Four out of five federal cloud decision makers are frustrated with FedRAMP, according to a new report from government IT public-private partnership MeriTalk. Federal IT professionals said they are frustrated with a lack of transparency into the process.
MeriTalk surveyed 150 federal IT decision makers in April for the FedRAMP Fault Lines report, and found that 65 percent of respondents at defense agencies, and 55 percent overall, do not believe that FedRAMP has increased security. Perhaps even worse, 41 percent are unfamiliar with the General Services Administration’s (GSA) plans to fix FedRAMP. The GSA announced FedRAMP Accelerated in March.
“Despite efforts to improve, FedRAMP remains cracked at the foundation,” said MeriTalk founder Steve O’Keeffe. “We need a FedRAMP fix – the PMO must improve guidance, simplify the process, and increase transparency.”
The Authority to Operate (ATO) system, in which an agency completes a security assessment of a system and authorizes its use, is supposed to allow services to be authorized once and used often. However, MeriTalk found that 41 percent of Feds have not used another agency’s ATO, and 35 percent of those with an ATO have not allowed others to use it.
As a result, 17 percent said FedRAMP compliance is not a factor in their cloud decisions, and 59 percent would consider a non-FedRAMP cloud.
Top suggestions for improvement are accelerating the Cloud Service Provider certification process to increase the number of secure cloud options (49 percent), and creating an ATO clearinghouse which forces sharing (47 percent). Additionally, 37 percent at civilian agencies, and 27 percent overall, suggested a leadership change at the Program Management Office of the GSA.
The report recommends improved guidance and expanded training to reduce confusion, adopting the ATO clearinghouse idea to promote sharing and reduce duplication of efforts, and increased transparency.
Industry advocacy group FedRAMP Fast Forward called for improvement to the program in January.