Stan Soloway


FedRAMP at risk of being ramp to nowhere

FedRAMP might be one of the government’s most important information technology initiatives. Designed to provide a clear and disciplined path for companies to gain government approval of their cloud and software security protocols, FedRAMP is, as its name suggests, the critical gateway for companies providing such goods and services.

And, on many levels, it has proven effective. But questions are beginning to pile up. And among them is whether FedRAMP is destined to become a ramp to nowhere.

Two primary problems plague FedRAMP: the length of time it takes to get certified and the lack of reciprocity in the system.

Sound familiar? It should. These are the very same issues that have dogged the personnel security clearance system for many years. Yet we still haven’t learned the requisite lessons.

The queue for Joint Authorization Board (JAB) approvals is too long and appears to be getting longer. Companies are now routinely waiting eighteen to twenty months to get through the process. This is not how it was planned.

The JAB is designed to be the inter-agency team for certifications of providers and solutions that have multi-agency applications. For all others, there is the Authority to Operate (ATO) approval process within each individual agency.

Instead, it appears that when ATO applicants are not currently providing cloud-related services to the given agency (although they intend to bid on such requirements), the agency redirects them to the JAB. And this shift is creating a system overload at the JAB.

Then there is the issue of reciprocity.

We routinely find companies with an ATO from one agency that is not accepted by another; or a company with JAB approval is still required to also get an ATO from the agency for which they are proposing to do work.

Remember the DISA announcement earlier this year that it had issued preliminary approval to 23 solutions? What far too few noticed was that each of those solutions, all of which only required the lowest levels of security, still had to get an ATO from a component of the defense department before they could proceed, even though all 23 already had either JAB approval or an ATO from another agency!

And there is more.

Little has been done to clarify whether companies should be required to have their FedRAMP certification before they can even bid on work that would require it. Some argue that companies that have made the upfront investment in pre-approvals deserve some advantage over those that have not.

But that is very shortsighted. The process is so long and can require so many redundant actions (not to mention costs) that to require advance approval unfairly biases in favor of a small community of providers.

As one example, part of the FedRAMP process involves network penetration testing, the results of which are only good for six months. But if delays stretch the broader FedRAMP approval process too long (as is routinely happening today), the company has to go back and do the testing again…and maybe even again. At its own cost.

GSA leaders have been clear that they do not believe FedRAMP approval should be a condition for bidding. But nothing has been done to make that the rule of the road, leaving scores of providers waiting in line.

Ironically, some of those who got the earliest FedRAMP approvals now face the prospect of having to be re-certified, as their offerings have matured and expanded. They too could face the same barriers and potential disruptions.

It is convenient to simply criticize the FedRAMP program office for failing to keep the trains running smoothly. But that wouldn’t be fair.

As with security clearances, the responsibility (and blame) lies with many entities and is the result of many factors. That’s why getting the most senior government leadership far more engaged, and soon, is so vital.

Only the very top leadership in government has the ability and authority to iron out some of the inconsistencies, find ways to reduce process times, and get FedRAMP back on track toward what it was meant to be: an entry point, not a sticking point.

Absent sustained leadership attention and action, the government’s ability to rapidly access and field new capabilities will be further compromised. And FedRAMP itself could become a ramp to nowhere.

Reader Comments

Mon, Dec 14, 2015 Katie Lewin Alexandria, VA

I was the first Director of the FedRAMP office and agree with many of the concerns stated here. Yes, the queue is too long for JAB approvals. It is true that the original purpose of the JAB was to provide provisional ATOs for cloud solutions that would be used across many agencies. JAB reviews were also used as a way for agencies to become familiar with the FedRAMP methodology. Agencies can accept JAB provisional ATOs and modify them to meet their particular security requirements. However, it was assumed that agencies would conduct the majority of ATOs themselves using FedRAMP. In my opinion, there are several reasons that agencies have used JAB ATOs almost exclusively. First, it is much more cost effective for agencies to let the JAB do the review and assessment work, and then accept the results. Second, a review by the three JAB agencies is perceived as more rigorous, as it is conducted by technical staff from 3 agencies. Third, agencies are not encouraged to perform their own ATOs or to accept ATOs performed by other agencies. The concept of reciprocity is key to the success of FedRAMP. OMB can apply some leverage to get agencies to accept ATOs performed by other agencies under the FedRAMP methodology. In my opinion, OMB can also do more to increase the efficiency of FedRAMP. Through their TechStat program or even informal discussions, OMB can encourage agencies to conduct their own ATOs for cloud solutions and support agency resource requirements needed to perform these security assessments. It is correct that GSA has made it clear that agencies cannot require FedRAMP certification to bid on work. Short of some type of FAR modification, the best course of action for cloud service providers is to report any RFPs that require FedRAMP certification to the FedRAMP Office. The Office can then work with the agency to remove that requirement.

I agree that the approval process, particularly the time to meet penetration testing requirements, is too long in light of the three year recertification time line. I think articles such as this will encourage the FedRAMP Office to focus on issues such as this. As you said, many entities have to get involved to address the issues you raise. It has been my experience that the FedRAMP Office is receptive to suggestions and will work to improve the program. FedRAMP is an important initiative. It is probably time for a program review and some adjustments. It is the result of many hours of work with contributions from most of the Federal agencies. It deserves some attention and retooling, but it can continue to evolve into an important element in the security of the Federal government.

Mon, Dec 14, 2015 Martin Washington, D.C.

There are a couple of problems with this outside view of FedRAMP. The queue is long, but due to the fact that the JAB is carrying all of the weight. There have been a small number of agencies sponsoring packages and it was never designed to be that way. To write "Two primary problems plague FedRAMP: the length of time it takes to get certified and the lack of reciprocity in the system." is a half truth. Reciprocity is baked into the framework and is a key element. FedRAMP is the only Framework designed to work this way right now. Currently you have DoD in the process of trying to get all the DIACAP systems cut over to the Risk Management Framework (RMF), which has even more controls and is basically the same thing as FedRAMP. Taking a system or vendor through any certification process takes time, and considering what the government is asking of CSPs they are moving at a quick pace. FedRAMP is not going anywhere, cloud is not going anywhere and when the new laws requiring all Federal clouds to be FedRAMP'd drop I am sure many are in for a rude awakening.

Mon, Dec 14, 2015 Gorvan Mestrovich

We need to face the fact that the overall Federal contracting approach is very satisfying to both customers and (most) suppliers. It supports millions of well paid jobs. It does this in part because of the bureaucratic, slow procedures and process. Little has changed over decades. And there is a whole industry of consultants, trade groups, advocacy orgs and lobbyists, and attorneys and accountants who feed off the slothful process. They love it. And the progressive decline in trust means these procedures are not going away. So, rejoice in all of the business. As for the complaint that all of this amounts to an anticompetitive screen, so many jobs are dependent on it, things are not likely to change.

Mon, Dec 14, 2015 John G Northern Virginia

This article poses many excellent points, the sum of which I'll boil down to this...trying to sell to the federal government is a wretchedly difficult process. The myriad delays for a company to get a PO is only the first hurdle. GWACs do offer some relief from the layer of protest delays, but to see unwarranted red tape create situations where vendors need to recertify is insane. To recognize actual revenue with the federal government market can take down a company's finances, or cost the taxpayers far more than necessary due to imputed "delay fees" they must bake in.

The contracting model is severely broken, yet fed agencies have little visible pressure to resolve the core problems. Smart companies are well advised to have strong private sector practices to carry their public sector!

Fri, Dec 11, 2015 Jack

This comment: "What far too few noticed was that each of those solutions, all of which only required the lowest levels of security, still had to get an ATO from a component of the defense department before they could proceed, even though all 23 already had either JAB approval or an ATO from another agency!" shows a complete lack of risk management. The JAB or any other agency can't accept risk on behalf of another. We call them "provisional ATOs" but we should really call them "FedRAMP Moderate Certifications" because that is really what is being done at the board. Each receiving organization must look at the residual vulnerabilities of the cloud provider through THEIR threat profile and determine what risk they will be accepting to use that platform. FedRAMP is a phenomenal program that has cut agency assessment and review time by 80 to 90 percent in most cases and has provided a far more robust security posture than many agencies have in house.
