By A.R. "Trey" Hodgkins
Is the Government Reversing Course on FedRAMP?

Last week was disconcerting for those who provide cloud-computing services to the federal government, as it appeared that the federal government is reversing course on all the work to date on the Federal Risk and Authorization Management Program (FedRAMP). While this change is very concerning and confusing to ITAPS member companies, we are optimistic that the government will straighten this out as soon as possible.

First, a quick history lesson: In 2001, the Office of Management and Budget (OMB) established the “Cloud First” policy, which created requirements for agencies around the consideration of cloud computing services when making information technology investments. Later that year, OMB created a baseline set of technical and security requirements for eligibility to offer cloud computing services as a vendor, a process to validate compliance with those requirements, and a deadline for agencies to begin demanding compliance with those requirements. The General Services Administration (GSA) responded by establishing a government-wide program to administer this activity. OMB added heft to these requirements by recruiting the Department of Defense and the Department of Homeland Security to manage the program alongside GSA, enlisting the National Institute of Standards and Technology at the Department of Commerce to help develop the technical and security standards, and lining up the Federal Chief Information Officer Council to manage cross-agency coordination. The hard work of the vendor community and these agencies paid off when these requirements became effective in June 2014.

This week, one statement disrupted these efforts. Despite the OMB directive requiring that only FedRAMP-compliant vendors are eligible for competition, and despite the investment of tens of millions of dollars by taxpayers and cloud service providers to create a program to meet those requirements, an official at GSA stated that FedRAMP should be an evaluation criterion, but that it should not screen out eligible vendors from the start. His explanation for this apparent change of direction was that using FedRAMP as an eligibility requirement could limit competition if vendors had not achieved FedRAMP compliance, referred to as an Authority to Operate (ATO), in time to bid; instead, the agency simply needed to require that vendors obtain an ATO before the contract becomes operational.

Unfortunately, the GSA official’s statement upends the clear security imperatives the government had established for vendors and potentially negates the very significant investment of time and money both the government and industry have put into this requirement. Security was a primary consideration when the program was created, but this seems to make it a secondary concern. Additionally, the agency responsible for administering the requirements is the same one that made the contradictory statements, which makes the situation more difficult to address.

The following day, details of a new draft of revisions to the OMB circular A-130 titled, “Management of Federal Information Resources” leaked out and posed an additional challenge to the FedRAMP program. The revisions seem to establish independent approval authority over the FedRAMP ATO process by agency privacy officers. The draft also offers an option to create two separate processes.

Overall, these events have raised significant concerns. Industry has been working as a stakeholder in this process to contribute to its success and dozens of companies have achieved an ATO, with more in the pipeline and who knows how many more getting ready to start the process. All of these companies have each spent millions of dollars to enter and complete this process simply to bid on a solicitation, but now there may be a separate – and possibly overlapping – process.

Industry wants one authority to determine who has established and maintained compliance with a set of security and technical standards and requirements. It would be acceptable to add privacy requirements and another seat at the table, but we do not need another approval authority when we already have government-wide investment in the existing authority.

Industry also stresses that the eligibility requirements, which were established in 2001 and have been frequently repeated by OMB, DoD, DHS and GSA, be sustained. If not, we will have negated the millions of dollars taxpayers and industry invested to establish security as a precursor for cloud computing investments in the public sector space.

All of the companies that have achieved or are in the process of achieving an ATO fully support both security and privacy as technical starting points for the goods or services they offer. Neither security nor privacy should be an afterthought when it comes to any information system, much less those operated by the government. It is important that OMB straighten these issues out before we erode both essential aspects of cloud offerings in the federal marketplace.

About ITAPS. ITAPS, a division of the Information Technology Industry Council (ITI), is an alliance of leading technology companies offering the latest innovations and solutions to public sector markets. With a focus on the federal, state, and local levels of government, as well as on educational institutions, ITAPS advocates for improved procurement policies and practices, while identifying business development opportunities and sharing market intelligence with our industry participants. Visit itaps.itic.org to learn more. Follow us on Twitter @ITAlliancePS.
