Jumping to FedRAMP conclusions


Let’s set the record straight on what exactly Stan Kaczmarczyk said on June 2 about the cloud cybersecurity effort known as the Federal Risk and Authorization Management Program (FedRAMP). Several blogs and articles either misunderstood or misconstrued his comments, and that has sent some in the federal community off in the wrong direction.

Speaking at the 1105 Government Information Group’s IT and Acquisition conference in Washington, Kaczmarczyk, the General Services Administration’s director of the Cloud Computing Services Program Management Office, once again tried to correct the long-held belief that agencies should restrict competition for cloud services to vendors that are already FedRAMP approved.

“The traditional way is anybody who is qualified can bid, and if you win the work, you have to have the authority to operate (ATO) or FedRAMP in place before you go operational,” he said. “What we are telling agencies is it’s preferable to use FedRAMP authorization as an evaluation criterion. Somebody who already has FedRAMP authorization, you will get up and running and operational a lot sooner than somebody who is not even in the queue for authorization or has to do their own agency ATO for you. That can be an evaluation criterion, but you cannot screen out the non-FedRAMP companies right from the start.”

The industry executive who asked the question responded to Kaczmarczyk’s answer by saying GSA needs to better educate and inform agency contracting officials about this concept, because they are still unclear about how to apply FedRAMP requirements in cloud contracts.

But let’s be clear about Kaczmarczyk’s comment. He didn’t say the government is reversing course on FedRAMP, as some in industry have wondered.

He didn’t say FedRAMP isn’t required as others have said.

Kaczmarczyk said what the Office of Management and Budget has been saying since December 2011 when former CIO Steve VanRoekel signed the FedRAMP memo.

In that memo, VanRoekel wrote agencies must “ensure applicable contracts appropriately require CSPs to comply with FedRAMP security authorization requirements.”

There was nothing in the memo and nothing GSA said publicly that would require FedRAMP authorization before bidding.

Oh, and by the way, what Kaczmarczyk said is the same idea that has long applied to the certification and accreditation (C&A) of systems. When a vendor builds an application for an agency, that software may not meet the controls required under the Federal Information Security Management Act (FISMA) out of the box, but it has to be compliant before the agency moves into initial operating capability.

Why should FedRAMP be any different?

GSA has been fighting this perception for the better part of a year. In December, GSA officials said the Office of Federal Procurement Policy was considering a new policy to clarify contracting language and help agencies understand how FedRAMP requirements fit into cloud service contracts.

But it’s unclear whether that policy has stalled or is still under development.

So let’s all take a deep breath and apply some rational thought to this process: agencies are mandated to use FedRAMP, and vendors are spending big bucks to get approved, so why would GSA change course for no apparent reason?

I know, I know, stranger things have happened. But let’s not jump to conclusions either.

This post is part of Jason Miller’s Inside the Reporter’s Notebook feature.

Copyright © 2024 Federal News Network. All rights reserved.