Nearly half of federal officials do not even know what FedRAMP is
Nearly half of federal employees surveyed have no idea what the Federal Risk and Authorization Management Program is, much less the impact it will have on their agencies’ IT applications and infrastructure. A January 2012 survey of almost 300 government IT officials, including nearly 200 federal government employees or contractors, by the 1105 Government Information Group found that only a quarter knew enough to have an opinion about the program.
FedRAMP was developed by the CIO Council to establish a consistent approach to security for cloud computing across the federal government. It was signed into policy in December 2011 after more than a year of discussion.
Even though agencies eventually will have to comply with its security requirements, more than half have no opinion about whether it will achieve its stated goals: lowering operational costs, saving time during cloud vendor selection, accelerating adoption of the cloud, promoting stronger interagency cooperation, being robust enough to guarantee security in the cloud, and improving continuous monitoring practices within agencies and departments.
Of those surveyed who do have strong opinions, 28 percent believe that FedRAMP won’t have sufficient security, won’t address new security threats, and will put up roadblocks in getting third-party cloud service providers certified. In fact, 29 percent responded that they don’t expect that their agencies will use FedRAMP. The most common reason given was because of security concerns.
That’s not surprising, said Kyra Kozemchak, a senior research analyst at Deltek, a Herndon, Va., government IT research and software development firm, because FedRAMP has had to accommodate a broad range of security concerns, standards and acceptable levels of risk across the federal government. FedRAMP was designed to address the basic security requirements applicable to all agencies, but if agencies are anticipating a higher level of security needs, it doesn’t seem immediately applicable, she said.
“The FedRAMP group realizes that some agencies and departments need more security than FedRAMP provides, and there has been extensive dialogue between the FedRAMP office and defense organizations in particular about whether the baseline is high enough,” she said. “Ultimately, where an agency’s requirements exceed the minimum security identified by FedRAMP, service providers will need to meet that higher level.”
Another reason for the lukewarm reception to FedRAMP probably has to do with human nature, said Kevin Jackson, general manager for cloud services at NJVC, a Vienna, Va., technology services provider for government. Jackson also is CIO of GovCloud.com, a site with cloud computing news that's relevant to the government market.
“It’s a culture change. CIOs are now being told that their authority within the agency will be reduced because instead of them having control over the certification and accreditation process, 80 percent will be governed by FedRAMP,” he explained.
Kozemchak contends that over time, perceptions will change. Those perceptions will be partly influenced by the FedRAMP group working out some kinks but mostly by federal users getting used to the idea and beginning to actually implement cloud using FedRAMP specifications.
There is still a long road ahead. Applications for authority to operate will be accepted starting in June. It will take the rest of 2012 for cloud service providers to go through certification and for initial operations to get underway, and it will take yet another year to execute full operational capabilities. In the meantime, agencies with existing cloud services and authority to operate will have more than two years before they would have to be fully compliant.
“That means almost three years could pass from the FedRAMP policy memorandum release last year before an agency migrates its services,” Kozemchak said. “There is a lot of time that has to pass before agencies will really see if it’s a success, and by that time, a lot of the concerns may have faded.”