A “fireside chat” brought the heat to Capitol Hill on Thursday.
Members of the Cloud Computing Caucus delivered a scathing review of the FedRAMP certification process, but also strong words of advice, to a roomful of Federal workers and private contractors at the Fix FedRAMP forum.
FedRAMP Fast Forward Industry Advisory Group chair Steve O’Keeffe led a panel discussion in the Rayburn House Office Building on Capitol Hill, along with Reps. Gerry Connolly, D-Va., and Ted Lieu, D-Calif., both co-chairs of the Cloud Computing Caucus.
The original goal of FedRAMP was to eliminate the barriers for cloud service provider (CSP) vendors to work at Federal agencies. Yet, more than five years in, many vendors are wondering if FedRAMP has created more obstacles than it has knocked down.
“This room would not be filled if there weren’t problems with FedRAMP,” Connolly said, to the packed room.
The slog that has become the FedRAMP certification process has caused frustration and uncertainty among many of the cloud service providers and policy makers.
In anticipation of this discussion, Lieu contacted the General Services Administration, the agency that oversees the FedRAMP process, to ask a simple question: “Why is it (FedRAMP) so effed up?”
Lieu said he deemed a successful FedRAMP process as one in which CSP vendors: receive decisions about certification in a reasonable amount of time, have knowledge of how far an application has moved along in the process, and understand what’s coming next.
He said GSA did not give concrete answers to the problem but said they wanted to make the process more transparent.
Connolly agreed. He also encouraged the private and public sectors to collaborate and share information to help develop better FedRAMP best practices.
FedRAMP launched in 2011 with the goal to streamline the certification process for CSP vendors looking to provide Federal agencies cloud computing services. FedRAMP’s once stated goal was to standardize the process of certifying contractors.
“The real promise of FedRAMP—embodied in the ‘certify once, use many times’ framework—has been jeopardized by what has become a costly and time-consuming process that lacks transparency and accountability,” according to a position paper drafted by the FedRAMP Fast Forward Industry Advocacy Group in 2015.
According to the MeriTalk website: “The position paper is the result of seven months of collaboration between members of the FedRAMP Fast Forward industry group, including cloud service providers (CSPs), third-party assessment organizations (3PAOs), Federal agencies, and officials from Capitol Hill.”
Yet, FedRAMP confusion continues to hamper the certification process. In 2013, estimates put the FedRAMP Authority to Operate (ATO) process, beginning to end, at about nine months with a cost of $250,000 per vendor. In 2015, the position paper pegged the time for certification at two years and between $4 million to $5 million per vendor.
“It’s not easy, it is complicated, it costs too much, and it takes too much time,” Connolly said.
Some CSP vendors in the audience expressed concerns over retaliation from the GSA and the FedRAMP Program Management Office. Many want to complain to Federal officials about the slow FedRAMP process. Yet, oftentimes vendors said if they do complain, the FedRAMP PMO may retaliate by denying their FedRAMP bid. According to O’Keeffe, some CSPs have already reported veiled threats to their Federal cloud business if they supported the recommendations of the Fix FedRAMP position paper.
“Reprisal is not to be tolerated,” Connolly said. He encouraged vendors to present any complaints or concerns to him or members of the Cloud Computing Caucus.
“We can be an advocate on your behalf,” Connolly said. “We can use both informal or formal ways of doing it.”
Before leaving, Lieu gave a glimmer of hope that the FedRAMP process would be fixed.
“Let’s make IT great again,” Lieu said.