Fix FedRAMP – Tough Love?

We love FedRAMP. How could you not? It’s the smart gateway to secure cloud computing across the government. Without a clear, centralized, easy-to-understand cloud computing security model, cloud is vaporware. Without cloud we can’t consolidate applications, embrace shared services, and modernize our IT. Without cloud, we’ll continue to waste 80 percent of our $80 billion annual IT spend on legacy systems.

We aren’t the only ones that love FedRAMP. Companies have spent hundreds of millions of dollars on the process. And, it’s out of that love that the folks that dig FedRAMP are hosting an intervention – confronting FedRAMP with its issues for its own good. That’s why the FedRAMP Fast Forward industry advisory group, in which MeriTalk participates, has worked with stakeholders across government to put together the Fix FedRAMP Report.

What’s Wrong?
Where to begin…? Three words — transparency, effectiveness, and accountability.

It costs too much, and it takes too long. CSPs in the process don’t know their status, and CSPs trying to get in don’t know how. There’s mass confusion about the merits of the three paths to a FedRAMP ATO – JAB, agency, and self-certification. CSPs are afraid to raise issues publicly for fear of reprisals from the PMO. The program is unscalable – the PMO spends as much on continuous monitoring for the currently approved CSPs as it does on managing all new applications in process. Further, agencies don’t trust FedRAMP ATOs granted by other agencies – defeating the whole point of FedRAMP. CSPs are simultaneously pursuing ATOs from multiple agencies for the same cloud offerings – which defeats the whole “do-once-use-many” premise.

The FedRAMP PMO sits under the GSA Associate Administrator’s office. The past and present GSA Associate Administrators for the Office of Citizen Services and Innovative Technologies agree there is a problem. Dave McClure played an active role in developing the Fix FedRAMP recommendations. Phaedra Chrousos is looking to cut the CSP approval duration to three months – three cheers for Phaedra.

Six-Point Plan
You should read the Fix FedRAMP report. We all remember the 25-point plan – this is just six points. If you’re pressed for time, skip to the pages that really matter, 3-8. Here’s a read-ahead on the recommendations:

  1. Normalize JAB and Agency ATO Certification Processes: Break the JAB traffic jam
  2. Increase Transparency: How long does it take, how much does it cost, how many agencies are using FedRAMP products, and what’s the saving to government?
  3. Harmonize Standards: Map FedRAMP to other industry standards – and give CSPs that have jumped through other hoops credit for that hoop jumping
  4. Reduce Cost of Continuous Monitoring: Allow CSPs to self-certify and move continuous monitoring from the FedRAMP PMO to DHS
  5. Empower Infrastructure Upgrades: Set CSPs free to upgrade their offerings without falling out of compliance, and focus on certifying IaaS – why shouldn’t PaaS and SaaS ride on these platforms?
  6. Establish Defense Department Crosswalk: Map DoD requirements to FedRAMP

We briefed GSA and the FedRAMP PMO on the Fix FedRAMP paper three weeks ago. Seems FedRAMP is on the move – we love it! Here’s a link to GSA’s reaction. GSA needs to follow through on these words.

Show Me the Love

The Hill’s very interested in FedRAMP. Register to attend the Congressional Cloud Caucus Fix FedRAMP meeting on the Hill on March 3rd. We’ll hear from Hill leaders, OMB, agencies, and industry. And, most exciting, we understand GSA will roll out its FedRAMP 2.0 plan – that’s the overall operational plan to improve FedRAMP performance and outcomes.

Sometimes the only love that counts is tough love. It’s time to get clean and sober about change. See you on March 3rd on the Hill. How much do you love Fix FedRAMP?

  1. Anonymous
    The problem with govies is that they are always afraid to comment on issues due to the politics involved and the fact that most are terrified of finding another job due to their lack of skills. I have personally commented on these issues several years back directly to Matt Goodrich, who responded by saying that govies demand multiple paths to ATO. Based on my experience the JAB process is the most severe and the right path based on independent assessments. Agency certifications are almost always influenced politically or through a perceived influence given the last of IT knowledge and specifically IT Security at Agency senior management positions. If one simply looks at the job requirements for Federal CSOs/CISOs/CIOs you will find very little in regards to Computer Science. To make this point a lot simpler for everyone to understand, ask yourself the following question: how many of the Federal C-Level folks today can troubleshoot/fix their laptop (O/S/Application) issue on their own? Given all of the Federal Agencies/Organizations, is there one C-Level person as competent technically as Bill Gates?
  2. Anonymous
    While you could be right about the "last of IT knowledge", I think you meant "lack of". And what are the possibilities that someone with the appropriate degree might land in a senior position?
  3. Anonymous
    I think the real issue with FedRAMP is making sure the process is transparent. I think you’re hitting the mark on your Fix FedRAMP report, let’s hope GSA plans to follow through with the recommendations. I’m looking forward to the event on the Hill.
  4. Anonymous
    From the GSA FedRAMP certified page: "The Datapipe Government Solutions Federal Community Cloud Platform (FCCP) provides a unique approach to security that allows federal agencies to have more control and flexibility to meet their unique security needs. This platform is one of the first P-ATOs issued to a PaaS cloud service provider covering management through the virtual operating system." The IMPACT shows Moderate, which I'm assuming is FISMA Moderate, not high. So the statement above can only relate to FISMA moderate, not high. Without that specific statement the import is just a trifle ambiguous, that is, it's open to misinterpretation.
  5. Anonymous
    If agencies still don't trust the FedRAMP process, all this time and money spent has no real benefit. GSA needs to take real action to implement the recommendations and change the process, or risk having another failed initiative...and more and more waste.
  6. Anonymous
    Glad to hear GSA is recognizing that change needs to be made, and making an effort to do so. Looking forward to seeing how this pans out -- let's hope the necessary changes are made.
  7. Anonymous
    Credit for equivalent testing in rigor and independence is acceptable; self-assessment for continuous monitoring is a conflict of interest. The CSP must be ready to come to the table with transparency if they demand it from GSA. Agencies need to be educated as to how they leverage the ATOs available. I've seen agency ATOs leveraged to authorize in as little as two weeks! I've also seen agencies ATO a cloud provider that didn't even use the FedRAMP templates! GSA has every right to slap them for doing such! GSA is doing a great job; we know this because the industry is saying "this is hard"... that's what we want, that means they are being forced to mature from their old models that left us all vulnerable in the past!
  8. Anonymous
    The Fix FedRAMP paper is to be commended for having the courage to point out that the FedRAMP emperor is naked. Delighted to see new blood at GSA admitting that there's a problem and taking steps to change the game. We need FedRAMP, but not if it's the FedRAMP we've seen so far. We're all excited to hear about FedRAMP 2.0 on March 3.
  9. Anonymous
    Hmm, that is really very nice of you, thanks a lot for this!