News Feature | June 2, 2016

Federal Cloud Decision Makers Report Deep Frustrations With FedRAMP Process

By Christine Kern, contributing writer

Data shows 41 percent of Feds are unfamiliar with GSA’s plan to remedy FedRAMP

Despite the General Services Administration’s (GSA) efforts to improve the program and make the process more transparent, data from MeriTalk’s latest report, FedRAMP Fault Lines, reveals that 79 percent of Feds are frustrated with the Federal Risk and Authorization Management Program (FedRAMP) and 41 percent are unfamiliar with GSA’s plan to remedy it.

The report examines Feds’ perception of FedRAMP, revealing that 55 percent believe it has not increased security and 59 percent would consider implementing a non-FedRAMP-compliant cloud.

MeriTalk published the findings, based on an online survey of 150 Federal IT cloud decision makers in April 2016, which reveal that Federal cloud decision makers most commonly call the FedRAMP process “a compliance exercise.”

Feds are frustrated with the lack of transparency into the FedRAMP process and are not impressed with its efforts to increase security. In fact, more than half of Feds (55 percent) and 65 percent of defense agencies do not believe FedRAMP has increased security.

“Despite efforts to improve, FedRAMP remains cracked at the foundation,” said Steve O’Keeffe, founder, MeriTalk. “We need a FedRAMP fix — the PMO must improve guidance, simplify the process, and increase transparency.”

The study further found that, although some Feds stated that FedRAMP has successfully reduced duplicative efforts, many others say the process is still too slow, and many fail to take advantage of shared Authorities to Operate (ATOs):

  • Forty-one percent of Feds have not used another agency’s FedRAMP ATO
  • Thirty-five percent of those with an ATO have not allowed others to utilize it
  • Twenty-six percent have been denied another agency’s ATO

These cracks in the FedRAMP foundation leave many Feds uncertain about the process; some are even ignoring the program entirely, despite the fact that it is mandatory for Federal agency cloud deployments and service models at the low and moderate risk impact levels. Still, nearly twenty percent of those surveyed report that FedRAMP compliance does not factor into their cloud decisions, while 59 percent would consider a non-FedRAMP-compliant cloud.

When asked how FedRAMP could be improved, respondents cited accelerating the Cloud Service Provider (CSP) certification process to provide more secure cloud options (49 percent); establishing an ATO clearing house where agencies have access to, and are required to accept, all ATOs (47 percent); and changing leadership at the GSA Program Management Office (PMO) (27 percent).

The study makes clear Feds need to embrace FedRAMP in order for government to capitalize on the promise of cloud. The report thus outlines the following recommendations to improve the process:

  • eliminate confusion by improving guidance and expanding training
  • encourage sharing by simplifying the process and eliminating duplicate efforts with an ATO clearing house
  • promote progress by increasing transparency around security improvements, timeline accelerations, and actions taken to restore the program