FedRAMP Process Takes the Heat on Capitol Hill

Rep. Gerry Connolly, D-Va., debated two workforce-related bills Tuesday. (Photo: Jessie Bur, MeriTalk)

A “fireside chat” brought the heat to Capitol Hill on Thursday.

Members of the Cloud Computing Caucus delivered a scathing review of the FedRAMP certification process, but also strong words of advice, to a roomful of Federal workers and private contractors at the Fix FedRAMP forum.

FedRAMP Fast Forward Industry Advisory Group chair Steve O’Keeffe led a panel discussion in the Rayburn House Office Building on Capitol Hill, along with Reps. Gerry Connolly, D-Va., and Ted Lieu, D-Calif., both co-chairs of the Cloud Computing Caucus.

Rep. Ted Lieu, D-Calif., speaks at the FixFedRAMP event on March 3 in Washington, D.C. At top, Rep. Gerry Connolly, D-Va., addresses the audience. (Photos: Jessie Bur, MeriTalk)

The original goal of FedRAMP was to eliminate the barriers for cloud service provider (CSP) vendors to work at Federal agencies. Yet, more than five years in, many vendors are wondering if FedRAMP has created more obstacles than it has knocked down.

“This room would not be filled if there weren’t problems with FedRAMP,” Connolly said, to the packed room.

The slog that the FedRAMP certification process has become has caused frustration and uncertainty among many cloud service providers and policymakers.

In anticipation of this discussion, Lieu contacted the General Services Administration, the agency that oversees the FedRAMP process, to ask a simple question: “Why is it (FedRAMP) so effed up?”

Lieu said he would deem the FedRAMP process successful if CSP vendors receive certification decisions in a reasonable amount of time, know how far an application has moved along in the process, and understand what is coming next.

He said GSA did not give concrete answers to the problem but said it wanted to make the process more transparent.

Connolly agreed. He also encouraged the private and public sectors to collaborate and share information to help develop better FedRAMP best practices.

FedRAMP launched in 2011 with the goal of streamlining the certification process for CSP vendors looking to provide cloud computing services to Federal agencies. Its stated goal was to standardize the process of certifying contractors.

“The real promise of FedRAMP—embodied in the ‘certify once, use many times’ framework—has been jeopardized by what has become a costly and time-consuming process that lacks transparency and accountability,” according to a position paper drafted by the FedRAMP Fast Forward Industry Advocacy Group in 2015.

According to the MeriTalk website: “The position paper is the result of seven months of collaboration between members of the FedRAMP Fast Forward industry group, including cloud service providers (CSPs), third-party assessment organizations (3PAOs), Federal agencies, and officials from Capitol Hill.”

Yet FedRAMP confusion continues to hamper the certification process. In 2013, estimates put the FedRAMP Authority to Operate (ATO) process, beginning to end, at about nine months with a cost of $250,000 per vendor. In 2015, the position paper pegged the time for certification at two years and the cost at between $4 million and $5 million per vendor.

“It’s not easy, it is complicated, it costs too much, and it takes too much time,” Connolly said.

Some CSP vendors in the audience expressed concerns over retaliation from GSA and the FedRAMP Program Management Office (PMO). Many want to complain to Federal officials about the slow FedRAMP process, yet vendors said that if they do complain, the FedRAMP PMO may retaliate by denying their FedRAMP bid. According to O’Keeffe, some CSPs have already reported veiled threats to their Federal cloud business if they supported the recommendations of the Fix FedRAMP position paper.

“Reprisal is not to be tolerated,” Connolly said. He encouraged vendors to present any complaints or concerns to him or members of the Cloud Computing Caucus.

“We can be an advocate on your behalf,” Connolly said. “We can use both informal or formal ways of doing it.”

Before leaving, Lieu gave a glimmer of hope that the FedRAMP process would be fixed.

“Let’s make IT great again,” Lieu said.

  1. Anonymous
    I can't understand why GSA wasn't at this meeting to give their side. CSPs fear speaking up because of the possibility of being blacklisted. Maybe it's for new FedRAMP leadership at GSA.
  2. Anonymous
    There were GSA members present, but not from the FedRAMP PMO. To be honest, some of the frustration is misdirected at FedRAMP and really belongs with FISMA and how agencies must authorize information systems. FedRAMP did not change those fundamentals to the extent that some outside the government believe it did - or should.
  3. Anonymous
    Having had the opportunity to attend in person, it was stated multiple times that it took 14 months to gather and compile the information in the report. This information was provided to the GSA and feedback was given over that time period. My guess would be that the GSA did not attend for the simple reason that the facts are not being accurately portrayed. There are some valid points being made, but when it comes to the timeline disputes, they missed the mark. Whether we are talking about DIACAP, FISMA, RMF or FedRAMP, it takes time to get through any of these processes. If the vendors have not done their due diligence, created a secure architecture or their documentation is "effed up", then it will take longer than designed. If they try to do this without experienced security personnel, then it will take even longer. What I got out of yesterday's meeting was that agencies and the private sector still do not understand the process or requirements. This is nothing new when it comes to Certification and Accreditation or, in FedRAMP terms, Assessment and Authorization. Until they are educated we will continue to see these types of complaints.
  4. Anonymous
    It's not FedRAMP's fault that a large portion of those costs and delays are internal on the vendor side to achieve compliance with the technical and policy requirements. It would be a real shame -- and destroy FedRAMP's credibility with the security community -- if political pressure leads to a watering down of the security controls. That would send us back to square one, with each agency insisting on applying its own overlay entirely. At least now there is some common ground, although, as noted above, individual organizations do (and likely always will) have the right to demand higher levels of security for themselves. I would also suggest that the real challenge with FedRAMP lies not with GSA, but with DISA and FedRAMP+. That process is still very immature, despite the fact that DoD has more money available to spend on cloud than the rest of the government combined.
  5. Anonymous
    FedRAMP's job is accreditation, not teaching. Having to teach proper security to CSPs who don't come in with the knowledge of how to secure their systems to FISMA baselines slows FedRAMP down. The process is supposed to be challenging; a movement to whitewash this challenge makes no one a winner, especially agencies and missions who count on a proper vetting process. I see the same CSPs complaining about the process, the same ones that protest cloud awards on the basis that they couldn't understand how to respond to cloud services questions. Perhaps their time is better spent on investing in their people, systems, and processes than attending complaint rallies.
  6. Anonymous
    Attended the event, and it was clear there was a lot of concern about FedRAMP, and confusion on clarifications. Was great to have such a collaborative discussion about how to fix FedRAMP - just wish GSA was there to give their side.
  7. Anonymous
    It's painfully obvious that the current iteration of FedRAMP was authored and is being implemented to accommodate those with deep pockets, not the learning, laziness or poor execution espoused by supporters. It is complex by design to prohibit competition. The dynamic nature of the standard in general is driving up costs and this latest exercise supports that fact. FedRAMP needs to be simplified dramatically and leverage and/or build on other certifications. Due to its current complexity there is more misinformation than concrete paths to achievement, exactly what it was "supposedly" designed to avoid. Other authors are correct in that it isn't only FedRAMP, as there are a multitude of autonomous agency diversions pervasive in the context of Federal standards, particularly from those Federal entities which stand to benefit the most from the process, such as the IRS, SoS, etc. In failing to address the kludge of agency interpretation and deviations, FedRAMP is all but useless. It is important to note that this consideration is a step in the right direction; however, failure to address those agencies run amok seals its fate. Perhaps government isn't the answer here as the bullying implies. Since GSA was apparently absent, nothing will improve as the problems remain insulated and isolated in their own bureaucratic towers of self-interest.
  8. Anonymous
    Government Acq Professional here... comment at 1:17 fits my experience. The people writing the standards are often either a) ignorant of what is actually required to be "secure" and/or b) just doing what industry (industry to them is big defense IT contractors) tells them they should do. They seek input from "industry", and build their plans from that input. That input is almost always self-interested. Big defense IT isn't stupid. They've played this game for a long time. If they get 15-20% of their recommendations put in they'll be more able to maintain control of competition. The people that ALWAYS win are the people good at manipulating Government cogs, not the people good at building smart solutions. Further, it's ALWAYS a better decision for Government organizations (groups of individuals with jobs) to "cover all your bases" than it is to write lean, "risky" or "smart" regs. Just write 1000 pages and at least if something goes wrong and some system gets hacked you'll have some section to blame, not someone to fire. Round and round we go.
  9. Anonymous
    The 3PAOs are the culprit in my opinion. They grossly overcharge, drag their feet to charge more $$ per hour, deliver 2nd-rate documents that don't pass muster and have to be redone, and fail to assist companies through the process. I've done many assessments under FISMA. Yes, they are tedious and burdensome and too centered on documentation over real security. But two years and $4 million? GSA isn't charging that money, and although they could move faster on evaluating documents, the real delays lie in the assessments -- done by 3PAOs.
  10. Anonymous
    What would make this whole process much easier on the CSPs is if FedRAMP had some sort of advisory branch that CSPs could use to advise on the correct implementations. Right now, the PMO won't look at any package until it's completed; however, cloud providers are often guilty of misinterpreting the NIST guidance or have basic questions about whether a certain approach will meet FedRAMP requirements. As of now, CSPs can just send questions to the FedRAMP e-mail address, but the responders often state that it's the opinion of the 3PAO as to whether the control is compliant. This doesn't work for the CSPs - most want to go in with a solid offering, but they're working in the dark. And the PMO is ridiculously slow - they deserve a lot of blame for the amount of time this process takes. They hold both CSPs' AND 3PAOs' feet to the fire with respect to the schedule, kicking them back for the most minor schedule transgression, without thinking that it applies to them in the slightest. Security assessment plans, which should be the agreement between the CSP, the PMO, and the 3PAO on how testing should be conducted, are often the very last things to be approved - often after the testing is completed. The PMO is working to get more educational material out for CSPs, but in general, it's not enough. As a result, the PMO is slow as they work through reviewing the system security plans because they're delivering a lot of bad news to the CSPs - bad news that often takes time and money to fix. I would love to see them appoint a CSP-advisor type similar to the Federal advisor Ashley Mahan so CSPs can go in with cleaner offerings. And the PMO really needs to get its processes down better - the security assessment plan should be agreed on prior to the commencement of the testing.
  11. Anonymous
    Unfortunately, most CSPs do not take the time to put in the security controls correctly the first time. They don't follow the guidance. Many have never read the Guide to Understanding FedRAMP. Most of them want to try to short-cut the process by not putting in place the security controls, and not describing how they work correctly. Clearly FedRAMP is working or there would not be so many authorizations.