The Federal Risk and Authorization Management Program (FedRAMP) — the program charged with managing security accreditations for cloud vendors selling to the government — is in the midst of a renaissance but federal managers have yet to be impressed, according to a new survey.
A poll of 150 federal IT managers conducted by MeriTalk showed less than half — 45 percent — believe the program has led to better cybersecurity at their agency and the vast majority — 79 percent — view FedRAMP as just another frustrating exercise in compliance.
Download: FedRAMP Fault Lines
After the administration instituted the Cloud First policy in 2010, many agencies were wary of moving to the cloud out of security concerns. And rightly so — giving agency data to a third party could lead to significant problems if that vendor does not have appropriate security controls in place.
FedRAMP was created to give agencies a level of assurance that the cloud provider they are contracting with meets a certain level of security. However, since its inception the program has been mired in problems, most notably the long and expensive accreditation process.
Nonetheless, FedRAMP compliance is a mandate for agencies using cloud services. To ensure the program doesn't continue to be a millstone for agencies moving to the cloud, the program office recently launched FedRAMP Accelerated — a set of reforms intended to speed up the process and make better use of shared authorities to operate (ATOs), in which one agency's authorization can be used by others.
Despite these efforts, 17 percent of survey respondents said FedRAMP is not a factor in their cloud decisions and 59 percent said they would consider a cloud solution that isn't in compliance.
Additionally, 41 percent said they weren't aware of the program office's efforts to improve the process.
"Despite efforts to improve, FedRAMP remains cracked at the foundation," MeriTalk founder Steve O'Keeffe said of the survey results. "We need a FedRAMP fix — the PMO must improve guidance, simplify the process and increase transparency."
Along with the survey results, MeriTalk published three recommendations for the program office:
- Eliminate confusion: Federal cloud decision makers are overwhelmed by FedRAMP frustrations and turning to the easiest thing — ignoring it altogether. The FedRAMP PMO must improve guidance and expand training.
- Encourage sharing: Failing to share agency ATOs nearly defeats the purpose of FedRAMP. The FedRAMP PMO must simplify the process and stimulate sharing with an ATO clearing house.
- Promote progress: Feds are wary of FedRAMP’s value. The FedRAMP PMO must increase transparency around security improvements, timeline accelerations and actions taken to restore the program.
Aaron Boyd is an award-winning journalist currently serving as editor of Federal Times — a Washington, D.C. institution covering federal workforce and contracting for more than 50 years — and Fifth Domain — a news and information hub focused on cybersecurity and cyberwar from a civilian, military and international perspective.