Reacting to a battery of recent MeriTalk articles on GSA 18F and FedRAMP, voices inside and outside GSA have called for MeriTalk to name our source. Well, this time, we’re completely transparent–it’s Matt Goodrich. Just last week, the FedRAMP PMO issued a message to FedRAMP JAB-certified CSPs. The FedRAMP PMO tells CSPs that have invested millions to attain a JAB certification that they need to demonstrate that they have at least six unique agency customers–or they’ll get kicked out of the JAB certification and need to pursue an agency sponsor.
FedRAMP Eats Its Own Children
CSPs are incensed by what they see as the FedRAMP PMO moving the goalposts. And, interestingly, the FedRAMP PMO states that it may change the minimum threshold–so that CSPs may need more than six agency customers to maintain their JAB certification. Peculiar timing for this assertive move from the embattled PMO. GAO just announced that it’s auditing the FedRAMP process–and Congressman Gerry Connolly is convening government and industry to frame new legislation to corral the wayward “do-once-use-many” cloud cybersecurity certification program. By requiring CSPs to demonstrate their governmentwide installation, the FedRAMP PMO will likely turn its biggest allies into its biggest adversaries. CSPs are incensed by the prospect of their massive investments going up in smoke.
What If CSPs Say No?
What if CSPs refuse to provide the PMO with information on where they’re installed? Few have agreed to provide this information to date. It’s widely known that CSPs don’t want to provide their customer lists for fear of tipping their hand to competitors. It’ll be interesting to see how GSA goes about enforcing the reporting requirement–not to mention the eviction process. Time to lawyer up?
Congressman Will Hurd triumphed in Texas–that’s a huge win for the tech community. That said, it’s unlikely we’ll see any movement on MGT until the new session–why would Republicans not wait to negotiate with themselves? At the same time, we’ll likely see 18Fers jump ship fearing Trump. That could spell a whole new chapter for FedRAMP, cloud, and government procurement reform. Industry and government got together to provide recommendations to fix the program. GSA refused to acknowledge this effort. Mr. Goodrich’s email to CSPs has surely changed the tone and urgency of the debate.