FedRAMP at risk of being ramp to nowhere
- By Stan Soloway
- Dec 10, 2015
FedRAMP might be one of the government’s most important information technology initiatives. Designed to provide a clear and disciplined path for companies to gain government approval of their cloud and software security controls, FedRAMP is, as its name suggests, the critical gateway for companies providing such goods and services.
And, on many levels, it has proven effective. But questions are beginning to pile up. And among them is whether FedRAMP is destined to become a ramp to nowhere.
Two primary problems plague FedRAMP: the length of time it takes to get certified and the lack of reciprocity in the system.
Sound familiar? It should. These are the very same issues that have dogged the personnel security clearance system for many years. Yet we still haven’t learned the requisite lessons.
The queue for Joint Authorization Board (JAB) approvals is too long and appears to be getting longer. Companies are now routinely waiting eighteen to twenty months to get through the process. This is not how it was planned.
The JAB was designed to be the inter-agency body that authorizes providers and solutions with multi-agency applications. For all others, there is the Authority to Operate (ATO) approval process within each individual agency.
Instead, it appears that when an ATO applicant is not currently providing cloud-related services to a given agency (even though it intends to bid on such requirements), the agency redirects it to the JAB. That shift is overloading the JAB.
Then there is the issue of reciprocity.
We routinely find companies with an ATO from one agency that is not accepted by another, or companies with JAB approval that are still required to obtain a separate ATO from the agency for which they are proposing to do work.
Remember the DISA announcement earlier this year that it had issued preliminary approval to 23 solutions? What far too few noticed was that each of those solutions, all of which required only the lowest levels of security, still had to get an ATO from a component of the Defense Department before it could proceed, even though all 23 already had either JAB approval or an ATO from another agency!
And there is more.
Little has been done to clarify whether companies should be required to have their FedRAMP certification before they can even bid on work that would require it. Some argue that companies that have made the upfront investment in pre-approvals deserve some advantage over those that have not.
But that is very shortsighted. The process is so long and can require so many redundant actions (not to mention costs) that requiring advance approval unfairly biases competition in favor of a small community of providers.
As one example, part of the FedRAMP process involves network penetration testing, the results of which are only good for six months. But if delays stretch the broader FedRAMP approval process too long (as is routinely happening today), the company has to go back and do the testing again…and maybe even again. At its own cost.
GSA leaders have been clear that they do not believe FedRAMP approval should be a condition for bidding. But nothing has been done to make that the rule of the road, leaving scores of providers waiting in line.
Ironically, some of those who got the earliest FedRAMP approvals now face the prospect of having to be re-certified, as their offerings have matured and expanded. They too could face the same barriers and potential disruptions.
It is convenient to simply criticize the FedRAMP program office for failing to keep the trains running smoothly. But that wouldn’t be fair.
As with security clearances, the responsibility (and blame) lies with many entities and is the result of many factors. That’s why getting the most senior government leadership far more engaged, and soon, is so vital.
Only the very top leadership in government has the ability and authority to iron out some of the inconsistencies, find ways to reduce process times, and get FedRAMP back on track toward what it was meant to be: an entry point, not a sticking point.
Absent sustained leadership attention and action, the government’s ability to rapidly access and field new capabilities will be further compromised. And FedRAMP itself could become a ramp to nowhere.