP Ready to include a FedRAMP Readiness Capabilities Assessment.
The goal of the updated FedRAMP Ready process is to allow cloud service providers (CSP) to demonstrate security capabilities through an assessment by an accredited Third Party Assessment organization (3PAO), rather than through a documentation review by the FedRAMP PMO. The objective of the modified program is to enable CSPs and agencies to achieve FedRAMP authorizations faster, without negatively impacting risk and quality of security packages. With the FedRAMP Ready announcement, new questions arise relating to how FedRAMP Ready will truly impact a CSPs capability to sell services to the government. What will achieving FedRAMP Ready mean for CSPs?
Based on input from Lunarline customers, it is widely perceived that a CSP must be included in the FedRAMP repository as a pre-requisite for bidding on a cloud services contract. Although the wording is not always consistent, a request for proposal (RFP) will mandate the CSP to be “FedRAMP Compliant,” “FedRAMP Certified” or “FedRAMP Authorized.” The requirement for being included in the FedRAMP repository can be a major obstacle for CSPs, especially small business that must balance FedRAMP against the return on investment (ROI) for integrating the security controls and implementing continuous monitoring. Although the process may be straightforward, there are significant costs associated with maintaining the appropriate number human resources to preserve security readiness. If RFPs require a CSP to be included in the repository prior to bidding, does FedRAMP Ready help the FedRAMP PMO achieve its metric goals?
Per a recent conversation with the FedRAMP PMO, Lunarline has been advised of the following regarding a CSP’s ability to bid on federal contracts:
CSPs without existing ATOs (Authorization to Operate) are allowed to bid on contracts. Agencies can request that a CSP has a timeline for obtaining an ATO, but should not limit the request to CSPs with ATOs. Please contact the FedRAMP PMO if an agency is doing such an action.
Lunarline’s experiences do not support the PMO’s comments that CSPs are allowed to bid on federal contracts without being in the repository. Currently, government contracting officers do not provide CSPs with the ability to request the government review a FedRAMP package for risk acceptance during the contract bidding process. The CSP must be fully FedRAMP compliant or the cloud service can’t be procured. Will the government accept FedRAMP Ready in place of the terminated FedRAMP CSP-Supplied path?
Based on information available to 3PAOs and CSPs, Lunarline is unsure if FedRAMP Ready will be a game-changer for anyone besides the PMO. The costs associated with the capabilities assessment must now be included as part of budgeting for FedRAMP on top of the existing full independent assessment. Although the PMO states CSPs are not required to achieve an ATO, there is no indication federal contracting officers will include FedRAMP Ready as part of the contract award process. There also aren’t guidelines describing the depth of testing or test cases for the readiness assessment. There are no instructions related to a 3PAO’s ability to use the results of the capabilities assessment as part of the formal FedRAMP assessment.
Ultimately, does FedRAMP Ready simply shift the burden of reviewing the FedRAMP package from the PMO to the 3PAO? Is there any additional value to a CSP?
Lunarline is interested in hearing feedback from CSPs currently working through the FedRAMP process. How does FedRAMP Ready impact the CSP? Does the removal of CSP-Supplied impact the CSP’s project plan? Has the CSP reviewed RFPs that mandate FedRAMP compliance as part of the requirements? Please send your comments to firstname.lastname@example.org.