The Federal Risk and Authorization Management Program, known as FedRAMP, is supposed to make it easier for agencies to use commercial cloud computing. FedRAMP, as policy, has been around for a dozen years, but only became law at the end of last year. Will that make a difference? For one view, the Federal Drive with Tom Temin spoke with attorney Michael Borgia, a partner at Davis Wright Tremaine.
Tom Temin
You have been watching FedRAMP for quite some time now. And the usual things people say about it still apply. The vendors say it takes too long to get certified. And agencies seem to want their own certification, anyway. So it’s there, everybody admires it. It’s been part of cloud. But how can this new law, maybe, further things a little bit?
Michael Borgia
Well, it’s a great question. And to a large extent, we’ll have to see. I think that the law did some important things to discuss. But it could have gone further. I think it took somewhat of a measured approach, still tried to respect the basic framework we got from [the Federal Information Security Management Act (FISMA)], back in 2002. Ultimately, it comes down to the agencies and figuring out their own authorization. So they could have blown that up and they could have said, no, it’s going to be decided for you, but they didn’t. So we’ll have to see. There are a few things I think this law does that are very interesting. What you’ve seen, if you’ve read about this, is a lot of discussion of what’s called this presumption of adequacy. I would liken it to sort of a thumb or something on the scale. It is not requiring agencies to take previous authorizations from other agencies or from the [Joint Authorization Board (JAB)] or whatever we have going forward. But I think it’s trying to push them in that direction. So essentially, in nonlegal terms, what the presumption of adequacy says is that, if a cloud service has gone through FedRAMP, one way or the other, and has an authority to operate or an authorization to operate, as it’s called in the statute, or a [Provisional Authority to Operate (P-ATO)], things like that, then another agency must presume that authorization is adequate for its own authorization. It doesn’t have to take it 100% of the time; there are some kind of outs in the law, and the agencies are still empowered to decide that they need more security controls than the FedRAMP ATO might provide. But again, it’s a finger on the scale to say you have to presume that. There’s a sort of parallel provision that says something that is, sort of, almost painfully obvious, but important; it kind of speaks to the frustration of [cloud service providers (CSPs)] in the space, that agencies have to check.
They’re required to check the database and actually know, has this thing been authorized yet? So it almost seems silly. But yeah, I think that’s kind of where we are…