For DOD cloud vendors, a FedRAMP Moderate rating will soon be enough
Cloud service providers will no longer need to wait for separate Department of Defense authorization if they’ve already met the Federal Risk and Authorization Management Program’s Moderate baseline.
Starting in late July, DOD will issue general provisional authorizations for any provider with a Provisional Authority to Operate (P-ATO) from the FedRAMP Joint Authorization Board (JAB), said Jack Wilmer, the Pentagon’s deputy chief information officer for cybersecurity.
P-ATOs allow the government to evaluate cloud service offerings once and then reuse them, with JAB estimating 722 agency reuses for a savings of $180 million through June 1.
Until now, DOD has expected providers to meet 38 Committee for National Security Systems cybersecurity controls — on top of FedRAMP’s 325 Moderate baseline requirements — before allowing them to process any controlled unclassified information. Only then do systems receive provisional authorization, a process that takes an additional one to six weeks.
“As the department continues its transition to the cloud, it is becoming more important to increase the speed of authorizations for new cloud capabilities,” said Wilmer, one of three JAB chairs, during Wednesday testimony before the House Oversight Committee.
The use case will cover the “vast majority” of the 120 provisional authorizations DOD has issued to date, he added.
Only 20 cloud services needed additional assessments, and, all told, DOD has used FedRAMP to make about 140 cloud offerings available.
“We continue to review opportunities to improve authorization timelines through communication with vendors and interagency stakeholders,” Wilmer said. “And we strive to achieve as much consistency as possible between the FedRAMP and DOD security control baselines.”