FedRAMP Ready or FedRAMP Irrelevant?

FedRAMP logo. (Update 2014)

Recently, the General Services Administration asked for public comments on its proposed Federal Risk and Authorization Management Program Readiness Capabilities Assessment. In the Professional Services Council's comments on the draft document, we applauded GSA's FedRAMP Ready initiative to use private-sector third-party assessment organizations to help reduce the time required to obtain a provisional authorization or an authority to operate (ATO).

PSC also noted that the FedRAMP Program Management Office has taken a number of important steps to streamline the process. We said in closing, though, that there is a looming challenge beyond the PMO's control that risks creating "FedRAMP Irrelevance" rather than "FedRAMP Ready."

No matter how many improvements are made to the FedRAMP process, the laudable goal of ensuring that federal agencies have rapid access to secure commercial cloud solutions will not be achieved if agencies don't maximize their reliance on reciprocity — that is, relying on another agency's ATO or provisional authorization to quickly determine the viability of a cloud solution.

The Office of Management and Budget must demand reciprocity between agencies and enforce the requirement for an agency to rely on a previously obtained authorization.

This might be a good time for federal leaders to put “The Speed of Trust” on their summer reading list.

Last year, the Defense Information Systems Agency issued a press release identifying 23 commercial cloud offerings that had been granted provisional authorizations. However, defense organizations that wanted to use those proven offerings were still required to conduct an ATO assessment despite the fact that the solutions would not handle sensitive information and had already been granted a FedRAMP provisional authorization or ATO by another agency.

In January, the Defense Department published its Defense Acquisition of Services instruction (DODI 5000.74), which requires all commercial cloud services to obtain both a provisional authorization from DISA and an ATO from the DOD organization implementing the solution — regardless of whether other authorizations have already been obtained.

It takes a long time to get through the authorization process, and delays are needlessly exacerbated when the process has to be repeated by multiple agencies for an already proven solution.

Cybersecurity is a huge threat and risk aversion is understandable, but the lack of trust that still exists between agencies — particularly at a time when great progress has been made in encouraging agencies to adopt a common set of security controls — is severely hampering the government's access to new technologies.

Several years ago, Stephen M.R. Covey wrote a groundbreaking book on the subject titled "The Speed of Trust." He describes how operating in a low-trust environment causes significant and quantifiable impacts on the time required and the cost of implementing any project.

IT modernization and cybersecurity are the two most pressing IT challenges facing government today, and rapid adoption of cloud solutions is one way to take significant strides toward both goals. Security certifications should give us the confidence to move forward with an IT project. When the authorization process precludes the adoption of commercial best practices, we thwart our good intentions by extending the time period upon which agencies will continue to rely on outdated and insecure computing infrastructure.

And agencies will only achieve their risk management goals if they can measure the outcomes that matter and begin to trust the work of another agency's cybersecurity professionals.

It might be a good time for federal leaders to put "The Speed of Trust" on their summer reading list.

About the Author

David Wennergren is executive vice president for operations and technology at the Professional Services Council.


  • Cybersecurity

    DHS floats 'collective defense' model for cybersecurity

    Homeland Security Secretary Kirstjen Nielsen wants her department to have a more direct role in defending the private sector and critical infrastructure entities from cyberthreats.

  • Defense
    Defense Secretary James Mattis testifies at an April 12 hearing of the House Armed Services Committee.

    Mattis: Cloud deal not tailored for Amazon

    On Capitol Hill, Defense Secretary Jim Mattis sought to quell "rumors" that the Pentagon's planned single-award cloud acquisition was designed with Amazon Web Services in mind.

  • Census
    shutterstock image

    2020 Census to include citizenship question

    The Department of Commerce is breaking with recent practice and restoring a question about respondent citizenship last used in 1950, despite being urged not to by former Census directors and outside experts.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.