Today we are excited to announce that our first CSP crossed the FedRAMP Accelerated authorization line – Microsoft Customer Relationship Manager Online (CRMOL) was issued a Provisional Authority to Operate (P-ATO) by the Joint Authorization Board (JAB) on September 22, 2016.
FedRAMP Accelerated is showing major returns on decreasing authorization timeframes. Microsoft completed the authorization process in just 15 weeks. Compared to the last authorization which took two years to complete, CRMOL was authorized six times faster! While there are a lot of reasons why this authorization was faster, there are two key elements to the process that enabled an authorization in under four months: CSP readiness prior to the authorization process demonstrated through capability assessments and an iterative review approach for the authorization process.
Prior to kicking off: Moving from documentation to capabilities reduced CSP time from 40 weeks to 10 weeks
FedRAMP introduced the FedRAMP Readiness Assessment conceptually in March and finalized the requirements last month. The readiness assessments replaced reviews by the Project Management Office (PMO) on documentation and instead focus on key capabilities of CSPs validated by a 3PAO. These readiness assessments ensure that CSPs entering the FedRAMP authorization process have the key technical capabilities in place prior to beginning an authorization. This ensures vendors won’t have to introduce new technologies or engineering updates to their system during authorization. This reduces overall costs for vendors as well as ensures the authorization process isn’t delayed due to vendors implementing new solutions to meet the FedRAMP requirements mid authorization process. The change from documentation reviews to capability reviews took CRMOL 10 weeks compared to our most previous ATO which took 40 weeks.
Authorizations process: Moving from a waterfall approach to iterative reviews reduced authorization time from 104 weeks to 15 weeks
The PMO also worked with the JAB to employ a more iterative, or agile, review approach to the authorizations. Previously, the JAB review process was focused on a waterfall like approach designed with key stage gates – focusing on documentation, then testing, then reviews of risks. The new FedRAMP Accelerated process, with capabilities and risk assessments upfront, enable the JAB to complete faster, more iterative reviews allowing for key questions or concerns to be raised faster and up front in the process. This iterative approach along with the capabilities enabled CRMOL to achieve a much more effective approach – only 15 weeks to an authorization – compared to 104 weeks for our most previous ATO.
We are continuing FedRAMP Accelerated with two other organizations – Unisys’s Secure Private Cloud for Government and Edge for Government and 18F’s Cloud.gov. We expect these authorizations by the end of the year and to follow similar timelines for authorizations under six months. We look forward to continuing our partnership with them and supporting their progress through this new process.
If you’re a CSP looking to be considered for prioritization into the Accelerated Process, please watch this space for information regarding prioritization by the JAB which we are finalizing in the coming weeks in coordination with the Federal CIO Council and OMB. Additionally, review the FedRAMP Accelerated process overview and Readiness Assessment Report.
Thanks to everyone who had a hand in this success!