
FedRAMP Announcement Designed to Speed Path to the Cloud

04/27/2016  |  By: Sese Bennett, CISSP, CISM, QSA, ITIL, HITRUST CSF, Senior Manager, Information Security



Cloud computing makes sense for many organizations. Typically it offers a way to quickly scale and maintain IT operations, usually at a significant cost savings.

But as vendors doing business with federal agencies -- or the agencies themselves -- know all too well, moving to the cloud isn’t quite as easy as it is in private industry. Compliance with a standardized security protocol known as the Federal Risk and Authorization Management Program (FedRAMP) entails a lengthy authorization process that requires periodic reviews, as well as keeping tabs on a steady flow of program updates.

The good news is that federal authorities have issued proposed guidelines that could accelerate FedRAMP certification. On March 28, the FedRAMP Program Management Office issued a draft of its new readiness capabilities, which could result in wait times closer to six months, down from the current window of about 12-18 months for organizations seeking certification through the Joint Authorization Board (JAB).

This helps companies working with federal agencies in several ways. First, it will allow firms with products or services that can benefit federal agencies to get their cloud-based products to market more quickly.

Second, it requires more ongoing, consistent security assessments, bringing the process more closely into line with traditional security models. The reason is that under the present FedRAMP certification procedure, companies typically focus on documenting their security capabilities first, then demonstrating their security competency later. Under the newly proposed FedRAMP authorization rules, this order would likely be reversed, requiring demonstration of capabilities first, and documentation second.

Finally, the update integrates the functionality of the CSP Supplied certification path, which is scheduled to be phased out by April 30, 2016, into one consistent JAB approval process. This should help to reduce some of the confusion many companies experience when trying to define their path to FedRAMP certification.

The program was developed in 2010 by a handful of government agencies, including the Departments of Defense and Homeland Security, to help smooth the path for firms by creating a single, clear security framework for cloud service providers and end users. The idea was, and still is, “do once, use many times.”

This latest proposal by FedRAMP officials is designed to help ease that compliance burden even more, while still providing a reasonable level of security around cloud computing for federal agencies.

Public comments on the new guidelines are being accepted from now until April 29, 2016.

Sese Bennett is a Senior Manager in the Information Security practice at LBMC, a premier Tennessee-based professional services firm. Contact Sese at 615-309-2420.
