FedRAMP Under the Mistletoe?
What does everybody in Federal IT want for the holidays this year? Answers to five FedRAMP questions:
- What’s the path forward to get agencies to buy into FedRAMP?
- Do cloud providers need a final stamp of approval before agencies buy their cloud services?
- Is being in the pipeline sufficient for agencies to buy CSP services – doesn’t that show the CSPs are firmly committed to the process?
- How do we accelerate the FedRAMP Authority to Operate (ATO) process?
- Are there any rules in the FedRAMP process and/or Federal cloud procurement
Coal in OMB’s Stocking
The Council of the Inspectors General on Integrity and Efficiency (CIGIE) IT Committee’s September report on Federal Cloud Computing considers many of these questions. Some interesting stats: IGs looked at a sample of 77 Federal commercial cloud contracts valued at $1.6 billion. They found that most cloud contracts – three out of four – don’t follow the Federal government’s cloud computing guidelines.
Three quarters of agencies don’t even require CSPs to be FedRAMP compliant. CIGIE dug in on 19 agencies’ cloud programs – and found nine did not have a good inventory of their cloud systems. Extrapolate those percentages across all 438 Federal cloud contracts – some $12 billion worth – and it doesn’t take a red-nosed reindeer to see there’s a problem.
CIGIE lays the blame at OMB’s feet. The report notes OMB set up FedRAMP via policy memorandum, established the JAB and PMO office, and imposed the June 5, 2014, FedRAMP compliance deadline. But, OMB failed to establish an enforcement mechanism to police deadlines and hold agencies that fail to comply accountable for their actions.
CIGIE offers four recommendations. It firmly recommends that OMB determine how to best enforce FedRAMP compliance for CSPs and establish a reporting system to ensure agencies require FedRAMP compliance.
What’s Under the Tree?
Rumor has it GSA is readying a two-year FedRAMP roadmap. Could it be under the tree in time? Will it clarify the policy? Will OMB take the leadership opportunity it provides?
Naughty or Nice?
MeriTalk and the Cloud Computing Caucus Advisory Group are being peppered with calls and emails from unhappy CSPs who thought they’d been nice by getting into the FedRAMP pipeline, but now are being told they’ve been naughty. Some agencies won’t buy services from CSPs unless they’re all the way through the FedRAMP process; others are buying, as long as CSPs are in a FedRAMP pipeline with GSA or another agency; still others are looking at where CSPs are on the FedRAMP OnRAMP – documentation, testing, authorization, and the end zone (continuous monitoring). Based on the CIGIE report, a whole pile more agencies are just sidestepping FedRAMP altogether. The Hill is asking questions.
More Elves Please
Matt and Claudio in the FedRAMP PMO at GSA are working long hours in the FedRAMP toy workshop. We launched the FedRAMP OnRAMP with GSA in March of this year. We took a look back at pipeline progress and who’s gained an ATO in the past nine months. Here’s the before and after.
In March there were 10 ATO’d CSPs, with a total of 11 certified solutions – Microsoft had two. Eleven more were in process for ATOs. Nine months later, only three more CSPs are ATO’d, and only 15 solutions are certified – Microsoft and Oracle have two each. Three CSPs haven’t progressed at all – Layered Tech, VirtuStream, and MaaS360 – while Carpathia has set the pace as the fastest-moving CSP in the pipeline. Another 17 CSPs are in the ATO process.
FedRAMP is critical to government adopting cloud. GSA needs reinforcements in the workshop – more elves, please.
The Nutcracker
Curious to know how DoD is doing on cloud? Register for the Cloud Computing Caucus Advisory Group “Defense Goes on Offense” program taking place this February 12 on the Hill. Seems DoD is marching to the cloud in double time.
New Year’s Resolution
As goes FedRAMP, so goes mainstream government cloud adoption. GSA’s working hard to lead the way. Here’s hoping OMB makes cloud part of its New Year’s resolution – or we can kiss mainstream cloud adoption goodbye (yes, that can be under the mistletoe…). What’s on your cloud holiday list?