Federal IT Pros Vent FedRAMP Frustrations

A MeriTalk survey found that despite the GSA's push to fix the process, 41 percent of respondents are unfamiliar with GSA’s plans to remedy FedRAMP.

Four out of five federal cloud decision makers (79 percent) are frustrated with the Federal Risk and Authorization Management Program (FedRAMP), most commonly calling the process a compliance exercise, according to a MeriTalk survey of 150 federal IT cloud decision makers.

The survey also found that despite the General Services Administration’s (GSA) push to fix the process, 41 percent are unfamiliar with GSA’s plans to remedy FedRAMP.

"From the beginning, FedRAMP has suffered from lack of transparency—industry and agency officials alike have been clamoring for automated tools that would provide visibility into what cloud services are available, which vendors are in which stage of the authorization process," Dan Verton, executive editor of MeriTalk, told eWEEK. "But the program management office has only very recently started an outreach effort to agencies. And that outreach effort consists of one person: Ashley Mahan, the so-called FedRAMP Evangelist. That’s not enough. Agency officials tell us that they want a central clearinghouse of information."

When it comes to improving FedRAMP, 49 percent of feds propose accelerating the Cloud Service Provider (CSP) certification process so there are more secure cloud options, while 47 percent suggest establishing an Authority to Operate (ATO) clearinghouse, where agencies have access to—and are required to accept—all ATOs.

"Clearly, the most troubling and revealing finding from our survey is that one in five government IT decision makers say that FedRAMP—a mandatory program—doesn’t factor into their cloud computing decisions," Verton said. "Closely related to this is the startling number of agencies that have not allowed other agencies to use their authorizations, as well as the high number who said they’ve been denied the use of authorizations by other agencies. This is the fundamental promise of the FedRAMP program—certify once, use many times."

It is a problem that FedRAMP Director Matt Goodrich has ignored by blaming it on industry’s failure to capture business, he said.

The report also found federal officials are frustrated with the lack of transparency into the FedRAMP process and unsatisfied with its efforts to increase security.

More than half of federal officials (55 percent) and 65 percent of defense agencies said they do not believe FedRAMP has increased security.

"It might be too soon to judge the impact that recent changes to the program will have on the most important issues facing FedRAMP," Verton said. "But our survey indicates the program still faces huge barriers to success. Real change may not come to FedRAMP until the leadership is changed—something that 37 percent of federal IT officials said they want to see happen. I think Matt Goodrich has taken the program as far as he can, and it’s time for a new approach at the top."