U.S. Federal Agencies Frustrated with FedRAMP

By Susan J. Campbell
TMCnet Contributing Editor

The digital age has brought us a number of advantages. We no longer have to rely solely on manual processes to get things done; we can connect and collaborate with anyone, anywhere in the world in real-time; and remote operations have become commonplace with mobile phones providing the same capabilities we once could only get from a desktop computer.

Along with those benefits, however, are inherent threats from being connected at all times. Cyber security is an expanding industry, with experts delivering solutions at a speed constantly focused on outpacing that of the opposition: illegal hackers. Whether federal agency or private business, the protocol to deploy new applications or systems has to include steps to ensure protection.

According to a recent MeriTalk posting, the cyber security steps put in place to protect federal government systems and applications are causing frustration among users. A MeriTalk survey of more than 150 federal IT decision makers found that 79 percent are frustrated with FedRAMP, the Federal Risk and Authorization Management Program. Based on this feedback, the General Services Administration will have to revamp the program, bringing it out of its current stage where decision makers view it as little more than a compliance exercise.

This frustration with the cyber security system has led some officials to ignore the mandatory process completely, launching agency cloud deployments and service models without going through the proper processes. In fact, as many as 17 percent of federal IT decision makers do not factor FedRAMP compliance into their cloud decisions.  In addition, 59 percent would consider a non-FedRAMP-compliant cloud. Many are frustrated with the lack of transparency into the FedRAMP process, frustrated with the efforts currently in place to increase security.

Since its launch in 2011, FedRAMP aims to standardize the way the government conducts security assessments, authorizations and the continuous monitoring of cloud services. Yet federal agencies continue to experience challenges when using the program, including inefficiency and a perceived lack of transparency and effectiveness.

One of the key frustrations among FedRAMP users, according to the survey, is a lack of sharing among agencies of their cloud service provider authorizations. Known as authority to operate or ATO, this functionality has been used by those on both sides of the argument. FedRAMP Director Matt Goodrich claims that the perceived lack of ATO sharing is leading to the inability of CSPs to capture new business and not a lack of cyber security measures within FedRAMP.

As a result of these frustrations and a lack of use of the program, the GSA (News - Alert) has launched a major restructuring, anticipating better capabilities by mid- to late-summer. Known as FedRAMP Accelerated, the new program is expected to fix many of these problems, yet 41 percent of government officials remain unaware of the plans.