FedRAMP lampooned in new study
Jan 31, 2016
When it comes to government cloud migration, the feds may just be their own worst enemy. Multiple federal IT initiatives have been spearheaded by various agencies over the past few years, one of which is to make the transition to cloud computing. The goal here is both to save money on legacy IT infrastructure through means of data center consolidation and improve sharing of technology resources.
But since the outset, many IT leaders have been wary of cloud computing, which, to a large extent, led to the creation of the Federal Risk and Authorization Program in 2011. The chief purpose of the program was to create a standard approach to "security assessment, authorization, and continuous monitoring for cloud products and services." In theory, this should have expedited cloud migration through the creation of an organized processes, and the development of lucid security parameters.
However, a recent report that is half-a-year in the making has found that FedRAMP is not living up to its potential, and that the time for change is close at hand.
Calling for reformation
Over the course of the past seven months, the FedRAMP Fast Forward industry group has worked with federal agencies, cloud service providers and third-party assessment organizations to compile a six-step plan to reform FedRAMP.
The results of that study were released Jan. 25., and among other things, they asserted that the process for assessing and certifying the products and services of cloud service providers is "fundamentally broken." The report noted, for example, that two years ago, it took nine months and cost about $250,000 for cloud service providers to obtain a FedRAMP Authority to Operate (ATO). Now, however, this process takes an estimated two years and costs $4-5 million. On top of that, the release for the study noted that cloud service providers "are blind to their status in the approval process."
From here, the report outlines six concrete steps that are aimed at improving FedRAMP. First, the report notes that there are three different routes for ATO procurement, that they are unequal and that this defeats that purpose of FedRAMP in the first place. Second, cloud providers should not be in the dark about the approval process, or how much time and money it entails. Third, FedRAMP should be more synchronized with other compliance provisions, so that cloud providers can meet at least some of the program's requirements through cooperation with other international privacy standards. Fourth, lower the rates of continuous monitoring for those vendors that have obtained an ATO. Fifth, make it possible for providers to update cloud environments in compliance with FedRAMP. Finally, better aid cloud providers in their endeavors to be compliant with Department of Defense security standards, rather than having them start from the beginning should they try to provide cloud services to DoD.
How soon can cloud service providers expect results?
All said and done, the sooner FedRAMP cleans up its act, the better it will be for federal agencies that are eager to migrate more services to the cloud, as well as the service providers that want to do business with these agencies.
That said, it is somewhat reassuring that FedRAMP immediately issued a response upon being presented with the report several days before it became available to the public.
"We're taking your feedback to heart," Matthew Goodrich, director for FedRAMP in the General Service Administration, wrote in the Jan. 20 post. "During the coming weeks and months, we'll be making some major changes based on your feedback. Things are going to happen quickly."
If they do, government cloud migration may soon receive a much needed momentum boost.