Fix FedRAMP – Tough Love?

We love FedRAMP. How could you not? It’s the smart gateway to secure cloud computing across the government. Without a clear, centralized, easy-to-understand cloud computing security model, cloud’s vaporware. Without cloud we can’t consolidate applications, embrace shared services, and modernize our IT. Without cloud, we’ll continue to waste 80 percent of our $80 billion annual IT spend on legacy systems.

We aren’t the only ones that love FedRAMP. Companies have spent hundreds of millions of dollars on the process. And, it’s out of that love that the folks that dig FedRAMP are hosting an intervention – confronting FedRAMP with its issues for its own good. That’s why the FedRAMP Fast Forward industry advisory group, in which MeriTalk participates, has worked with stakeholders across government to put together the Fix FedRAMP Report.

What’s Wrong?
Where to begin…? Three words — transparency, effectiveness, and accountability.

It costs too much, it takes too long. CSPs in the process don’t know their status and CSPs trying to get in, don’t know how. There’s mass confusion about the merits of the three paths to a FedRAMP ATO – JAB, agency, and self certification. CSPs are afraid to raise issues publicly for fear of reprisals from the PMO. The program’s unscalable – the PMO spends as much on continuous monitoring for the current approved CSPs as it does on managing all new applications in process. Further, agencies don’t trust FedRAMP ATOs granted by other agencies – defeating the whole point of FedRAMP. CSPs are simultaneously pursuing ATOs from multiple agencies for the same cloud offerings – which defeats the whole “do-once-use-many” premise.

The FedRAMP PMO sits under the GSA Associate Administrator’s office. GSA Associate Administrator for Office of Citizen Services and Innovative Technologies past and present agree there is a problem. Dave McClure played an active role in developing the Fix FedRAMP recommendations. Phaedra Chrousos is looking to cut the CSP approval duration to three months – three cheers for Phaedra.

Six-Point Plan
You should read the Fix FedRAMP report. We all remember the 25-point plan – this is just six points. If you’re pressed for time – skip to the pages that really matter, 3-8. Here’s a readahead on the recommendations:

  1.  Normalize JAB and Agency ATO Certification Processes: Break the JAB traffic jam
  2. Increase Transparency: How long does it take, how much does it cost, how many agencies are using FedRAMP products, and what’s the saving to government?
  3.  Harmonize Standards: Map FedRAMP to other industry standards — and give CSPs that have jumped through other hoops credit for that hoop jumping
  4. Reduce Cost of Continuous Monitoring: Allow CSPs to self certify and move continuous monitoring from the FedRAMP PMO to DHS
  5. Empower Infrastructure Upgrades: Set CSPs free to upgrade their offerings without falling out of compliance, focus on certifying IaaS — why shouldn’t PaaS and SaaS ride on these platforms?
  6. Establish Defense Department Crosswalk: Map DoD requirements to FedRAMP

Reaction
We briefed GSA and the FedRAMP PMO on the Fix FedRAMP paper three weeks ago. Seems FedRAMP is on the move – we love it! Here’s a link to GSA’s reaction. GSA needs to follow through on these words.

Show Me the Love

The Hill’s very interested in FedRAMP. Register to attend the Congressional Cloud Caucus Fix FedRAMP meeting on the Hill on March 3rd. We’ll hear from Hill leaders, OMB, agencies, and industry. And, most exciting, we understand GSA will roll out its FedRAMP 2.0 plan – that’s the overall operational plan to improve FedRAMP performance and outcomes.

Sometimes the only love that counts is tough love. It’s time to get clean and sober about change. See you on March 3rd on the Hill. How much do you love Fix FedRamp?