MeriTalk Names GSA Source

Reacting to a battery of recent MeriTalk articles on GSA 18F and FedRAMP, voices inside and outside GSA have called for MeriTalk to name our source.  Well, this time, we’re completely transparent–it’s Matt Goodrich. Just last week, the FedRAMP PMO issued a message to FedRAMP JAB-certified CSPs.  The FedRAMP PMO tells CSPs that have invested millions to attain a JAB certification that they need to demonstrate that they have at least six unique agency customers–or they’ll get kicked out of the JAB certification and need to pursue an agency sponsor.


FedRAMP Eats Its Own Children

CSPs are incensed by what they see as the FedRAMP PMO moving the goal posts. And, interestingly, the FedRAMP PMO states that it may change the minimum threshold–so that CSPs may need more than six agency customers to maintain their JAB certification. Peculiar timing for this assertive move from the embattled PMO. GAO just announced that it’s auditing the FedRAMP process–and Congressman Gerry Connolly’s convening government and industry to frame new legislation to corral the wayward “do-once-use-many” cloud cybersecurity certification program. By requiring CSPs to demonstrate their governmentwide installation, the FedRAMP PMO will likely turn its biggest allies into its biggest adversaries. CSPs are incensed by the prospect of their massive investments going up in smoke.


What If CSPs Say No?

What if CSPs refuse to provide the PMO with information on where they’re installed? Few have agreed to provide this information to date. It’s widely known that CSPs don’t want to provide their customer lists for fear of tipping their hands to the competitors. It’ll be interesting to see how GSA goes about enforcing the reporting requirement–not to mention the eviction process. Time to lawyer up?


Quack, Quack

Congressman Will Hurd triumphed in Texas–that’s a huge win for the tech community. That said, it’s unlikely we’ll see any movement on MGT until the new session–why would Republicans not wait to negotiate with themselves? At the same time, we’ll likely see 18Fers jump ship fearing Trump. That could spell a whole new chapter for FedRAMP, cloud, and government procurement reform. Industry and government got together to provide recommendations to fix the program. GSA refused to acknowledge this effort. Mr. Goodrich’s email to CSPs has surely changed the tone and urgency of the debate.

  1. Anonymous
    Let them jump ship. MeriTalk for presenting information that penetrates through the GSA spin. Spreading sunlight into the situation hopefully will enable a rational and informed discussion about how, or if, 18F should continue.
  2. Anonymous
    My understanding is that the JAB exists to authorize clouds with the most government-wide use by agencies. This seems like an attempt to make sure they're investing in the right clouds? And if they don't have the six customers, they can still get an agency authorization. I'm not the biggest GSA fan, but why would you gaslight them by recommending that companies sue them instead of just talking to the PMO like it says in Matt's email? So, I'm confused - what's the story here?
  3. Anonymous
    And, are you saying that Matt Goodrich is responsible for the quotes on 18F and FedRAMP that you attribute to 'a source inside GSA'? The stories you link to contain no quotes. So, what is Goodrich the source for? To be honest, the article feels more like it's designed to confuse and mislead than inform. Can you clarify please Steve?
  4. Anonymous
    Seems GSA's moving the goalposts on FedRAMP and that CSPs may be out millions. The program office should have been honest about how the program would work before they allowed CSPs to invest in the program.
  5. Anonymous
    Re 11/11@9:27 AM, I agree, in spades. It seems to me that the headline implies that Mr. Goodrich is MeriTalk's "mole" in GSA in what appears to be a crusade to undermine 18F and FedRAMP, when in fact Goodrich is merely quoted as the source of a new public policy on CSPs. "Designed to confuse and mislead" -- yes, that seems to be the intent. I'm disappointed in MeriTalk's negative and increasingly partisan undermining of two initiatives I believe to be some of the best in Government IT, and this latest example makes me less likely to believe any similar postings in future. I no longer think MeriTalk is dealing with GSA programs honestly and in good faith.
  6. Anonymous
    Let’s not lose sight of the story. It’s pretty simple and it's not Steve O'Keeffe's headline choice. It’s about GSA not dealing with the CSPs in good faith. This is the story, and there is no question of the source or if true: “The FedRAMP PMO tells CSPs that have invested millions to attain a JAB certification that they need to demonstrate that they have at least six unique agency customers–or they’ll get kicked out of the JAB certification and need to pursue an agency sponsor.” No one thinks FedRAMP is a bad idea. That’s why we see all the debate here. It’s a good idea that’s taking misguided steps. What’s the recourse for CSPs who have spent millions on JAB certifications and were just told, sorry – we’re adding a requirement so you no longer qualify?
  7. Anonymous
    Riiight. The founder of MeriTalk gets no voice in the headline for an article he authored. ;-)
  8. Anonymous
    Hey CSP thanks for spending millions on achieving a FedRAMP JAB P-ATO - Now f#ck you!
  9. Anonymous
    The idiot responsible for the CSP was given a promotion to CTO. He in turn brought in a bunch of other incompetent people to run programs for him. He keeps rotating them every 6 months and just makes it worse. Three years and they are still working on "taxonomy." At least the CSP will be dead soon now that IAE has cleaned house.
