GSA Opts Out of FedRAMP


The Fix FedRAMP paper released a few weeks back by the FedRAMP Fast Forward Industry Advocacy Group has given a cohesive voice to widespread concerns about the cloak-and-dagger secrecy and the inefficiencies of the FedRAMP process. We briefed the GSA FedRAMP PMO, the entity at the center of the debacle, on the paper before making it public. Disappointingly, but consistent with its petulant habit of blaming industry for the program's shortcomings and dismal track record, GSA refused to comment on the paper.

Dumping gasoline on the fire, late last week GSA pulled out of the March 3rd Cloud Computing Caucus meeting focused on FedRAMP's shortcomings. That meeting was built to give GSA a platform to answer the issues raised in the Fix FedRAMP paper and, pointedly, to roll out its long-overdue FedRAMP 2.0.

The opportunity to transform the outcomes of failing Federal IT rests on cloud. Sens. Tom Udall, D-N.M., and Jerry Moran, R-Kan., call out reforming FedRAMP in their Cloud Infrastructure Transition Act. If FedRAMP's a flop, let's just call the time of death. Uncle Sam can't afford for GSA to opt out of FedRAMP. Congressmen Gerry Connolly, D-Va., and Ted Lieu, D-Calif., will open the session on March 3rd. It's going to be a hot time on the Hill.

Steve O'Keeffe
About Steve O'Keeffe
Steve O'Keeffe is the founder of MeriTalk, the government IT network. MeriTalk is an online community that hosts professional networking, thought leadership, and focused events to drive the government IT dialogue. A 20-year veteran of the government IT community, O'Keeffe has worked in government and industry. In addition to MeriTalk, he founded Mobile Work Exchange, GovMark Council, and O’Keeffe & Company.
21 Comments
  1. Anonymous
    Wow, horribly disingenuous title. GSA has made its share of mistakes with the program, but does your title inflame things more or less than they were yesterday?
  2. Anonymous
    Sounds like a couple of CSPs got their FedRAMP ATOs in the last couple of weeks, which is great news. Understand that it took some of them more than two years.
  3. Anonymous
    Poke the bear, baby. Seems everybody else is afraid to say the emperor's naked.
  4. Anonymous
    Yeah, this title is ridiculous. Having dealt with government security/compliance for a while, FedRAMP is probably the best idea in a long time, even if it's far, far from perfect.
  5. Anonymous
    The title is clickbait, pure and simple. Also, the FedRAMP logo you used is over a year out of date at this point.
  6. Anonymous
    GSA is opting out of your event, not FedRAMP. This is just Mr. O'Keefe trying to be relevant but sounding like a petulant child.
  7. Anonymous
    I saw the headline and thought I must have missed a breaking news story. No, it's just a deliberately inaccurate click-bait title, promoting MeriTalk's FedRAMP event. But it worked. (Hangs head in shame, goes to room for a time-out.)
  8. Anonymous
    Does the author even follow government cloud efforts or understand the authorization process? This article neither informs nor helps the process. FedRAMP works to get industry and government to approve once and re-use many. Great idea, I say.
  9. Anonymous
    Having problems getting people to your event, Steve?
  10. Anonymous
    Speaking of shortcomings... this article falls way short of being informative. Gasoline, anyone?
  11. Dan Verton
    Having sat through the candid discussions that took place during the working sessions of the FedRAMP Fast Forward Industry group meetings, it is no surprise that this paper and this poor decision by GSA not to engage the CSPs who feel the program is failing are getting so much attention. I only wish the anonymous government officials and media competitors would put their names to their opinions so we can have a real discussion.
  12. Anonymous
    No matter where you fall on this discussion, I think everyone can agree that it would be good to have a public discussion with GSA playing an active role in the dialogue. Running away from the conversation makes it seem like you have something to hide or nothing to say.
  13. Anonymous
    I'm looking forward to the event and the discussion on how to improve FedRAMP. It would have been an interesting opportunity to hear more about GSA's FedRAMP 2.0 plan.
  14. Anonymous
    Thinking some of the anonymous authors may not have read the paper, or even the blog. Neither indicates FedRAMP is a bad idea. Quite the opposite. From the paper: "FedRAMP needs to succeed if the government is to realize the myriad benefits of cloud computing. We're all heavily invested in the program's future." What it says is that there are challenges: "However, the real promise of FedRAMP — embodied in the 'certify once, use many times' framework — has been jeopardized by what has become a costly and time-consuming process that lacks transparency and accountability." Read the report: https://www.meritalk.com/study/fix-fedramp/.
  15. Anonymous
    If anyone wants a better idea of what GSA is doing, here's a REAL look: http://federalnewsradio.com/technology/2016/02/jab-redesign-bring-faster-approval-better-alignment-resources/
  16. Anonymous
    Looking at these comments, it looks like a pillow fight to me. I would echo some of the sentiments above: people need to read the Fix FedRAMP report. I plan to attend the March 3 meeting and wish GSA would show up and explain the new process. I just read Matt's article above and it's long on promises and very short on real details. Everybody wants to know what concrete steps GSA's going to take to improve the process and to get agencies to play better together. I would say drawing on the recommendations from the industry paper would be a good start.
  17. Anonymous
    The good things about FedRAMP are that the CSPs are tested by qualified 3PAOs against a consistent set of security standards. There are some issues that can be overcome: packages with embedded document references to files not included; ATOs of specific government implementations of little value to others; packages not up to date; packages with adjustments to finding ratings not explained; POA&Ms which are not POA&Ms but Nessus scans; etc. However, these can be overcome with some Q&A and are typically corrected when asked. So, all in all, a good base program that is still young, but growing in the right direction. :-)
  18. Anonymous
    How could the FedRAMP PMO ever live with itself if it allowed a package to get through where every Nessus vulnerability was not called out as its own line item on the POA&M? Shudder at the thought of grouping things sensibly. I too would like to hear what GSA has to say, particularly to the question "how do you run a program overseeing cloud authorizations when you don't understand the cloud or authorizations?" I mean, they're great at chiding CSPs and 3PAOs for column widths, but that's not really what CSPs, the government, or our taxpayers need.
  19. Anonymous
    The messenger is just such a toxic bomb thrower that nothing will be corrected with him chairing these discussions. He fills his pockets by making more controversy.
  20. Anonymous
    MeriTalk is a cancerous parasite looking for any angle to be relevant. Just go away already.
  21. Anonymous
    Looks like the FedRAMP PMO is in crisis mode.