FedRAMP Ready or FedRAMP Irrelevant?
Despite GSA’s efforts to accelerate the FedRAMP approval process, the lack of agency reciprocity puts the program’s central goals at risk.
Recently, the General Services Administration asked for public comments on its proposed Federal Risk and Authorization Management Program Readiness Capabilities Assessment. In the Professional Services Council's comments on the draft document, we applauded GSA's FedRAMP Ready initiative to use private-sector third-party assessment organizations to help reduce the time required to obtain a provisional authorization or an authority to operate (ATO).
PSC also noted that the FedRAMP Program Management Office has taken a number of important steps to streamline the process. We said in closing, though, that there is a looming challenge beyond the PMO's control that risks creating "FedRAMP Irrelevance" rather than "FedRAMP Ready."
No matter how many improvements are made to the FedRAMP process, the laudable goal of ensuring that federal agencies have rapid access to secure commercial cloud solutions will not be achieved if agencies don't maximize their reliance on reciprocity — that is, relying on another agency's ATO or provisional authorization to quickly determine the viability of a cloud solution.
The Office of Management and Budget must demand reciprocity between agencies and enforce the requirement for an agency to rely on a previously obtained authorization.
Last year, the Defense Information Systems Agency issued a press release identifying 23 commercial cloud offerings that had been granted provisional authorizations. However, defense organizations that wanted to use those proven offerings were still required to conduct an ATO assessment despite the fact that the solutions would not handle sensitive information and had already been granted a FedRAMP provisional authorization or ATO by another agency.
In January, the Defense Department published its Defense Acquisition of Services instruction (DODI 5000.74), which requires all commercial cloud services to obtain both a provisional authorization from DISA and an ATO from the DOD organization implementing the solution — regardless of whether other authorizations have already been obtained.
It takes a long time to get through the authorization process, and delays are needlessly exacerbated when the process has to be repeated by multiple agencies for an already proven solution.
Cyber threats are serious and risk aversion is understandable, but the lack of trust that still exists between agencies — particularly at a time when great progress has been made in encouraging agencies to adopt a common set of security controls — is severely hampering the government's access to new technologies.
Several years ago, Stephen M.R. Covey wrote a groundbreaking book on the subject titled "The Speed of Trust." He describes how operating in a low-trust environment causes significant and quantifiable impacts on the time required and the cost of implementing any project.
IT modernization and cybersecurity are the two most pressing IT challenges facing government today, and rapid adoption of cloud solutions is one way to take significant strides toward both goals. Security certifications should give us the confidence to move forward with an IT project. When the authorization process precludes the adoption of commercial best practices, we thwart our good intentions by extending the period during which agencies continue to rely on outdated and insecure computing infrastructure.
And agencies will only achieve their risk management goals if they can measure the outcomes that matter and begin to trust the work of another agency's cybersecurity professionals.
It might be a good time for federal leaders to put "The Speed of Trust" on their summer reading list.