Reporter’s Notebook: Goodrich Pins CSPs’ FedRAMP Frustrations on Companies’ Sales Failures

I heard an interesting theory recently as to why so few agency cloud authorizations granted under the Federal Risk and Authorization Management Program (FedRAMP) are being shared between agencies: It’s not that agencies are refusing to share—one of the fundamental promises of the program—it’s that cloud service providers are failing to capture new business.

That was the conclusion reached by FedRAMP Director Matt Goodrich, speaking recently at the QTS Information Security and Compliance Forum in Washington, D.C. According to Goodrich, some agencies may very well have refused to share a FedRAMP authority to operate (ATO) granted to a CSP, but that’s only a small part of the story behind one of the major shortcomings of the FedRAMP program.

“I hear a lot of that from industry–that ATOs are not being reused from one agency to another. Then when pressed, what I hear is ‘oh, I didn’t capture business from that ATO,’ ” Goodrich said. “When pressed, I may ask what agency is not accepting your ATO for a service that they are using—I never get an answer. I always get … ‘we didn’t actually capture that business.’ ”

I had the opportunity to press Goodrich on the issue. He said what appears to be a lack of reciprocity is actually a situation where CSPs assumed that once they received an ATO it would translate into business across all the other agencies.

“You have to give me names and you have to give me CSPs,” Goodrich said. “I don’t know how you expect me to help or expect the government to help you if you can’t give us names. I’m not saying it’s not true, but the second I start to push for facts behind it or push for names, or push to have a conversation to help, I’m never given the names and I’m never given the people. So that’s why I default to the thinking that it’s not actually the reuse of the ATO as much as it is a loss of business capture.”

“So, I have yet to actually see an agency say I’m not accepting another agency’s ATO,” he said.

Launched in 2011, the goal of FedRAMP was to standardize the government’s approach to conducting security assessments, authorizations, and continuous monitoring for cloud services. But government agencies and CSPs have voiced concerns in recent years about the efficiency of the program, as well as the perceived lack of effectiveness and transparency. A major study released in January by the FedRAMP Fast Forward Industry Advocacy Group called for changes in many of these areas, including the sharing of agency ATOs.

“The real promise of FedRAMP—embodied in the ‘certify once, use many times’ framework—has been jeopardized by what has become a costly and time-consuming process that lacks transparency and accountability,” the paper states. “Agencies often refuse to accept other agency ATOs.”

  1. Anonymous
    So are you going to publish names and details or will you keep insinuating things that cannot be validated as true or not?
  2. Anonymous
    Dan. Did FedRAMP hurt your feelings along the way here or is this all you can muster working in your underwear from your home office?
  3. Anonymous
    Who are you talking about? If it is Matt, then can he start by citing your company as not capturing business?
  4. Dan Verton
    Oh Anonymous, you have so many different personalities. It's hard to keep up with you. I'm more than happy to have an adult conversation on-the-record about the public comments of government officials. At least Matt Goodrich has always had the courage to own his own commentary -- you will notice there are quotation marks in this story, detailing what he said (on-the-record) about one of the biggest criticisms his program has received from industry.
  5. Anonymous
    The only reason I can think of for an agency to refuse to share a FedRAMP ATO is because they don't have confidence in their decision and don't want other agencies to see their reasons for accepting risk and making the authorization. All FedRAMP ATOs are supposed to be reported to the FedRAMP PMO.
  6. Anonymous
    The reason why agencies won't accept ATOs is twofold. 1 - Agencies think they will bear the cost of ATOs for the whole industry. With no return. 2 - Agencies don't trust each other's authorization process. Same reason that DoD won't accept clearances from NSA, DHS, etc. How many "Public Trust" clearance packages have you filled out in your Cyber career?
