FedRAMP: Red tape or silver bullet?

Federal tech leaders are torn on how FedRAMP could help or hinder the monumental shift to commercial cloud.


The Federal Risk and Authorization Management Program’s relationship to cloud adoption: “exclusionary” stumbling block, “silver bullet,” or maybe a bit of both?

At MeriTalk’s Cloud Computing Brainstorm on June 17, senior officials offered very different views of the comprehensive cloud security rules.

Just more red tape

Pushing for more speed and sharing across government – and lampooning the penchant agencies have displayed for each creating their own, minimally different versions of applications when they could far more efficiently use existing solutions – several agency leaders railed against FedRAMP.

Joe Paiva, CIO at the International Trade Administration, worried that FedRAMP was turning out to be “exclusionary,” dulling the positive benefits of market competition as agencies flocked to FedRAMP-certified cloud service providers (CSPs).

He also decried the lumbering process of moving small acquisitions through FedRAMP.

“None of this is in the law or the [Federal Acquisition Regulation],” he noted, saying it takes “political will” to cut through red tape – such as requirements that every service offering in a CSP’s menu goes through FedRAMP individually.

Tony Summerlin, senior adviser to the FCC CIO and self-professed “Irish cynic,” echoed Paiva’s critique, saying that FedRAMP was meant to speed up cloud adoption but in reality has gummed up the federal works.

“We have to be able to pull stuff off the shelf when we need it,” Summerlin said.

A one-stop shop for a cloud security picture

Matt Goodrich, the General Services Administration’s FedRAMP director, led the defense.

“‘It’s a beast to get through all the documentation,’” Goodrich recalled CSPs complaining, but he said the beauty of FedRAMP certification lies in the fact that CSPs can go through the process once for government-wide certification, rather than facing different certification processes in different agencies.

“It’s the silver bullet for that cloud service provider [that gets certified]. It’s not the silver bullet for that end user in that agency,” he said, noting that agencies are not absolved of basic security responsibilities once they contract with a FedRAMP-certified CSP.

Michaela Iorga, cloud computing security technical lead at the National Institute of Standards and Technology (NIST), backed up Goodrich.

“It’s not that NIST is not listening to the pain and agony from consumers and providers,” she said, adding that NIST continually works to develop standards that balance security and workability.

The exhaustive, 325-control-laden FedRAMP certification process is aimed at giving agencies a complete understanding of the cloud systems they’re buying into, risks and all.

“If you don’t have that information, you can’t trust [the system],” Goodrich said. “You can’t trade rigor for speed.”

Goodrich also fired back at the notion that FedRAMP could stifle competition, noting that vendors don’t need to be FedRAMP certified before getting contracts.

“Yes, you should be FedRAMP certified, but that doesn’t mean certified at the time of bid or even at the time of award,” Goodrich noted. But they do have to be certified before they can begin providing service.

He advocated a flexible approach throughout the procurement process.

“If you require FedRAMP authorization at the time of bid, you’re basically saying the 40 [cloud] providers we have now are the 40 providers we’ll have for the entirety of FedRAMP,” he noted. “That’s not good for industry and it’s not good for agencies.”

In the end, Goodrich said, FedRAMP can often help agencies improve their cybersecurity posture as it forces them to develop an understanding of the systems on which they rely that they often didn’t have before the move to cloud.

“You don’t wait for an IG report, you don’t wait for GAO to come in” and critique information weaknesses, Goodrich noted.

As for FedRAMP’s 325 controls, they may be a pain for CSPs to work through, but they represent critical systems awareness work.

“Agencies haven’t been going through all those controls themselves,” Goodrich said.

Good or bad, there’s no avoiding FedRAMP.

“The administration has already said it’s not aspirational,” Goodrich said in response to a query from the audience on FedRAMP’s future. “It’s mandatory.”