FedRAMP Is Too Complicated, Not Secure Enough: Survey
The FedRAMP standard for federal agency use of cloud services has too many complications in its operations and lacks the assurance of security, according to the results of a MeriTalk survey.
The Federal Risk and Authorization Management Program (FedRAMP), meant to ensure secure federal government cloud use, isn't adding the security it was intended to provide. Its complicated procedures are sometimes keeping it from living up to expectations, according to a MeriTalk survey.
MeriTalk, a public/private partnership that publishes IT best practices for the federal government, released the results of its FedRAMP survey earlier this week. The survey, conducted online in April 2016, received responses from 150 federal IT leaders responsible for cloud decisions in their organizations. The majority of respondents (79%) said they were frustrated with the system, while 59% said they would consider implementing a cloud service for their agency that was not FedRAMP compliant.
FedRAMP was designed as a blueprint for assessing and confirming security levels among the suppliers of cloud computing to the Department of Defense, intelligence agencies, and federal offices that service civilians.
MeriTalk published a report on the survey, "FedRAMP Fault Lines," on May 23, and made a summary available to the press under the headline: "Four out of Five Federal Cloud Decision Makers Report Deep Frustrations With the FedRAMP Process."
The General Services Administration (GSA) launched FedRAMP in June 2012 in an attempt to standardize the way federal agencies assess the security of a cloud provider they wished to use.
Since June 2012, FedRAMP has been pressed into service by the Department of Defense, NASA, the Office of Management and Budget, and other federal users of cloud services. Use of FedRAMP is mandatory for federal agency cloud deployments and service models at the low- and moderate-risk impact levels.
Yet FedRAMP includes its own processes and procedures that are sometimes hard to understand, and which the Program Management Office in the GSA is currently revising.
Meanwhile, CenturyLink, Virtustream, Amazon Web Services, and other major cloud suppliers have obtained FedRAMP certifications, indicating their security practices are up to snuff, according to FedRAMP.
Certified for Sale
At one point, the ability of a relatively unknown cloud services startup to obtain FedRAMP certification was an indicator that it might be acquired. Several certified startups, such as Autonomic Resources, acquired by CSC in February 2015, were bought after attaining certification.
Another example is Virtustream, which was certified in July 2014 and acquired by EMC in May 2015 for $1.2 billion.
Yet, 17% of respondents in the MeriTalk survey reported that FedRAMP does not factor into their cloud decisions.
Some 60% of respondents to the MeriTalk survey work in government agencies that serve civilians, while the remaining 40% work in military or intelligence agencies. Fifty-five percent of respondents working for civilian federal agencies reported that they did not believe FedRAMP had increased the security of their cloud use, while 65% of those working in military/intelligence agencies said the same.
FedRAMP is given credit for reducing the constant duplication of effort that marked previous attempts by federal agencies to establish basic security with cloud providers. Built into the FedRAMP system is a process by which agencies can grant an authority to operate (ATO) to an outside service provider after it has met the requirements of the FedRAMP template for security. An ATO is then supposed to be shared with other agencies, so long as they apply to the issuing agency for permission to use it.
But with new technologies constantly becoming available, along with new service providers, it's hard for FedRAMP's approach to keep up.
The process of certifying new services is slow, according to respondents. Nor is FedRAMP's grant of an authority to operate (ATO) working the way it was intended.
The survey found that 41% of respondents have never used another agency's ATO, and that 35% of respondents who had obtained an ATO said their agency has not allowed others to use it. Also, 26% of respondents said their agency had been denied permission when seeking to use another agency's ATO.
No one is sure how much to conclude from such figures, because FedRAMP is plagued with a lack of visibility into its own internal operating procedures. In fact, 41% of respondents to the MeriTalk survey said they are not familiar with the GSA's plans to accelerate FedRAMP.
"FedRAMP remains cracked at the foundation," said Steve O'Keefe, founder of MeriTalk, in a prepared statement. "We need a FedRAMP fix."
O'Keefe called for that fix to include improved guidance from the Program Management Office regarding how to use FedRAMP, a simplification of its processes, and increased transparency.
Charles Babcock is an editor-at-large for InformationWeek and author of Management Strategies for the Cloud Revolution, a McGraw-Hill book. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive ...