Fix FedRAMP or Congress Will, Connolly Tells GSA

A pile of fake money representing the $150,000 spent on the FedRAMP dashboard was presented as an example of agency spending waste. (Photo: MeriTalk)

Facing criticism over the awkward nature of the FedRAMP process and the use of $150,000 to create a FedRAMP dashboard that already exists in the private sector, the General Services Administration (GSA) was told on Tuesday that it needed to clean up the program or have Congress step in.

“If GSA can’t fix this, then Congress will. And the problem with that is that Congress is always a blunt instrument. We don’t do subtle,” said Rep. Gerry Connolly, D-Va., at the MeriTalk 2016 Cyber Security Brainstorm in Washington. “You’ll get legislation that is overly prescriptive.”

Featured in the center of the room, a pile of fake money representing the $150,000 spent on the FedRAMP dashboard was presented as an example of agency spending waste.

Connolly said that although going through the FedRAMP program was supposed to take six months and $250,000, it now takes two years or more and requires millions of dollars. He also noted that companies wishing to authorize their product through FedRAMP sometimes have to go through the FedRAMP process twice, once for general authorization and again for a specific agency.

“This process has now become an extra layer and burden for industry,” Connolly said. “[Congress] will absolutely insist that it be a one-step process, not a two-step. Either JAB [Joint Authorization Board] certifies and that’s good enough for everybody, or you go to a system where you’ve got to go to each individual agency, and I predict Congress will go for the former.”

“When we launched FedRAMP, every agency said, ‘we don’t want the department of FedRAMP, we don’t want everything to go through one centralized place, we still want some control over the IT that we manage, that we buy, and that we use,’ ” said Matt Goodrich, director of FedRAMP. “In the vision of FedRAMP from the beginning, we’ve always said the vast majority of authorizations should go through agencies, they should not be going to the Joint Authorization Board.”

Goodrich added that those products that were widely used across government agencies should be the ones going through the JAB, as it would be redundant for them to go through each individual agency for authorization.

Many in industry, however, still feel that the current FedRAMP authorization process is difficult to get through.

“I spoke at the MeriTalk conference on this subject in March,” Connolly said. “The only people in the room who thought things were going well were government folks involved in managing it. And I even did a poll, and every single private sector hand in the room, which was most of the hands in the room, was dissatisfied.”

Despite harsh criticism, representatives from GSA expressed how important it was to hear such commentary and to have the hard discussions about how to make the program better.

“I invite those comments. I invite this dialogue,” said David Shive, CIO at GSA. “Without this conversation we can’t get better.”

Jessie Bur is a Staff Reporter for MeriTalk covering Cybersecurity, FedRAMP, GSA, Congress, Treasury, DOJ, NIST and Cloud Computing.
Comments:

  1. Anonymous:
    DHS is a signature on the FedRAMP ATO for a CSP but they won't recognize the FedRAMP accreditation... maybe someone should talk to them as a "do once, accept many" instead of Goodrich being beat up by Steve.
  2. Anonymous:
    It is so easy to stack up piles of money and take pictures of it, however difficult to attain an accredited, 3PAO-audited, agency-approved FedRAMP ATO. These FedRAMP bashing articles are getting annoying, especially to those that know the program and its rigorous requirements. Possibly try to present positive solutions instead of trying to sway those new to FedRAMP into a negative trap?
  3. Anonymous:
    I, too, am getting tired of these FedRAMP bashing articles. The FedRAMP ATO process mirrors the FISMA ATO process described by the NIST Risk Management Framework. The primary difference is that the FedRAMP Moderate baseline requires about 60 additional 800-53 controls and enhancements.
  4. Anonymous:
    Yup, the complainers are mostly industry who don't want to meet the FedRAMP control requirements and have a "what we do is good enough" attitude. It ranges from the ones that circumvent FIPS 140-2 validated data-at-rest encrypted storage control requirements at the IaaS layer by making it a customer responsibility (aka customer problem) to ones that want Gov/Mil business but aren't willing to spend what it takes to get there. On the flip side, each agency wants to impose their rules/policies on a FedRAMP'd system but insist that a system already has to have a FedRAMP ATO -- as that car insurance advert says -- that's not how any of this works!
  5. Anonymous:
    Agree with these posts. As a company who has been through this process, I recommend moving the discussion forward with more focus on what the ROI is/has been with this investment. Stop picking on Matt, focus on the beneficiaries of this process, start with the CIOs. Is anyone asking them what the benefits/ROI are so we can capture the other side of the story?
  6. Anonymous:
    There's still SO much misinformation amongst agencies about FedRAMP; we have a dozen or so federal clients who refuse to give us an ATO, seemingly because they think that one agency authorization is the same thing as the JAB. I surmise that they really just don't want to take on any extra "responsibility" (read: work, as minimal as it is to review a POA&M and ask a few questions...) and don't want to formally accept residual risks in cloud products that they were utilizing swimmingly while ignoring any potential security issues. "Poking the bear," so to speak.
  7. Anonymous:
    Those of us familiar with the NIST 800-37 Risk Management Framework should view the FedRAMP process as a standard way of doing business. All you companies out there, quit whining and pony up the cash to make your systems compliant. Also remember this: MeriTalk is a parasite to the FedRAMP host.
  8. Anonymous:
    FedRAMP was brilliantly conceived back in 2011-2012 but seems to have lost its way. For the first two years, it received continuous praise. It's possible that a more seasoned management team might be needed. Unfortunately the current processes don't work well and are not manageable. I think with some process re-engineering the program can get back on track.