Comment

FedRAMP Ready or FedRAMP Irrelevant?

FedRAMP logo. (Update 2014)

Recently, the General Services Administration asked for public comments on its proposed Federal Risk and Authorization Management Program Readiness Capabilities Assessment. In the Professional Services Council's comments on the draft document, we applauded GSA's FedRAMP Ready initiative to use private-sector third-party assessment organizations to help reduce the time required to obtain a provisional authorization or an authority to operate (ATO).

PSC also noted that the FedRAMP Program Management Office has taken a number of important steps to streamline the process. We said in closing, though, that there is a looming challenge beyond the PMO's control that risks creating "FedRAMP Irrelevance" rather than "FedRAMP Ready."

No matter how many improvements are made to the FedRAMP process, the laudable goal of ensuring that federal agencies have rapid access to secure commercial cloud solutions will not be achieved if agencies don't maximize their reliance on reciprocity — that is, relying on another agency's ATO or provisional authorization to quickly determine the viability of a cloud solution.

The Office of Management and Budget must demand reciprocity between agencies and enforce the requirement for an agency to rely on a previously obtained authorization.

This might be a good time for federal leaders to put “The Speed of Trust” on their summer reading list.

Last year, the Defense Information Systems Agency issued a press release identifying 23 commercial cloud offerings that had been granted provisional authorizations. However, defense organizations that wanted to use those proven offerings were still required to conduct an ATO assessment despite the fact that the solutions would not handle sensitive information and had already been granted a FedRAMP provisional authorization or ATO by another agency.

In January, the Defense Department published its Defense Acquisition of Services instruction (DODI 5000.74), which requires all commercial cloud services to obtain both a provisional authorization from DISA and an ATO from the DOD organization implementing the solution — regardless of whether other authorizations have already been obtained.

It takes a long time to get through the authorization process, and delays are needlessly exacerbated when the process has to be repeated by multiple agencies for an already proven solution.

Cybersecurity is a huge threat and risk aversion is understandable, but the lack of trust that still exists between agencies — particularly at a time when great progress has been made in encouraging agencies to adopt a common set of security controls — is severely hampering the government's access to new technologies.

Several years ago, Stephen M.R. Covey wrote a groundbreaking book on the subject titled "The Speed of Trust." He describes how operating in a low-trust environment causes significant and quantifiable impacts on the time required and the cost of implementing any project.

IT modernization and cybersecurity are the two most pressing IT challenges facing government today, and rapid adoption of cloud solutions is one way to take significant strides toward both goals. Security certifications should give us the confidence to move forward with an IT project. When the authorization process precludes the adoption of commercial best practices, we thwart our good intentions by extending the time period upon which agencies will continue to rely on outdated and insecure computing infrastructure.

And agencies will only achieve their risk management goals if they can measure the outcomes that matter and begin to trust the work of another agency's cybersecurity professionals.

It might be a good time for federal leaders to put "The Speed of Trust" on their summer reading list.

About the Author

David Wennergren is executive vice president for operations and technology at the Professional Services Council.

Featured

  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.