
Industry group says FedRAMP certification process is 'broken'

An advocacy group representing cloud providers such as Hewlett Packard Enterprise and IBM has criticized FedRAMP and called on the government to fix the cloud certification program.

An advocacy group representing some of the biggest technology companies in the industry this week called upon the U.S. government to fix the Federal Risk and Authorization Program for cloud services before it's too late.

The Federal Risk and Authorization Program (FedRAMP) was introduced in 2012 to provide a standardized process for assessing and authorizing cloud service providers used by federal government agencies. However, four years later, the advocacy group FedRAMP Fast Forward has called the FedRAMP certification process "fundamentally broken" and published a plan to fix various issues the group claims are plaguing the program.

FedRAMP Fast Forward was launched last spring by MeriTalk, a government IT advocacy group based in Alexandria, Va., and its affiliates include such technology giants as IBM and Hewlett Packard Enterprise. In the "Fix FedRAMP" report published this week, the group claimed that the FedRAMP certification process was projected to cost $250,000 and require nine months for cloud providers to achieve "Authority to Operate" (ATO) status. But the report cites data from the Cloud Computing Caucus Advisory Group, a bipartisan non-profit group that includes 11 members of Congress, claiming that the FedRAMP certification process actually requires two years and between $4 and $5 million to complete.

In addition to the higher costs and longer-than-expected process times, the report also criticized FedRAMP's lack of transparency, claiming that cloud providers are often left in the dark about their approval status and what they need to do to achieve FedRAMP certification.

"Fix the program or it'll fall under its own weight," said MeriTalk founder Steve O'Keeffe in a press statement. "We can't afford to wait -- it's time for action on FedRAMP 2.0."

The Fix FedRAMP report highlighted six areas of need for the government certification program. The number one priority, according to the report, was normalizing the FedRAMP certification process so that the different types of ATO statuses and their value propositions are clearly defined. FedRAMP Fast Forward claims that currently not all ATO types are viewed as equal by cloud providers, which has created a bottleneck around one specific ATO (the Joint Authorization Board, or "JAB," ATO) that prolongs the certification process.

In addition, the Fix FedRAMP plan claims that the FedRAMP certification program does not currently recognize cloud providers' compliance with the security requirements of other government and industry standards such as HIPAA and ISO 27001. The report called for FedRAMP to work with NIST to map and harmonize these standards so cloud providers can meet FedRAMP requirements through their existing compliance with other standards.

The report also called for increased transparency in the FedRAMP certification approval process; reductions in the costs of the government's "continuous monitoring" requirement for cloud providers; enabling cloud providers to upgrade their services without losing their FedRAMP compliance; and mapping FedRAMP compliance with Department of Defense security requirements to give cloud providers a clear view of the commonalities and overlaps.

The Fix FedRAMP report will be discussed during a Cloud Computing Caucus Advisory Group meeting with lawmakers on March 3 in Washington, D.C.
