Page 15 - FCW, June 30, 2016

Commentary | DAVID WENNERGREN
DAVID WENNERGREN is executive vice president at the Professional Services Council.
FedRAMP Ready or FedRAMP Irrelevant?
Despite GSA’s efforts to accelerate the FedRAMP approval process, the lack of agency reciprocity puts the program’s central goals at risk
Recently, the General Services Administration asked for public comments on its proposed Federal Risk and Authorization Management Program Readiness Capabilities Assessment. In the Professional Services Council’s comments on the draft document, we applauded GSA’s FedRAMP Ready initiative to use private-sector third-party assessment organizations to help reduce the time required to obtain a provisional authorization or an authority to operate (ATO).
PSC also noted that the FedRAMP Program Management Office has taken a number of important steps to streamline the process. We said in closing, though, that there is a looming challenge beyond the PMO’s control that risks creating “FedRAMP Irrelevance” rather than “FedRAMP Ready.”
No matter how many improvements are made to the FedRAMP process, the laudable goal of ensuring that federal agencies have rapid access to secure commercial cloud solutions will not be achieved if agencies don’t maximize their reliance on reciprocity — that is, relying on another agency’s ATO or provisional authorization to quickly determine the viability of a cloud solution.
The Office of Management and Budget must demand reciprocity between agencies and enforce the requirement for an agency to rely on a previously obtained authorization.
Last year, the Defense Information Systems Agency issued a press release identifying 23 commercial cloud offerings that had been granted provisional authorizations. However, defense organizations that wanted to use those proven offerings were still required to conduct an ATO assessment despite the fact that the solutions would not handle sensitive information and had already been granted a FedRAMP provisional authorization or ATO by another agency.
In January, the Defense Department published its Defense Acquisition of Services instruction (DODI 5000.74), which requires all commercial cloud services to obtain both a provisional authorization from DISA and an ATO from the DOD organization implementing the solution — regardless of whether other authorizations have already been obtained.
It takes a long time to get through the authorization process, and delays are needlessly exacerbated when the process has to be repeated by multiple agencies for an already proven solution.
Cybersecurity is a huge threat and risk aversion is understandable, but the lack of trust that still exists between agencies — particularly at a time when great progress has been made in encouraging agencies to adopt a common set of security controls — is severely hampering the government’s access to new technologies.
Several years ago, Stephen M.R. Covey wrote a groundbreaking book on the subject titled “The Speed of Trust.” He describes how operating in a low-trust environment causes significant and quantifiable impacts on the time required and the cost of implementing any project.
IT modernization and cybersecurity are the two most pressing IT challenges facing government today, and rapid adoption of cloud solutions is one way to take significant strides toward both goals. Security certifications should give us the confidence to move forward with an IT project. When the authorization process precludes the adoption of commercial best practices, we thwart our good intentions by extending the time period during which agencies will continue to rely on outdated and insecure computing infrastructure.
And agencies will only achieve their risk management goals if they can measure the outcomes that matter and begin to trust the work of another agency’s cybersecurity professionals.
It might be a good time for federal leaders to put “The Speed of Trust” on their summer reading list.