Small IT vendors looking to break into the federal cloud business can wait years to get approved by every agency with whom they want to do business. But the Federal Risk and Authorization Management Program (FedRAMP) is supposed to ease the certification process from one agency to the next: Once a vendor gets the go-ahead to provide cloud services to one agency, FedRAMP is supposed to fast-track the approval process for other agencies.
That’s the idea. But that’s not always how the program actually works. The FedRAMP process, as intended, is supposed to only take about six months and cost companies about $250,000 to get approved. But companies are spending millions and waiting years, even if they’ve already gotten the go-ahead from other agencies.
House Oversight and Reform Subcommittee on Government Operations Chairman Gerry Connolly (D-Va.) said those hiccups in the FedRAMP process hurt both vendors and agencies. Companies can’t sell their products quickly, and agencies can’t modernize their IT as quickly as the technology advances.
“We cannot afford to repeat the siloed processes of past IT acquisition that has led to spending $90 billion annually, mostly on maintaining legacy IT systems. However, we cannot leverage the potential of cloud computing if the processes are slower than the speed at which the technology advances,” Connolly said at Wednesday’s hearing.
That’s why Connolly and Subcommittee Ranking Member Mark Meadows (R-N.C.) plan to introduce a bill to codify the FedRAMP process.
“I think there is almost universal recognition that having a statutory anchor — this is in law — provides predictability and allows regular oversight of the program, that I think is welcome, both by the executive branch and by industry,” Connolly told Federal News Network following the hearing.
The bill also would require agencies to presume that once a vendor has met the FedRAMP security criteria at one agency, they won’t have to go through the entire process all over again with another agency.
In the spirit of that reciprocity, Jack Wilmer, the Defense Department’s chief information security officer and deputy CIO for cybersecurity, said starting next month, DoD will issue general provisional authorizations to vendors that have a Provisional Authority to Operate (P-ATO) at the FedRAMP moderate impact level from the program’s Joint Authorization Board (JAB).
“This means that cloud service providers will not have to wait for a separate DoD authorization to have their services used for DoD public data,” Wilmer said. “This use case covers the vast majority of DoD provisional authorizations that we have issued to date.”
This comes at a time when agencies are spending a lot of time and money moving to the cloud. The Government Accountability Office in April found 16 agencies were spending 8% of their total IT budgets on cloud services. That’s supposed to increase to 11% by the end of this year. Some agencies, including the General Services Administration and the Social Security Administration, are on track to spend 40% of their IT budgets on moving to the cloud.
Anil Cheriyan, the director of GSA’s Technology Transformation Services, said FedRAMP has turned a corner. Last year, the program approved 40 vendors. When FedRAMP first got off the ground in 2012, it took three years to approve that many vendors. Cheriyan added that about 33% of FedRAMP-approved products come from small businesses.
“There’s still more opportunities to educate small businesses. A lot of small businesses are unaware of the process itself, the security requirements that we have, and a lot of time, frankly, is wasted when small businesses are really trying to figure that out,” Cheriyan said.
But Connolly said those numbers don’t reflect the full challenge small businesses face when they’re trying to get FedRAMP certified.
“Small business can’t afford to risk millions of dollars and the uncertainty of no guarantee when they’ll be certified. And that’s a huge problem for small and minority businesses — women, veteran-owned businesses — to enter the field. The big players can afford it. The small and medium-sized businesses, frankly, have to really look at it,” Connolly said.
“I think the most important thing that we can do is driving additional automation into the assessment process. There’s a lengthy set of controls that small businesses and all cloud providers have to be able to implement,” Wilmer said. “The more that we can enable in terms of automation of going through that set of controls should reduce the burden of actually going through the process and creating the artifacts that are then required for us to assess.”
Jose Arrieta, Department of Health and Human Services chief information officer, agreed automation could help, but only if small businesses are kept in the loop.
“As the automation is built, if it is built, there should be direct engagement with the small business community as to what you’re building. What will actually help them plan to take advantage of the automation that you’re building,” Arrieta said.
After the hearing, Connolly told Federal News Network that a provision in his upcoming bill would propose a FedRAMP advisory council aimed at easing some of the tensions between industry and agencies.
“We need to stay in sync so that industry concerns are being addressed and when problems arise, we can try and deal with them through that advisory mechanism, rather than something more formal,” Connolly said.