Hunk of Burning Love or Hound Dog?

Elvis released “Hound Dog” on June 5, 1956. OMB picked the same date, 58 years later, for its FedRAMP deadline. Will it be a hunk or a howler?

The FedRAMP rockers – agencies, CSPs, and 3PAOs – who’ve invested millions in FedRAMP certifications, have Suspicious Minds. They’re All Shook Up over concerns that OMB’s not going to enforce the deadline – leaving agencies free to buy non-FedRAMP cloud solutions. And, those that bought the FedRAMP record, Crying in the Chapel.

Return to Sender?

MeriTalk chatted with OMB to understand EOP’s FedRAMP enforcement plans. According to OMB, “agencies have to be FedRAMP compliant, not CSPs.” OMB asserts that the deadline is designed to “put agencies on notice.” OMB acknowledged there needs to be more communication around what FedRAMP means.

A Little Less Conversation

Here’s the Q&A with OMB:

1. Can agencies still buy/specify non-FedRAMP compliant cloud services after the deadline?
   Yes. But agencies need to get their CSPs into the process. But that does not mean the full GSA and JAB process. Agencies can certify their own CSPs – see HHS’ experience.

2. Will not having a FedRAMP A&A and/or being in the pipeline effectively close the government market to CSPs?
   No.

3. Will agencies have to stop using non-FedRAMP-compliant solutions?
   No.

4. How will OMB determine what CSPs an agency is using if the business office is buying those services around the IT function? Folks can and do buy cloud services on a credit card.
   That’s a larger issue around oversight and CIO authorities.

5. Can you please specify how you will treat FedRAMP in your ongoing PortfolioStat sessions?
   We cannot. This is a government-only process.

6. What happens if agencies ignore the FedRAMP compliance deadline?
   OMB will work through normal oversight channels to identify an appropriate response.

7. How are you collaborating with DoD on cloud security certifications and this deadline?
   Ongoing dialogue with DoD stakeholders. We engage with DoD via the JAB.

8. How will you factor the new Rev4 FedRAMP standards into your management plans?
   You mean if an agency says we just did Rev 3 FedRAMP, do we have to do Rev 4? We do not have an answer for this question right now.

9. Other thoughts associated with the June 5th Deadline?
   FedRAMP is a process, not a thing.

Heartbreak Hotel?

So, it’s Viva Las Vegas – careful about betting the farm on FedRAMP. If certification’s not required, those who’ve invested will be pissed. Those who haven’t, won’t bother. A lot of companies in California will scrap plans for FedRAMP. It’s going to make it harder for Federal leads to get their companies to take certification seriously.

Couple of additional thoughts. What happens to non-compliant CSPs already installed, that are not interested in investing to go through the FedRAMP process? Will agencies need to kick them to the curb? Who owns the responsibility at DoD now that Teri Takai has left the building? Will David DeVries pick up the guitar?

It’s Now or Never

The time for cloud is now. We urge OMB to take a stronger stance – and send the right message to agencies and industry. To help, MeriTalk is launching a new Federal Cloud Watch on the FedRAMP OnRAMP site. We’re tracking government procurements to see which agencies spec FedRAMP-compliant CSPs – and if new procurements comply with Cloud First. More soon.

We’re not the only folks interested. We have heard that members of Congress are keenly interested in this issue as well. The Cloud Computing Caucus Advisory Group will take a closer look at FedRAMP at the next Hillversation on May 20th at the Rayburn Building – register here.

It’s time to TCCB – Take Care of Cloud Business. Thank you, thank you – thank you very much.

Steve O'Keeffe
About Steve O'Keeffe
Steve O'Keeffe is the founder of MeriTalk, the government IT network. MeriTalk is an online community that hosts professional networking, thought leadership, and focused events to drive the government IT dialogue. A 20-year veteran of the government IT community, O'Keeffe has worked in government and industry. In addition to MeriTalk, he founded Mobile Work Exchange, GovMark Council, and O’Keeffe & Company.