The Federal Risk and Authorization Management Program (FedRAMP), meant to ensure secure federal government cloud use, isn't delivering the security it was intended to provide, according to a MeriTalk survey. Its complicated procedures are sometimes keeping it from living up to expectations.
MeriTalk, a public/private partnership that publishes IT best practices for the federal government, released the results of its FedRAMP survey earlier this week. The survey, conducted online in April 2016, received responses from 150 federal IT leaders responsible for cloud decisions in their organizations. The majority of respondents (79%) said they were frustrated with the system, while 59% said they would consider implementing a cloud service for their agency that was not FedRAMP compliant.
FedRAMP was designed as a blueprint for assessing and confirming the security of cloud computing suppliers serving the Department of Defense, intelligence agencies, and civilian federal agencies.
MeriTalk published a report on the survey, "FedRAMP Fault Lines," on May 23, and made a summary available to the press under the headline: "Four out of Five Federal Cloud Decision Makers Report Deep Frustrations With the FedRAMP Process."
The General Services Administration (GSA) launched FedRAMP in June 2012 in an attempt to standardize the way federal agencies assess the security of a cloud provider they wished to use.
Since June 2012, FedRAMP has been pressed into service by the Department of Defense, NASA, the Office of Management and Budget, and other federal users of cloud services. Use of FedRAMP is mandatory for federal agency cloud deployments and service models at the low- and moderate-risk impact levels.
Yet FedRAMP's own processes and procedures are sometimes hard to understand, and they are currently under revision by the Program Management Office (PMO) within the GSA.
Meanwhile, CenturyLink, Virtustream, Amazon Web Services, and other major cloud suppliers have obtained FedRAMP certifications, indicating their security practices are up to snuff, according to FedRAMP.
Certified for Sale
At one point, the ability of a relatively unknown cloud services startup to obtain FedRAMP certification was an indicator that it might be acquired. Several certified startups, such as Autonomic Resources, acquired by CSC in February 2015, were bought after attaining certification.
Another example is Virtustream, which was certified in July 2014 and acquired by EMC in May 2015 for $1.2 billion.
Yet, 17% of respondents in the MeriTalk survey reported that FedRAMP does not factor into their cloud decisions.
Some 60% of respondents to the MeriTalk survey work in government agencies that serve civilians, while the remaining 40% work in military or intelligence agencies. Fifty-five percent of respondents working for civilian federal agencies reported that they did not believe FedRAMP had increased the security of their cloud use, while 65% of those working in military/intelligence agencies said the same.
FedRAMP is given credit for reducing the constant duplication of effort that marked previous attempts by federal agencies to establish baseline security with cloud providers. Built into the FedRAMP system is a process by which an agency can grant an authorization to operate (ATO) to an outside service provider after it has met the requirements of the FedRAMP security template. That ATO is then supposed to be reusable by other agencies, so long as they apply to the issuing agency for permission to use it.
But with new technologies constantly becoming available, along with new service providers, it's hard for FedRAMP's approach to keep up.
The process of certifying new services is slow, according to respondents. Nor is FedRAMP's ATO reuse working the way it was intended.
The survey found that 41% of respondents have never used another agency's ATO, and that 35% of respondents who had obtained an ATO said their agency has not allowed others to use it. Also, 26% of respondents said their agency had been denied permission when seeking to use another agency's ATO.
No one is sure how much to conclude from such figures, because FedRAMP offers little visibility into its own internal operating procedures. In fact, 41% of respondents to the MeriTalk survey said they are not familiar with the GSA's plans to accelerate FedRAMP.
"FedRAMP remains cracked at the foundation," said Steve O'Keefe, founder of MeriTalk, in a prepared statement. "We need a FedRAMP fix."
O'Keefe called for that fix to include improved guidance from the Program Management Office on how to use FedRAMP, a simplification of its processes, and increased transparency.