The program could move to cover high security requirements or standardize service-level agreements for agencies and providers.
The Federal Risk and Authorization Management Program is an evolving entity, intended to grow and morph as agencies increase their use of cloud computing. Here are two things that a future version of FedRAMP might include that could expand the situations it covers and improve its uptake:
As the comfort level of agencies with both cloud computing and FedRAMP increases, many observers think the next level will be for FISMA high security requirements to join the low and moderate requirements that FedRAMP already covers. That will help alleviate many of the concerns people now have with some data security needs not being covered by the FedRAMP baseline, they say.
But it’s not that obvious, according to Maria Roat, director of FedRAMP at the General Services Administration. At meetings where the subject has come up, she’s been throwing back the question of whether the demand is for “high, high, high” security or just high availability of the data. Only about 12 percent of the needs across government are at the high level, she said, with the rest at low or moderate.
“When organizations such as intelligence agencies need a high (security) baseline, they keep the data in private clouds in their own data centers,” she said. “So far, agencies really aren’t stepping up and saying they need high confidentiality for FedRAMP.”
Right now, agencies have to negotiate their own service-level agreements with cloud providers around FedRAMP, which takes time and can provide headaches for many, particularly given that most agencies will use two or more companies to provide services.
“There is no FedRAMP SLA equivalent today,” said Kevin Jackson, vice president and general manager of cloud services at NJVC. “I think a minimum set of SLAs for agencies across government would be a good thing [for the FedRAMP program], and that’s a good role for GSA to take on.”
The question of a standardized FedRAMP SLA is something that many agencies have brought up, Roat said.
“We don’t have a good answer for it yet,” she said, “but it’s something we are looking at.”