Making the General Services Administration’s (GSA) FedRAMP (Federal Risk and Authorization Management Program) process more efficient for cloud service providers appears to be on the radar of the Office of the National Cyber Director (ONCD) as the ONCD moves toward the implementation planning phase of the National Cybersecurity Strategy released last month.
That’s according to Acting National Cyber Director Kemba Walden, who spoke briefly about the FedRAMP process during a panel discussion hosted by the Atlantic Council on April 6.
The 11-year-old FedRAMP program is operated by GSA to provide a standardized, government-wide approach to security assessment, authorization, and continuous monitoring for cloud products and services used by Federal government agencies. Congress acted late last year to codify the program into law, and set in motion the process to make improvements to the program.
Walden fielded a question at the Atlantic Council event about the sometimes lengthy FedRAMP process, and whether there were any discussions happening to make the process more efficient and, in doing so, improve public-private partnerships with the goal of boosting cybersecurity.
Walden explained that the new cybersecurity strategy sets out goals to “harmonize regulatory burden, find reciprocity where we can, [and] find gaps where we’re not using our regulatory authority to raise cybersecurity requirements for those that aren’t really investing in cybersecurity – but as we do that, doing it in full consultation with both regulators and industry that has to bear that burden.”
“On FedRAMP specifically, I understand the challenges, so does GSA,” Walden said.
Walden said she has spoken with GSA Administrator Robin Carnahan, and continued, “we are working through that, that particular complication, together with the ATOs [authorizations to operate] and the time and the delay that it takes, so we acknowledge that.”
“The more we hear from practitioners, the better we can serve practitioners,” Walden said. “So we’ve heard it loud and clear, and we’re trying to find an opportunity.”
“The other pet rock, as my staff likes to talk to me about, that I have is not just harmonizing regulations, but harmonizing standards in general,” she said. “I think there’s a lot of work to be done so we invest properly in cybersecurity and rather than compliance or ATOs or whatever it is.”