Although the federal government stands to save millions of dollars by moving services and applications to the cloud, the transition to cloud computing has been rocky and agencies remain reliant on outdated legacy systems, according to a recent report.
Tony Scott, the Federal Chief Information Officer, says the federal government today spends 80 percent of its $80 billion IT budget to maintain outdated, legacy, duplicative systems. And until the process for acquiring cloud computing services, the Federal Risk and Authorization Management Program (FedRAMP), receives an overhaul, federal agencies will continue to miss out on the benefits of cloud computing.
Launched in 2011, FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP is mandatory for all federal agencies.
However, from the beginning, the FedRAMP process has suffered from a lack of transparency, as well as challenges related to time and cost.
In response, FedRAMP Fast Forward, a Federal IT industry advocacy group, on Monday published a six-step plan outlining ways to enhance FedRAMP transparency, efficiency, and effectiveness. The plan is based on seven months of discourse between the FedRAMP Fast Forward Industry Advocacy Group and Federal IT and policy executives at multiple agencies.
“For Uncle Sam to break with the expensive and dysfunctional legacy addiction, we need a FedRAMP Fix,” said Steve O’Keeffe, founder, MeriTalk. “Fix the program or it’ll fall under its own weight. We can’t afford to wait – it’s time for action on FedRAMP 2.0.”
In February 2014, MeriTalk, a public-private partnership focused on improving the outcomes of government IT, in collaboration with the General Services Administration (GSA), the federal agency responsible for delivering best-value acquisition to government agencies, announced plans for a new initiative, the FedRAMP OnRAMP—an online portal designed to accelerate government transition to cloud computing.
At that time, MeriTalk estimated the time and cost for industry to obtain a FedRAMP Authority to Operate (ATO) was approximately nine months and $250,000. This year, the 2015 Cloud Computing Caucus Annual Report put those figures much higher — two years and $4 million to $5 million. In fact, according to the report, one Cloud Service Provider (CSP) reportedly spent $40 million to obtain an ATO.
CSPs often have no knowledge of where they stand in the FedRAMP approval process and have no way to predict when they will receive their ATOs. Moreover, CSPs have expressed confusion over documentation and program requirements. The report notes,
“There is so much confusion in the government ranks that many agencies are simply not accepting ATOs granted by other agencies.”
The Fix FedRAMP plan calls for the following:
1. Normalize the certification process. CSPs can take several routes to an ATO, and not all are seen as equal, which fundamentally undermines the value proposition of the FedRAMP program
2. Increase transparency about the approval process, what it takes to gain approval, and the time and cost involved
3. Harmonize security standards, so that CSPs can meet some FedRAMP requirements through compliance with existing international and privacy standards
4. Reduce the cost of continuous monitoring for CSPs that have achieved an ATO
5. Enable CSPs to upgrade their cloud environments while remaining compliant with FedRAMP requirements
6. Help CSPs map their FedRAMP compliance to Department of Defense (DoD) security requirements, rather than forcing them to start over again to obtain the ability to provide cloud services to DoD
To support and accelerate the FedRAMP process, as well as the adoption of cloud computing across the government, industry and government collaboration is vital.
Fearing reprisal, CSPs are generally reluctant to share their “ATO horror stories.” In turn, industry often fails to share information regarding its solutions due to concerns about giving up competitive advantage or exposing a lack of success. Consequently, industry and government agencies need incentives to embrace transparency.
“We’re all heavily invested in the program’s future,” the report stated. “We all know the challenges and want to make the program successful. We need to reduce the burden and increase the value, or the program will collapse under its own weight. It’s time for industry and government to band together to help change the trajectory of FedRAMP and ensure it is heading toward success.”