Is the government reversing course on FedRAMP?
Last week was disconcerting for those who provide cloud computing services to the federal government, as it now appears that the federal government is reversing course on all the work to date on the Federal Risk and Authorization Management Program, known as FedRAMP.
Despite an Office of Management and Budget directive that requires agencies to use FedRAMP-compliant vendors for their cloud computing needs, and the investment of tens of millions of dollars by taxpayers and cloud service providers to create a program to meet those requirements, an official at GSA stated that while FedRAMP should be an evaluation criterion, it should not be used to screen eligible vendors from the start. His explanation for this seeming change of direction was that using FedRAMP as an eligibility requirement could limit competition if vendors had not already achieved FedRAMP compliance — referred to as an authority to operate, or ATO — in time to bid. Instead, the official said agencies should simply require that the vendors obtain an ATO before the contract is operational.
Unfortunately, the GSA official’s statement upends the clear security imperatives the government had established for vendors and potentially negates the significant investment of time and money that the government and industry have put into this requirement. Security was a primary consideration when the FedRAMP program was created, but now it seems to have become a secondary concern. Additionally, the agency that is responsible for administering the requirements for FedRAMP is the same one that made these contradictory statements, which makes the situation more difficult to address.
Additional concerns stem from a new draft of revisions to the OMB circular A-130 titled, “Management of Federal Information Resources.” The proposed revisions seem to establish independent approval authority over the FedRAMP ATO process by agency privacy officers. The draft also offers an option to create two separate processes.
Editor’s Note: FedScoop first reported the news of the proposed changes to OMB circular A-130.
Overall, these events have raised significant concerns. Industry has been working as a stakeholder in this process to contribute to its success, and dozens of companies have achieved an ATO, with more in the pipeline and an unknown number more preparing to start the process. Each of these companies has spent millions of dollars to enter and complete this process simply to bid on a solicitation. But now there may be a separate — and possibly overlapping — process.
Industry wants one authority to determine which providers have established and maintained compliance with FedRAMP’s set of security and technical standards and requirements. It would be acceptable to add privacy requirements and another seat at the table, but we do not need another approval authority when we already have governmentwide investment in the existing authority.
It is also important that the eligibility requirements established in 2001 and promoted by OMB, the Defense and Homeland Security departments, and the General Services Administration, be sustained. If not, we will have negated the millions of dollars taxpayers and industry invested to establish security as a precursor for cloud computing investments in the public sector space.
All of the companies that have achieved or are in the process of achieving an ATO fully support security and privacy as technical starting points for the goods or services they offer. Neither security nor privacy should be an afterthought when it comes to any information system, much less those operated by the government. It is important that OMB straighten these issues out before we erode both essential aspects of cloud offerings in the federal marketplace.
Trey Hodgkins is the senior vice president, public sector at the Information Technology Alliance for Public Sector, or ITAPS, a division of the Information Technology Industry Council.