FedRAMP Is Too Complicated, Not Secure Enough: Survey


The FedRAMP standard for federal agency use of cloud services has too many complications in its operations and lacks the assurance of security, according to the results of a MeriTalk survey.

The Federal Risk and Authorization Management Program (FedRAMP), meant to ensure secure federal government cloud use, isn't adding the security it was intended to provide. Its complicated procedures are sometimes keeping it from living up to expectations, according to a MeriTalk survey.

MeriTalk, a public/private partnership that publishes IT best practices for the federal government, released the results of its FedRAMP survey earlier this week. The survey, conducted online in April 2016, received responses from 150 federal IT leaders responsible for cloud decisions in their organizations. The majority of respondents (79%) said they were frustrated with the system, while 59% said they would consider implementing a cloud service for their agency that was not FedRAMP compliant.

FedRAMP was designed as a blueprint for assessing and confirming security levels among the suppliers of cloud computing to the Department of Defense, intelligence agencies, and federal offices that service civilians.

MeriTalk published a report on the survey, "FedRAMP Fault Lines," on May 23, and made a summary available to the press under the headline: "Four out of Five Federal Cloud Decision Makers Report Deep Frustrations With the FedRAMP Process."

The General Services Administration (GSA) launched FedRAMP in June 2012 in an attempt to standardize the way federal agencies assess the security of a cloud provider they wished to use.

Since June 2012, FedRAMP has been pressed into service by the Department of Defense, NASA, the Office of Management and Budget, and other federal users of cloud services. Use of FedRAMP is mandatory for federal agency cloud deployments and service models at the low- and moderate-risk impact levels.

Yet FedRAMP's own processes and procedures are sometimes hard to understand; they are currently under revision by the FedRAMP Program Management Office within the GSA.

Meanwhile, CenturyLink, Virtustream, Amazon Web Services, and other major cloud suppliers have obtained FedRAMP certifications, indicating their security practices are up to snuff, according to FedRAMP.

At one point, the ability of a relatively unknown cloud services startup to obtain FedRAMP certification was an indicator that it might be acquired. Several certified startups, such as Autonomic Resources, acquired by CSC in February 2015, were bought after attaining certification.

Another example is Virtustream, which was certified in July 2014 and acquired by EMC in May 2015 for $1.2 billion.

Yet, 17% of respondents in the MeriTalk survey reported that FedRAMP does not factor into their cloud decisions.

Some 60% of respondents to the MeriTalk survey work in government agencies that serve civilians, while the remaining 40% work in military or intelligence agencies. Fifty-five percent of respondents working for civilian federal agencies reported that they did not believe FedRAMP had increased the security of their cloud use, while 65% of those working in military/intelligence agencies said the same.

FedRAMP is given credit for reducing the constant duplication of effort that marked previous attempts by federal agencies to establish basic security with cloud providers. Built into the FedRAMP system is a process by which agencies can grant an authority to operate (ATO) to an outside service provider after it has met the requirements of the FedRAMP template for security. An ATO is then supposed to be shared with other agencies, so long as they apply to the issuing agency for permission to use it.

But with new technologies constantly becoming available, along with new service providers, it's hard for FedRAMP's approach to keep up.

The process of certifying new services is slow, according to respondents. Nor is FedRAMP's grant of authority to operate (ATO) working the way it was intended.


The survey found that 41% of respondents have never used another agency's ATO, and that 35% of respondents who had obtained an ATO said their agency has not allowed others to use it. Also, 26% of respondents said their agency had been denied permission when seeking to use another agency's ATO.

No one is sure how much to conclude from such figures, because FedRAMP is plagued with a lack of visibility into its own internal operating procedures. In fact, 41% of respondents to the MeriTalk survey said they are not familiar with the GSA's plans to accelerate FedRAMP.

"FedRAMP remains cracked at the foundation," said Steve O'Keefe, founder of MeriTalk, in a prepared statement. "We need a FedRAMP fix."

O'Keefe called for that fix to include improved guidance from the Program Management Office regarding how to use FedRAMP, a simplification of its processes, and increased transparency.
