Government Experts Tell Congress that FedRAMP Needs Some Work
After five years in use, the federal approval process for cloud services offers benefits, amid some challenges.
Officials from several federal agencies testified on Wednesday as to the effectiveness of the government’s cloud accreditation process, the Federal Risk and Authorization Management Program, with mixed reviews. Most witnesses before the U.S. House of Representatives Committee on Oversight and Reform’s Subcommittee on Government Operations hearing, entitled To the Cloud! The Cloudy Role of FedRAMP in IT Modernization, confirmed the positive benefits of the program. FedRAMP, as it is known, provides a vehicle under which companies with commercial cloud products and services can apply to sell to the government and military.
Witnesses told lawmakers that while FedRAMP has eliminated redundancies and reduced costs as part of its cloud security authorization process, challenges remain.
Jack Wilmer, DOD's deputy CIO for cybersecurity, testified that FedRAMP has been a “major benefit” to the department, although the military still has to meet the Committee for National Security Systems (CNSS) cybersecurity requirements for National Security Systems, which go beyond the authorizations of FedRAMP. As such, the department uses FedRAMP as a baseline in its DOD Provisional Authorization (PA) process. DOD adds up to 38 additional controls to meet the unclassified CNSS cybersecurity requirements for Controlled Unclassified Information.
“As the department continues its transition to the cloud, it is becoming more important to increase the speed of authorizing new cloud capabilities,” Wilmer acknowledged. “One change we are making in this regard is that a universal PA will be issued for storing and processing of DOD public information on any cloud service offerings which are assessed at the FedRAMP moderate baseline.”
Meanwhile, Joseph Klimavicz, deputy assistant attorney general and CIO at the Justice Department, told the lawmakers that FedRAMP has enabled the department to “efficiently implement cloud solutions in a secure manner.”
To date, the Department of Justice has 18 Joint Authorization Board provisional-authority to operate (ATO) certifications for cloud providers and nine ATOs sponsored by other agencies. In addition, Justice sponsors nine ATOs that can be used by other agencies, he stated.
The department also has included FedRAMP requirements in its acquisition policies and contract language, which has led to contract awards in which the vendors are accountable for the implementation of cloud security controls, Klimavicz said.
The deputy assistant attorney general/CIO raised several areas for FedRAMP improvement. FedRAMP helps to reduce administrative and cost burdens for cloud service providers, as well as agencies, through the reuse of provisional ATOs. However, he said, many providers do not understand which security controls to prioritize and implement. In addition, the process that third party assessment organizations use to assess compliance “results in less standardized outputs and lengthened review times,” Klimavicz said. “Agency-level ATOs can be difficult to share because residual risk from tailored or risk-accepted controls are inherently different between entities. Furthermore, the residual risks are not consistently documented.”
He noted that small companies still need support to understand and implement cloud security requirements in a more automated and cost-effective manner, so that the government can leverage their advanced technologies at lower costs.
Also, FedRAMP does not address all federal security mandates. “For instance, personnel security does not extend to requiring U.S. citizenship, data residency is not limited to United States territories, and continuous diagnostic monitoring capabilities are inconsistently implemented,” the deputy assistant attorney general/CIO said.
Klimavicz stressed that federal agencies must still assess controls not implemented by cloud service providers and provide the required continuous monitoring of the cloud-based IT systems over the whole operational lifecycle.
Meanwhile, the U.S. Department of Health and Human Services (HHS) has authorizations for nine unique cloud offerings and uses more than 60 FedRAMP certified cloud technologies and services, reported Jose Arrieta, HHS CIO.
Arrieta identified several challenges of FedRAMP but stressed that the benefits of adoption and migration to the cloud outweigh the problems. The issues include: (1) less access for smaller businesses to get FedRAMP certification, given their inherently lower financial resources and personnel than larger companies; (2) a remaining lack of awareness “in some pockets” of the federal sector about FedRAMP; (3) decreasing commitment of cloud service providers to maintain risk mitigation after FedRAMP authorization; and (4) few penalties for noncompliance of cloud providers.
In regard to penalties, Arrieta said HHS has pursued “its own process to handle these issues, but we would encourage standardized, government-wide process for FedRAMP oversight and enforcement in such situations.”
The CIO added that the rigor of the FedRAMP process has led to “a number” of state agencies that prefer to use FedRAMP-authorized cloud products, especially when their respective state governments do not employ cloud security standards.
“HHS has experienced great success with the adoption of cloud services, technologies, and capabilities leveraging the FedRAMP program,” Arrieta said. “It provides the government with a consistent and repeatable model for assessing and understanding the risks associated with cloud-based products, and reduces overall level of effort by promoting reuse of FedRAMP documentation.”