I heard an interesting theory recently as to why so few agency cloud authorizations granted under the Federal Risk and Authorization Management Program (FedRAMP) are being shared between agencies: It’s not that agencies are refusing to share—one of the fundamental promises of the program—it’s that cloud service providers are failing to capture new business.
That was the conclusion reached by FedRAMP Director Matt Goodrich, speaking recently at the QTS Information Security and Compliance Forum in Washington, D.C. According to Goodrich, some agencies may very well have refused to share a FedRAMP authority to operate (ATO) granted to a CSP, but that’s only a small part of the story behind one of the major shortcomings of the FedRAMP program.
“I hear a lot of that from industry–that ATOs are not being reused from one agency to another. Then when pressed, what I hear is ‘oh, I didn’t capture business from that ATO,’ ” Goodrich said. “When pressed, I may ask what agency is not accepting your ATO for a service that they are using—I never get an answer. I always get … ‘we didn’t actually capture that business.’ ”
I had the opportunity to press Goodrich on the issue. He said what appears to be a lack of reciprocity is actually a situation where CSPs assumed that once they received an ATO it would translate into business across all the other agencies.
“You have to give me names and you have to give me CSPs,” Goodrich said. “I don’t know how you expect me to help or expect the government to help you if you can’t give us names. I’m not saying it’s not true, but the second I start to push for facts behind it or push for names, or push to have a conversation to help, I’m never given the names and I’m never given the people. So that’s why I default to the thinking that it’s not actually the reuse of the ATO as much as it is a loss of business capture.”
“So, I have yet to actually see an agency say I’m not accepting another agency’s ATO,” he said.
Launched in 2011, FedRAMP was intended to standardize the government’s approach to conducting security assessments, authorizations, and continuous monitoring for cloud services. But government agencies and CSPs have voiced concerns in recent years about the efficiency of the program, as well as its perceived lack of effectiveness and transparency. A major study released in January by the FedRAMP Fast Forward Industry Advocacy Group called for changes in many of these areas, including the sharing of agency ATOs.
“The real promise of FedRAMP—embodied in the ‘certify once, use many times’ framework—has been jeopardized by what has become a costly and time-consuming process that lacks transparency and accountability,” the paper states. “Agencies often refuse to accept other agency ATOs.”