FedRAMP comes fraught with challenges

The process of standardizing and implementing security controls for federal cloud services doesn’t come without hiccups, and the only way for agencies to move forward is through a “quick learning, slow implementation” approach, said an official in the General Services Administration.

Although there’s little contention about the merits of the Federal Risk and Authorization Management Program, its “do once, share many times” approach is fraught with challenges, particularly in the areas of culture and existing security requirements, said David McClure, associate administrator in GSA’s Office of Citizen Services and Innovative Technologies.

With the development and rollout of FedRAMP, “we’re not creating a single Cinderella shoe here that fits everything,” said McClure, who moderated an April 13 breakfast panel organized by the Association for Federal Information Resources Management. “There continues to be, and has to be, an evolutionary and intelligent view on how we approach security.”

FedRAMP is a joint effort between cybersecurity and cloud experts from agencies such as GSA, the departments of Homeland Security and Defense, the Office of Management and Budget and the Federal CIO Council, as well as the commercial sector. The program’s governing body, the Joint Authorization Board, provides authorization review as well as technical expertise to address agencies’ security needs.

The JAB is also expected to give that “extra push, extra authoritative review that really digs into this critical work and component of FedRAMP called leveraging,” McClure said.

“If we leverage the work of each of our agencies, we win,” he said. “We win big-time, because we will not spend as much money, and we’ll be able to do this much faster.”

But the largest cost savings won’t come from standardizing controls for cloud-based services but from leveraging commodity IT, said Richard Spires, CIO at the Homeland Security department. A key reason the government trudges behind industry in leveraging commodity IT is the existence of security mechanisms that make it hard to take advantage of cloud services, said Spires, who also sits on the JAB.

“There’s real hesitancy on the part of the government to move forward without the right security controls,” he said. “It will take another couple of years to get [FedRAMP] rolling, but it will really break down the barriers so that the federal government can leverage cloud-based services, both for private clouds as well as public clouds and hybrids to the same degree you start seeing them in the private sector.”

McClure acknowledged that the path toward full FedRAMP operational status in 2014 won’t be without roadblocks. “We all know that; we know that throughout government security officers will have varying interpretations of what controls are acceptable and whether you can leverage a total package or not,” he said. “We know that we’ll have to demonstrate the foundational element of solid evaluation, high degree of trust, and the ability to leverage.”

About the Author

Camille Tuutti is a former FCW staff writer who covered federal oversight and the workforce.

Reader comments

Mon, Apr 23, 2012

Maybe they didn't want to use the more appropriate story analogy of the Emperor's new clothes.

Mon, Apr 16, 2012 FMJohnson

“'we’re not creating a single Cinderella shoe here that fits everything,' said McClure.” Not sure that's the analogy he wants to use. Cinderella's shoe only fit one thing, not everything...