A complaint has been filed with the General Services Administration’s inspector general alleging officials from the Federal Risk Authorization and Management Program, known as FedRAMP, issued veiled threats of retaliation against companies that publicly voiced concerns about problems with the cloud security certification process, MeriTalk has learned.
Steve O’Keeffe, the chairman of the FedRAMP Fast Forward Industry Advisory Group, said some companies have received calls in recent weeks from officials in the FedRAMP Program Management Office that contained veiled warnings that their Federal cloud business could suffer if they continued to take part in the industry-led effort to highlight problems with the FedRAMP program. O’Keeffe, who also serves as founder and publisher of MeriTalk, made the comments during a March 3 meeting of the Cloud Computing Caucus Advisory Group on Capitol Hill.
“Since we published the Fix FedRAMP paper, we’ve received calls from a series of CSPs who’ve noted that they’re afraid to provide criticism of the FedRAMP process for fear that the PMO will punish them for speaking up,” O’Keeffe said. “And, organizations that have participated in the program have received calls from the PMO questioning why they have engaged in the Fix FedRAMP initiative, and inferring that this participation will be bad for their FedRAMP business.”
The controversy stems from the Fix FedRAMP position paper, published Jan. 25 by the FedRAMP Fast Forward industry group. Developed over the course of 14 months and several not-for-attribution working group meetings, the paper takes a tough and honest look at the shortcomings of the FedRAMP cloud certification process and how the program has actually become a barrier to Federal agencies that are trying to move to the cloud.
“We met with the GSA PMO and gave them the opportunity to react to the draft Fix FedRAMP paper. They declined to do so, saying that providing feedback would add to the credibility of the report,” O’Keeffe said. “We actually set up this Cloud Caucus meeting as a platform for the PMO to roll out its FedRAMP 2.0 platform. But, after expressing strong interest in speaking here, GSA informed us that it was not allowed to participate. I’m still mystified by that one.”
“Reprisal is not to be tolerated,” Rep. Gerry Connolly, D-Va., co-chair of the House Cloud Computing Caucus, said during the meeting. He encouraged vendors to present any complaints or concerns to him or other members of the Caucus.
“We can be an advocate on your behalf,” Connolly said. “We can use both informal or formal ways of doing it.”
In anticipation of the Cloud Computing Caucus meeting, Rep. Ted Lieu, D-Calif., co-chair of the House Cloud Computing Caucus, contacted the GSA to ask a simple question: “Why is it (FedRAMP) so effed up?”
Lieu said he deemed a successful FedRAMP process as one in which CSP vendors: receive decisions about certification in a reasonable amount of time, have knowledge of how far an application has moved along in the process, and understand what’s coming next.
According to Lieu, GSA did not give concrete answers to the problems but said they wanted to make the process more transparent.
The highly interactive discussion between the lawmakers, industry representatives and government IT officials lasted three hours. The meeting became contentious at times, with some from both the government and industry alluding to the need for a FedRAMP leadership change.
Launched in 2011, FedRAMP’s stated goal was to streamline the certification process for CSPs looking to provide Federal agencies cloud computing services, and to be able to easily share those certifications throughout government. But even some Federal IT officials acknowledge that the program has become more of a roadblock than an on-ramp for Federal cloud migrations.
Tony Summerlin, one of the original chief architects of the FedRAMP program, said the program today does not resemble the program he helped design five years ago.
“When we started FedRAMP, it was to facilitate people going to the cloud as soon as possible,” said Summerlin, the chief data officer and senior strategic adviser to the Chief Information Officer at the FCC. “So I knew what it was supposed to be doing, and I know what it’s doing now, which has nothing to do with its original purpose.”