FedRAMP still a steep climb, 12 years in

A cloud computing security program established in 2011, continues to present difficulties to government and industry: FedRAMP, the Federal Risk and Authorization Management Program, is a way of establishing that cloud computing service companies are secure. But more than 12 years in, the program still has cost uncertainty. And agencies don’t always use FedRAMP approved vendors, according to the Government Accountability Office. For more, the Federal Drive with Tom Temin talked with Dave Hinchman, GAO’s Director of Information Technology and Cybersecurity Issues.

GAO Report

Interview Transcript: 

Tom Temin And FedRAMP rolls on and on, and I guess more vendors are getting certified under FedRAMP. It’s a complicated process for them. So for the government, you found issues with them sponsoring vendors to become certified, actually using certified vendors. And on the vendor side, you found uncertainty and uncertain costs of getting certified. So what’s going on here?

Dave Hinchman So I think that you’ve really zeroed in on the key aspects of what we found in our study. We were asked to do three things. Sort of do a survey of who’s using FedRAMP, for what reason? How much does FedRAMP cost in the agency? Conversely, how much is the cost to one of the cloud providers? But then also, what are the challenges that both the agencies and the providers are facing and what are [the Office of Management and Budget (OMB)] and [the General Services Administration (GSA)] doing to look at that? And I think you zeroed in that you’re right. The process takes a long time. There’s a lot of uncertainty. People aren’t always sure about what they’re supposed to do. And that’s on both the federal and the private sector side for the service providers. And I think there are some signs that some of that’s going to start to clear up over the next couple of years. But right now, it certainly is an ongoing issue.

Tom Temin And it sounds like there may not be enough of the industry that’s FedRAMP certified, because you found that several agencies, at least the CFO, large department agencies, use for cloud services companies that don’t have FedRAMP certification.

Dave Hinchman Yeah. And it’s hard to tell what the root cause of that problem is. Certainly, there was an issue with OMB not monitoring the use of authorized cloud providers. They admit that’s been a problem. They have put into place a process to more closely monitor that. The process was just coming online as we were going to print. So we don’t have any good visibility into what that looks like. So that should make a difference. But I think that there’s also, just because it can cost a lot of money, people get into FedRAMP, they think, hey, this is great for business. This is the private sector side. And then they discover this onerous federal bureaucracy, and they realize it’s maybe not all it’s cracked up to be, that it can actually be a long, expensive process to become a certified provider.

Tom Temin And discuss the issue or the process of an agency sponsoring a company. They don’t pay for their FedRAMP certification. But how does that all work?

Dave Hinchman Yeah, there are two different avenues that an agency and a provider can take. One is a more centralized process called the Joint Authorization Board, which was established when the program was created and was codified with the FedRAMP Authorization Act that was just recently passed. And then there’s the agency authorization path, which is where the agency takes on this process on its own. And real quick, the Joint Authorization Board is a centralized function. People appointed by OMB, and service providers offer themselves up as, we would like to become authorized. They go through security assessments. They get this centralized process. Once you’re approved, then you’re an authorized provider, and agencies can contract with you. For the agency authorization path, this is, maybe, an agency has a long-standing relationship with the cloud provider, so they want to maintain that. And so the provider goes through this one-on-one process with the agency itself. They get assessed by an outside third party, and then ultimately they’re authorized. And both can take a long time. We’ve heard reports of stakeholders in the process not being responsive. And this is at the FedRAMP level, which creates uncertainty. Plus the cost issue, where no one’s ever really sure what this is going to cost.

Tom Temin That’s an issue for industry, going through the assessment. What are the costs? What are the cost components for industry, since it’s a government-appointed group of people that are doing the assessment? Yeah.

Dave Hinchman Well, Tom, I can’t tell you that. And that was one of the things we found, when we went and talked to agencies: “Hey, what does a federal authorization cost?” We couldn’t get a solid answer. And there’s no good data available. In fact, most of the numbers we did get were actually after-the-fact cost estimates, or an agency had to go back and try to tease out the numbers. And that’s because OMB hasn’t required agencies to track the discrete costs involved in getting the FedRAMP authorization. We got some estimates that range from tens of thousands of dollars to millions of dollars. And I think that cost uncertainty, and you mentioned this at the top of our conversation, is probably going to scare people away, because if you don’t know how much something is going to cost, you’re going to be really hesitant about jumping in and trying to get part of that. And so I think that was one of our key recommendations, is that OMB require agencies to discretely track the cost of these authorizations so that they can standardize that. And more importantly, OMB can really determine whether this is creating more cost-effective cloud services, which is one of the FedRAMP goals from the very beginning.

Tom Temin We’re speaking with Dave Hinchman. He’s director of information technology and cybersecurity issues at the GAO. And what about the issue of agencies trusting the certification that someone has, that they got through another agency sponsor, that it’s good enough for their own agency? That was the basic premise of FedRAMP to begin with.

Dave Hinchman Yeah. And that’s not working as well as I think people would like it to. And I don’t know that we were really able to get to the root of what that is. I think when you look at, in our report, we discussed the six challenges that people reported to us. And I think if you look at sort of the things that run through those challenges, it has a lot to do with not great communication within the program and people just not really understanding what they’re getting into. And so you’ve got this, as you mentioned, maybe one company that has the centralized certification. So anyone can sign up with that. But why aren’t they doing that? Well, there are things like agencies say they don’t have sufficient resources to do this. They don’t get timely responses from the FedRAMP program, which I mentioned. Sometimes they find service providers that aren’t fully prepared to provide the cloud service that they’re supposedly ready to do. And as well as internally, things like finding an agency sponsor, as well as sort of more obscure things like meeting FedRAMP technical and process requirements, which has required agencies and cloud providers to totally change their security infrastructure to be compliant.

Tom Temin Right. Agencies have never had much trouble finding unique requirements of their own, that therefore we can’t use this other certification that agency B has established.

Dave Hinchman Correct. Yeah, that’s exactly right. And so I think that really creates an environment where there’s a need for more standardization. And OMB has mentioned this in the guidance that they issued for public comment this past fall. Comments closed at the end of December. The guidance will be coming out soon. They’re talking about up-leveling some of those requirements so that you don’t get as caught up in the minutiae of agency A has this requirement, agency B has this requirement. I think I’m cautiously hopeful that taking that sort of higher-level view is going to help more people get in. And these companies that already have existing authorizations.

Tom Temin And the cloud service providers reported, and I’m reading from your summary, they faced issues including lack of consistency when engaging with third-party assessment organizations, outsiders. It strikes me this is like a big lesson learned for the Defense Department’s CMMC program, which is entirely reliant upon third-party assessment organizations across a much wider swath of industry than the FedRAMP program. So it strikes me this is something DoD ought to pay attention to.

Dave Hinchman Yeah, and I think you’re right. I think it’s a hard challenge. If you look at, in our report, we have a table where we talk about different efforts that OMB and GSA are taking to address these six challenges we identified. That problem with the third-party assessment organizations is the one thing where there’s nothing currently underway to address that. And so I’m not sure people really know how to get at that issue. And so I think you’re right, linking that to the CMMC, or excuse me, CMMC is really important because that’s what they’re going to be relying on as well.

Tom Temin And is your sense FedRAMP officials at GSA, I mean, they’re earnest. They’ve been at this for a dozen years now, generally agreed with what you found out. And they’re trying to get around these problems.

Dave Hinchman I think I mentioned the monitoring program that’s coming online, to look at monitoring with compliance. They’ve talked that they are going, once they identify cloud instances that are not part of FedRAMP, they’re going to start moving that and getting them authorized, as well as the changes in the guidance that are coming out, or the new guidance that’s coming out from OMB. I think that’s a positive change. There’s also bringing on additional staff, which we identified as a critical issue, as well as the need for automating some of the security processes. They’re working on bringing that online as well.

Tom Temin And maybe people in the government and people in the industry may not realize that when you talk about the piece of industry that needs to be FedRAMP authorized, it’s not just the prime commercial cloud providers. $1 million to get certified, or a couple of million for Amazon, that’s like 10 seconds’ worth of revenue. But for many there’s a huge ecosystem of small cyber suppliers and other types of suppliers, integrators that provide cloud services to get you to those big primes. For them, it can be cumbersome and expensive.

Dave Hinchman Yeah, absolutely. I think that’s a really good point. It’s not just the big names we hear about in the news. It’s the smaller, veteran-owned, minority-owned businesses, small businesses that litter the federal landscape. In fiscal year 22, the federal government obligated $7 billion for cloud services. If you look at the numbers we tracked, authorizations went from 926 cloud authorizations in 2019 to almost 1500 in 2023. So the government is moving into the cloud. And that’s not all with these big names we talked about. And so I think it’s really incumbent on OMB and GSA to move FedRAMP to a place where it’s standardized, where someone who wants to get into it can truly understand what they’re getting into, and that’s looking at the cost, knowing the process they’re going to have to do, and making sure that whole process moves as quickly and efficiently as possible.

Copyright © 2024 Federal News Network. All rights reserved.