In a Customer Perspective panel on Thursday, three Federal CIOs and CTOs expressed frustration with current FedRAMP operations.
“I was grateful to work with Dave McClure on the first FedRAMP round,” said Tony Summerlin, chief data officer and adviser to the CIO at the FCC. “So I knew what it was supposed to be doing, and I know what it’s doing now, which has nothing to do with its original purpose.”
That original purpose, according to International Trade Administration CIO Joe Paiva, was to accelerate the adoption of commercial cloud computing services in Federal agencies. Today, however, agencies seem disinclined to share FedRAMP-certified ATOs, the authorizations to operate that allow a cloud service to be used within a Federal agency.
Summerlin spoke of his particular frustration when trying to get the Justice Department to share its ATO with his department.
“Justice Department lawyers refused to allow the ATO to leave the building,” he said. He then asked if there was a problem with the contractor not wanting its ATO to be shared. “They said, ‘we have no comment.’ How could you not have a comment? I just want your ATO.”
It seems, however, that from the very beginning of the program agencies had little interest in sharing with each other.
Greg Godbout, now the CTO for the Environmental Protection Agency, was working for an outside vendor when other agencies expressed interest in what he and his team were developing. His government representative then said, “Look man, I’m all for collaboration, but don’t share anything.”
Stories like this both baffled and amused the audience of Federal employees and industry representatives. Though FedRAMP was designed to cut the cost of adopting new software-as-a-service offerings while also facilitating the adoption of those services across agencies, both agencies and developers are frustrated with the process. It often takes businesses months of work and millions of dollars to get FedRAMP certified for just one agency. Even when companies do want to work across agencies, the quagmire of paperwork and processes required to do so stalls progress.
“When we all talk about the billions of dollars we’re saving, the people on the other side have to see the carrot,” Summerlin said. “If we keep making it this hard, every new and inventive company will tell us to kiss off.”
On the positive side, FedRAMP is cutting down on costs and infrastructure for many Federal agencies.
“I took this job a year and a half ago, pissed a lot of people off, shut down a data center, moved the ITA entirely to cloud, got rid of hundreds, probably a thousand servers, and cut our budget by 17 percent in two years. I could not have done that without FedRAMP,” said Paiva. He also noted that the problem seems to be with agencies’ focus on security through FedRAMP, which was not its original goal.
“I think we fundamentally need to stop making recommendations that look like we’re using FedRAMP to ensure commercial services are good enough for the government, and make it that we’re using FedRAMP to drive government to get over itself and use commercial services,” Paiva said.
Unfortunately for those at the meeting, it seems that change needs to come from those running the FedRAMP process, like OMB and GSA, which were not present at the panel.
In fact, GSA even asked the FCC to come up with a playbook on acquiring new FedRAMP-certified software-as-a-service offerings. The problem is that the FCC has little time to do GSA’s job.
“Those things should be in a playbook coming out of GSA,” Summerlin said.
Paiva agreed, adding, “I want OMB to write in a letter, signed by the OMB director, that if a vendor does this, departments will accept it, end of story. I think, unless OMB literally puts it in writing, it’s never going to happen.”
All three guests on the panel agreed that FedRAMP was a great and necessary idea, but poorly executed.
Paiva summed up the mood by saying, “I love FedRAMP. Yes, it needs to be fixed.”