FedRAMP Not FedRAMP’d?

Word is that www.fedramp.gov–and even the new, shiny FedRAMP dashboard–are running in a cloud without a FedRAMP ATO. Now, that’s embarrassing. We hear that this is all part of a force play by Noah Kunin, director of delivery architecture and infrastructure services at 18F/TTS. But, it’s not just FedRAMP that’s naked and afraid–it’s usa.gov, digitalgov.gov, businessusa.gov, challenge.gov, performance.gov. Oh, and to make matters more interesting, presidentialtransition.usa.gov is also on the list. In fact, 70-plus government sites, central to the digital revolution that is 18F/TTS, have no FedRAMP ATO–and may all be shuttered immediately.

Huh? Good question. 18F/TTS just received $18 million in funding from the GSA FAS Acquisition Services Fund for the new cloud.gov on a cost-recovery basis–and Mr. Kunin needs to get some paying customers to keep the lights on. Conspiracy theorists might speculate one way to do this–force workloads off the existing Content Management Platform cloud onto cloud.gov by saying CMP’s not FedRAMP ATO’d. Where’s GSA CIO David Shive in this mess? Another question: Who approved the $18 million FAS investment in cloud.gov?

Here’s another little chuckle for agencies and vendors who’ve danced with the FedRAMP/18F monster. We understand that 18F/TTS is having issues getting its FedRAMP certification for cloud.gov. FedRAMP Accelerated was supposed to certify cloud.gov in November–but now that’s slipping to December. And, one month slip has a nasty habit of leading to another. Go sit on Father Goodrich’s knee and tell him what you want for Christmas. Open government, anyone?

  1. Anonymous
    What's the purpose of MeriTalk, to be an independent voice reviewing Federal IT, or another version of the National Enquirer? "Word is..." "We hear..." "Conspiracy theorists..." Cite your sources and inform the reader whether or not you asked those mentioned in the article for clarification. You can offer the public a valuable service or simply be a different version of a non-credible social networking site.
    1. Anonymous
      Criticism about anonymous sources...from an anonymous source? Sorry, couldn't resist, that was too easy.
  2. Anonymous
    Add USA Jobs and USA Staffing to the list of mission critical Federal sites / applications that are not FedRAMPed.
  3. Anonymous
    Why do sites with no PII or other sensitive government information need to be in a FedRAMP environment?
    1. Anonymous
      Because bad actors can use them to deploy various kinds of malware that can ultimately affect other sites and/or users.
    2. Anonymous
      BECAUSE data integrity matters. If the content on those sites is modified in a way that brings disrepute to the organization or government, or shatters the confidence of consumers because they can no longer trust the content on that site...then we'll have a problem. Security is not always about CONFIDENTIALITY. Data integrity and availability matter too.
  4. Anonymous
    Sometimes where there's smoke there's fire! Does it make sense to shut down or spend millions to migrate so many sites to an environment (cloud.gov) that is less secure than the Content Management Platform? What is the specific issue with the CMP? Is this a last ditch effort to make 18F reimbursable? There seems to be a lot missing from this post in terms of details on both sides to know for sure what's going on. It's definitely worth looking into!
  5. Anonymous
    Only bad actor I see is the clown masquerading as the FedRAMP PMO; he's just not credible in the role.
  6. Anonymous
    I blame Phaedra!
  7. Anonymous
    The TRUTH is they DO have ATOs and they are up for renewal. The GSA OCIO Office is refusing to sign the renewal ATOs because they say they don't seem to understand containerization, which is commonly used now and part of the Amazon hosting environment too. The refusal to sign them appears to be because they want to claim they have no ATOs - therefore force transition to Cloud.gov (which lacks an ATO). Shive being the head of both TTS and OCIO now has a conflict of interest and needs to stop this stupidity.
  8. Anonymous
    Has GSA come to this? Open internal warfare. This is what happens when the B team runs the show. GSA has only diminished its credibility since the clown conference. It's a shame.
    1. Anonymous
      "Has GSA come to this? Open internal warfare." "Warfare" would imply that either side has a plan or goals. I'd describe GSA's state as "entropy."
      1. Anonymous
        It seems as though Steve is just giving GSA folks a safe space to do online bullying with each other. No facts. Just name calling with Steve chiming in as bully #1.
        1. Anonymous
          Actually these are all facts which have been confirmed by multiple people across GSA. Whether this is an official news organization or not, they are sharing important information and have been the only ones brave enough to share it. Several people have gone to them with this information because they are tired of it being covered up. When the GSA communications team is asked about this, they threaten reporters that they won't get any more stories if they publish anything about this. When GSA leadership is asked about this, the employees asking are blacklisted. So who's bullying again?
      2. Anonymous
        MERITALK IS NOT A NEWS ORGANIZATION. This has become the latest version of an online bullying website. Conspiracy theories, sources not cited, only anonymous comments. It's all a big joke if you ask me.
  9. Anonymous
    The amount of money spent on the entire FedRAMP boondoggle could have probably cleared the national debt! I wish they would just get on with SOMETHING, ANYTHING, rather than killing us with this death of a thousand cuts.
  10. Anonymous
    I wouldn't say "It's all a big joke if you ask me." GSA has not refuted the allegation that FedRAMP's not FedRAMP'd or that its whole cloud infrastructure's in a huge mess. Well done MeriTalk for outing this nonsense; it's anything but funny.
  11. Anonymous
    Wow. Totally agree with Anonymous | Oct 4, 2016 at 11:02 am. The rest of the comments supporting the article are clearly other MT personnel. MT would leave us with absolutely no security if they could. Would suspect they are working for a foreign actor. Disgusting. -e
    1. Anonymous
      Wow. Senator McCarthy has managed to comment from the beyond. The post is clearly questioning why the agency in charge of administering FedRAMP to help ensure the security of government systems would not be using compliant systems themselves. Is this not a rational question? How you make the leap that the author or organization "would leave us with absolutely no security" is most perplexing. I'll yield the floor to the gentleman from Wisconsin.
  12. Anonymous
    Talk to the GSA CIO about that. Are there any secure and compliant environments at GSA? If so, why isn't at least FedRAMP in one? Let's get to the bottom of this with the facts. Who is accountable there, anyone? Has GSA even responded yet?
    1. Anonymous
      Had Shive listened to his team and not some arrogant 18F guy with no experience, they wouldn't be in this situation. Truth is there really isn't a major issue that would force shutdown of these sites. They all had an ATO that just expired and Noah convinced Shive not to sign the renewal. Why? is the real question. It's all fabricated to try to keep another failed 18F program alive. Taking money from other internal GSA programs to fund 18F is running dry and not making a dent in the ridiculous $20M+ in the red.
  13. Anonymous
    There goes 18F again breaking all the rules, living in their own world, wasting more money. Only a couple more months of this and they will for sure be gone with the next administration regardless of who it is. No one wants this mess. Let's all agree it's another big fail, show them the door and move on.
  14. Anonymous
    I'm not sure what this article means - the cloud hosting service should be FedRAMPed, not the site itself.
  15. Anonymous
    For clarity I believe the reference here is to the FedRAMP.gov program informational (WordPress) website - not any specific hosting environment that may be FedRAMP approved. For the question at Oct 8, 8:42 am ET, the answer is - FedRAMP approvals are on hosting environments, not necessarily the applications or websites running in those environments, which each carry their own security approvals (ATOs).
  16. Anonymous
    The article clearly states that it's talking about the fedramp.gov website, not the FedRAMP concept. The irony here is that the clowns marching around telling CSPs and agencies that they need to have certifications and ATOs to run their systems in the cloud do not have those things for the website that hosts information about the program run by the FedRAMP PMO. Take the time to read before commenting please.