As the deadline approaches for cloud providers working with federal agencies to meet security controls, the General Services Administration (GSA) is preparing to get companies through the approval pipeline.
Cloud service providers either currently working with federal agencies or interested in doing so must meet certifications under the Federal Risk and Authorization Management Program (FedRAMP) by June 5. Critics have suggested that the government will not strictly enforce the deadline, which would undermine the certification's credibility. Maria Roat, the GSA administrator overseeing FedRAMP, said that even without the program, cloud providers would still need to comply with the Federal Information Security Management Act (FISMA).
“Regardless of FedRAMP, cloud providers have to be authorized,” she said in an interview with Defense Daily. “It’s not like the agencies can do nothing and the cloud providers don’t have to comply with anything.”
FedRAMP simply made the approval process a lighter workload with lower costs, which should appeal to both agencies and companies, she said.
“What FedRAMP initiated was the do-once, use-it-many-times model,” she said.
Cloud service providers can seek approval via two methods: a general authorization to work with any agency from the FedRAMP office itself or an authorization gained in partnership with an individual agency. For small businesses, there is also a third route to become a cloud service supplier.
Eight companies are currently listed in the “ready for kickoff” phase, meaning that they have not started the process with the FedRAMP office or with an agency, but they have demonstrated readiness. To accelerate the process, Roat said her office has reached out to companies in the kickoff phase to see if they can be paired with an agency that will guide them through authorization. Eventually, when the company gains a wider footprint, it can apply for the government-wide approval. She also encouraged companies to reach out to her office directly.
“For those that are waiting for kickoff, they know where we are,” she said.
As for the June 5 deadline, the Office of Management and Budget (OMB) will be the official enforcement arm. OMB uses its PortfolioStat system every quarter to assess how agencies’ cloud adoption progresses and will use that feature to “drive discussions,” she said. Roat’s office worked with OMB to make the questions more specific and more informative. The questions now ask for details on which providers the agency has engaged and when it expects to issue authorizations.
“They really weren’t capturing the information that was needed. The questions were more general,” she said.
Agencies already in process will continue with FedRAMP after the deadline, Roat said. The deadline also does not mean that a future cloud service provider will never be able to work with government.
In addition to the deadline, critics have also noted that the third-party audit organizations (3PAOs) that verify providers meet the security controls have not received much business from FedRAMP and may stop paying to remain 3PAO certified. While only eight of the 27 3PAOs are listed as having audited a company, Roat said more than that were actually receiving business. She said a number of 3PAOs were working with small businesses and others were providing consulting services. The 3PAOs have to remain independent, but they are able to analyze a provider's security controls before it starts the FedRAMP process, so long as they do not provide recommendations.
Roat also anticipates the number of 3PAOs to follow the market.
“I expect the 3PAO community to change over time as businesses change their business model,” she said. “We have 27 3PAOs and that may shrink some.”
As for FedRAMP's next steps, Roat said she plans to publish modifications to the FedRAMP security requirements next week. The changes will bring the program into line with Revision 4 of the National Institute of Standards and Technology's (NIST) 800-53, which provides the baseline security and privacy controls for federal IT. The fourth revision was published in April of last year.
“We look at those controls and make sure it makes sense in the cloud environment,” she said.