Less than three months after a wave of negative feedback from industry forced the General Services Administration to revamp the Federal Risk and Authorization Management Program, a new MeriTalk survey shows for the first time that many government IT officials doubt the value of the program in its current form.

According to the survey of 150 Federal IT decision-makers, four out of five officials (79 percent) are frustrated with FedRAMP, characterizing the process as “a compliance exercise.” In fact, some officials ignore the program entirely even though it is mandatory for Federal agency cloud deployments and service models at the low and moderate risk impact levels. Nearly one in five officials surveyed (17 percent) report FedRAMP compliance does not factor into their cloud decisions, while 59 percent would consider a non-FedRAMP-compliant cloud.

The report also found that government IT decision-makers share industry’s frustration with the lack of transparency into the FedRAMP process and are unsatisfied with its efforts to increase security. More than half of Federal officials (55 percent), including 65 percent of those at defense agencies, do not believe FedRAMP has increased security.

FedRAMP Director Matt Goodrich has blamed lack of ATO sharing on industry’s failure to capture business. But a new MeriTalk survey shows agencies are not sharing.

Industry has been highly critical of the lack of sharing between agencies of their cloud service provider authorizations, known as authorities to operate (ATOs). Earlier this month, FedRAMP Director Matt Goodrich took issue with this criticism, arguing that the perceived lack of ATO sharing actually reflects the inability of CSPs to capture new business.

But the latest survey tells a different story. Forty-one percent of Federal IT officials report not using another agency’s FedRAMP ATO. Thirty-five percent of those agencies with an ATO said they have not allowed others to use it. And 26 percent have been denied another agency’s ATO.

Launched in 2011, the goal of FedRAMP was to standardize the government’s approach to conducting security assessments, authorizations, and continuous monitoring for cloud services. But government agencies and CSPs have voiced concerns in recent years about the efficiency of the program, as well as the perceived lack of effectiveness and transparency. A major study released in January by the FedRAMP Fast Forward Industry Advocacy Group called for changes in many of these areas, including the sharing of agency ATOs.

In response to that avalanche of criticism, GSA launched a major restructuring of FedRAMP in March. Known as FedRAMP Accelerated, the effort is designed to streamline the process for CSPs and enable them to achieve a provisional ATO within three to six months.

Despite those changes, 41 percent of government officials remain unfamiliar with GSA’s plans.

When it comes to improving FedRAMP, 47 percent recommend establishing an ATO clearinghouse where agencies have access to, and are required to accept, all ATOs. Some (27 percent) also recommend changing leadership at the GSA Program Management Office (PMO); civilian agencies are more likely to suggest this change, with 37 percent recommending new leadership.

MeriTalk Staff