WASHINGTON—The Federal Risk and Authorization Management Program (FedRAMP), which assists government agencies in assessing cloud computing services for security, has gone through several rounds of improvement, but still needs work. A new report released today by the Information Technology and Innovation Foundation (ITIF), the leading think tank for science and technology policy, shows that the program is slow, expensive, and in need of reforms as cloud services become more important to federal agencies.
“FedRAMP needs additional upgrades,” says Michael McLaughlin, a research analyst at ITIF who authored the new report. “While FedRAMP has improved since its inception, the program is still slow, expensive, and inconsistent across federal agencies. If government is ever going to match the kinds of operational improvements and efficiency gains that the private sector has achieved by moving to the cloud, then Congress and the administration must do more to improve the FedRAMP program and provide it with the necessary funding to hire more people to review cloud services promptly.”
Created in 2011, FedRAMP’s assessment procedures are mandatory for most federal agency cloud deployments and assist agencies in complying with the Federal Information Security Management Act, which requires agencies to implement security programs to protect government information. An efficient FedRAMP process makes it easier for agencies to procure secure cloud services, which, in turn, lowers the risk of these agencies being exposed to security breaches and attacks.
Yet the program’s long timelines has created barriers for businesses offering cloud services to the government and has slowed agencies’ access to services that increase efficiency and reduce costs. ITIF urges Congress and the Trump administration to provide FedRAMP more funding, implement measures to standardize the authorization process across agencies, and launch pilot programs to experiment with ways to overhaul how FedRAMP reviews and authorizes cloud services.
“The FedRAMP authorization process is inconsistent across agencies,” says McLaughlin. “This issue foments distrust between agencies who should be re-using each other’s authorizations to minimize redundant security reviews. Congress should pass FedRAMP reform legislation that provides the necessary tools to efficiently and continuously support federal agencies in their efforts to adopt essential technologies.”