New Survey Reveals Feds Are Frustrated With FedRAMP Cloud Authorization Process


Less than three months after a wave of negative feedback from industry forced the General Services Administration to revamp the Federal Risk and Authorization Management Program, a new MeriTalk survey shows for the first time that many government IT officials doubt the value of the program in its current form.

According to the survey of 150 Federal IT decision-makers, four out of five officials (79 percent) are frustrated with FedRAMP, characterizing the process as “a compliance exercise.” In fact, some officials ignore the program entirely even though it is mandatory for Federal agency cloud deployments and service models at the low and moderate risk impact levels. Nearly one in five officials surveyed (17 percent) report FedRAMP compliance does not factor into their cloud decisions, while 59 percent would consider a non-FedRAMP-compliant cloud.

The report also found that government IT decision-makers share industry’s frustration with the lack of transparency into the FedRAMP process and feel unsatisfied with its efforts to increase security. More than half of Federal officials (55 percent)–and 65 percent of defense agencies–do not believe FedRAMP has increased security.

FedRAMP Director Matt Goodrich has blamed lack of ATO sharing on industry's failure to capture business. But a new MeriTalk survey shows agencies are not sharing.

Industry has been highly critical of the lack of sharing between agencies of their cloud service provider authorizations, known as authority to operate (ATO). Earlier this month, FedRAMP Director Matt Goodrich took issue with this criticism, arguing that the perceived lack of sharing of ATOs is actually the inability of CSPs to capture new business.

But the latest survey tells a different story. Forty-one percent of Federal IT officials report not using another agency’s FedRAMP ATO. Thirty-five percent of those agencies with an ATO said they have not allowed others to use it. And 26 percent have been denied another agency’s ATO.

Launched in 2011, the goal of FedRAMP was to standardize the government’s approach to conducting security assessments, authorizations, and continuous monitoring for cloud services. But government agencies and CSPs have voiced concerns in recent years about the efficiency of the program, as well as the perceived lack of effectiveness and transparency. A major study released in January by the FedRAMP Fast Forward Industry Advocacy Group called for changes in many of these areas, including the sharing of agency ATOs.

In response to that avalanche of criticism, GSA launched a major restructuring of FedRAMP in March. Known as FedRAMP Accelerated, the effort is designed to streamline the process for CSPs and enable them to achieve a provisional ATO within three to six months.

Despite those changes, 41 percent of government officials remain unfamiliar with GSA’s plans.

When it comes to improving FedRAMP, 47 percent recommend establishing an ATO clearinghouse where agencies have access to–and are required to accept–all ATOs. Some (27 percent) also recommend changing leadership at the GSA Program Management Office (PMO)–civilian agencies are more likely to suggest this change, with 37 percent recommending a change in leadership.

Dan Verton
About Dan Verton
MeriTalk Executive Editor Dan Verton is a veteran journalist and winner of the First Place Jesse H. Neal National Business Journalism Award for Best News Reporting -- the highest award in the nation for business/trade journalism. Dan earned a Master's Degree in Journalism and Public Affairs from American University in Washington, D.C., and has spent the last 20 years in the nation's capital reporting on government, enterprise technology, policy and national cybersecurity. He’s also a former intelligence officer in the United States Marine Corps, has authored three books on cybersecurity, and has testified on critical infrastructure protection before both House and Senate committees.
6 Comments
  1. Anonymous | - Reply
    zzzzzzzzzzz This again Who ran the survey? I guess it's polling time and any survey will do
  2. Anonymous | - Reply
    Where did you find these "officials" ??? If 41% are unaware of what GSA's plans are they aren't even reading your blog. Seems like a stretch to call them "Federal IT decision makers" and to call this post "news"
    1. Anonymous | - Reply
      Since when did lack of pertinent information awareness ever preclude someone from being a decision maker? I have run across plenty both in and out of government.
  3. Anonymous | - Reply
    This should definitely be a flag to the FedRAMP team that changes need to be made if government officials are doubting its value
  4. Anonymous | - Reply
    I don't think that getting rid of the CSP Supplied path was a good idea. That decision is going to add to delays.
  5. Anonymous | - Reply
    It will never be possible to obtain a Provisional ATO in 3 months. Anyone who thinks this is possible does not really understand FISMA or the risk management framework.
