Reporter’s Notebook: Goodrich Pins CSPs’ FedRAMP Frustrations on Companies’ Sales Failures


I heard an interesting theory recently as to why so few agency cloud authorizations granted under the Federal Risk and Authorization Management Program (FedRAMP) are being shared between agencies: It’s not that agencies are refusing to share—one of the fundamental promises of the program—it’s that cloud service providers (CSPs) are failing to capture new business.

That was the conclusion reached by FedRAMP Director Matt Goodrich, speaking recently at the QTS Information Security and Compliance Forum in Washington, D.C. According to Goodrich, some agencies may very well have refused to share a FedRAMP authority to operate (ATO) granted to a CSP, but that’s only a small part of the story behind one of the major shortcomings of the FedRAMP program.

“I hear a lot of that from industry–that ATOs are not being reused from one agency to another. Then when pressed, what I hear is ‘oh, I didn’t capture business from that ATO,’ ” Goodrich said. “When pressed, I may ask what agency is not accepting your ATO for a service that they are using—I never get an answer. I always get … ‘we didn’t actually capture that business.’ ”

I had the opportunity to press Goodrich on the issue. He said what appears to be a lack of reciprocity is actually a situation where CSPs assumed that once they received an ATO it would translate into business across all the other agencies.

“You have to give me names and you have to give me CSPs,” Goodrich said. “I don’t know how you expect me to help or expect the government to help you if you can’t give us names. I’m not saying it’s not true, but the second I start to push for facts behind it or push for names, or push to have a conversation to help, I’m never given the names and I’m never given the people. So that’s why I default to the thinking that it’s not actually the reuse of the ATO as much as it is a loss of business capture.”

“So, I have yet to actually see an agency say I’m not accepting another agency’s ATO,” he said.

Launched in 2011, FedRAMP was intended to standardize the government’s approach to conducting security assessments, authorizations, and continuous monitoring for cloud services. But government agencies and CSPs have voiced concerns in recent years about the efficiency of the program, as well as its perceived lack of effectiveness and transparency. A major study released in January by the FedRAMP Fast Forward Industry Advocacy Group called for changes in many of these areas, including the sharing of agency ATOs.

“The real promise of FedRAMP—embodied in the ‘certify once, use many times’ framework—has been jeopardized by what has become a costly and time-consuming process that lacks transparency and accountability,” the paper states. “Agencies often refuse to accept other agency ATOs.”

About Dan Verton
MeriTalk Executive Editor Dan Verton is a veteran journalist and winner of the First Place Jesse H. Neal National Business Journalism Award for Best News Reporting -- the highest award in the nation for business/trade journalism. Dan earned a Master's Degree in Journalism and Public Affairs from American University in Washington, D.C., and has spent the last 20 years in the nation's capital reporting on government, enterprise technology, policy and national cybersecurity. He’s also a former intelligence officer in the United States Marine Corps, has authored three books on cybersecurity, and has testified on critical infrastructure protection before both House and Senate committees.
5 Comments
  1. Anonymous
     So are you going to publish names and details or will you keep insinuating things that cannot be validated as true or not?
  2. Anonymous
     Dan. Did FedRAMP hurt your feelings along the way here or is this all you can muster working in your underwear from your home office?
  3. Anonymous
     Who are you talking about? If it is Matt, then can he start by citing your company as not capturing business?
  4. Dan Verton
     Oh Anonymous, you have so many different personalities. It's hard to keep up with you. I'm more than happy to have an adult conversation on-the-record about the public comments of government officials. At least Matt Goodrich has always had the courage to own his own commentary -- you will notice there are quotation marks in this story, detailing what he said (on-the-record) about one of the biggest criticisms his program has received from industry.
  5. Anonymous
     The only reason I can think of for an agency to refuse to share a FedRAMP ATO is because they don't have confidence in their decision and don't want other agencies to see their reasons for accepting risk and making the authorization. All FedRAMP ATOs are supposed to be reported to the FedRAMP PMO.