Is FedRAMP the Final Answer?

When the Obama administration launched the FedRAMP program in June 2012, the business case was clear: provide a cost-effective, risk-based approach for the adoption and use of cloud services.

At the time, the government was spending millions of dollars to vet the security of commercial cloud solutions, and those reviews varied by agency. Today, it’s estimated that every time an agency uses FedRAMP for cloud security assessment and authorization, it can save 50 percent on staffing, reduce the assessment time by 75 percent and avoid $200,000 in costs, according to a 2013 annual report released by the General Services Administration.

Federal officials and industry praise the program for providing a standard approach to cloud security for both agencies and cloud providers. FedRAMP’s target audience is the federal government, which some experts say is one of the program’s shortcomings. Adoption of FedRAMP standards at the state and local level has been a mixed bag.

So, will FedRAMP — when fully implemented — help the adoption of cloud?

The question was posed to IT leaders from the Defense Department and National Institute of Standards and Technology during a recent meeting hosted by the Cloud Computing Caucus Advisory Group. The nonprofit, nonpartisan group is composed of technology companies and industry groups focused on educating lawmakers and the public about cloud computing and other IT issues.

“Cloud is already happening, so adoption or not, it’s already there, and if you think you’re not using a cloud you may just not be aware,” said Matt Scholl, acting division chief of the Computer Security Division at NIST. “The real question that will decide, in my opinion, the life or death of a program like FedRAMP is, Is there a business case that can stand it up and sustain it long-term?”

In other words, can the third-party assessors that test the security implementation of cloud providers stay in business? Can the cloud service providers continue to pay for FedRAMP and recoup the money from their customers? Will customers tolerate the cost?

If only the U.S. government uses FedRAMP, “we potentially put ourselves at risk as a business model,” Scholl said. “The other thing that we probably should think about hard and strong is that the economic power that is the U.S. government is potentially not what it used to be.”

That’s especially true as more companies focus on the consumer, forcing agencies to adapt technology to meet their security needs.

There are other market drivers and standards work the government should consider as FedRAMP evolves, Scholl said. Similar work is occurring within international standards organizations and in other countries and commercial organizations such as the Cloud Security Alliance. “Let’s work the best we can to come to some kind of alignment in a body on which we can all agree.”

DoD’s new acting CIO Terry Halvorsen shares that opinion.

“I don’t know if FedRAMP is the answer in the end game,” Halvorsen said. “I think it’s a hell of a first start.

“We needed a change,” he continued, adding that DoD’s Information Assurance Certification and Accreditation Process “wasn’t going to get us where we needed to be.”

In March, then-CIO Teri Takai issued an instruction that DoD would instead adopt a risk management framework for IT, reported FierceGovernmentIT. FedRAMP also takes a risk management approach.

“I do think in the long run we’ve got to get a standardization that complies more than inside the government,” Halvorsen said.

Following the event, FedRAMP Director Maria Roat said her staff is evaluating what the program will entail in the future. She noted that her office has already taken steps to ensure the program’s sustainability, including privatizing the selection process for third-party assessors.

In light of the June 5 deadline for current cloud contractors to certify their products and services, GSA held a FedRAMP industry day.