FedRAMP Fiasco – FITARA Forward?
Action packed this week. FedRAMP mass confusion. Capitol opportunity to get serious about FITARA.
NextGov reports GSA’s making FedRAMP optional. FedScoop reports on OMB’s draft policy revisions – unclear as yet what this means for FedRAMP.
But back to GSA’s comments – two factors here. First, the FedRAMP PMO says it’s drowning in rubbish submissions from CSPs. Babysitting poor submissions is sucking up PMO bandwidth and choking off the supply of certified CSPs. But if CSPs don’t need to get FedRAMP to win deals, merely to say they’re in process, there’ll be a whole lot more incomplete and poor submissions on the way to the FedRAMP PMO. Second, what smart CSP is going to spend the $4-5 million – not to mention the anguish of the exercise – to go through the FedRAMP process if it’s not required? One additional thought. GSA says it’s concerned about limiting competition. Doesn’t FedRAMP limit competition by design?
Think GSA needs to reconsider its position. It’s not just the vendor community – the Hill and GAO are sitting up and paying attention.
Guessing the FedRAMP Fast Forward meeting at the Cloud Computing Brainstorm’s going to be a humdinger.
Heads up, there’s a little publicized Oversight and Government Reform IT Subcommittee hearing on the implementation plan for FITARA at 2:00 p.m. EST on June 10th. Witnesses Tony Scott, OMB; Dave Powner, GAO; and Richard Spires, former DHS CIO – and long-time FITARA champion.
We’re all curious to see how this plays out. The fact that appropriators did not fund Digital Services makes you think the Hill’s serious about putting some muscle behind FITARA. Some see Digital Services as an end around some CIO shops. Here’s a wish for the hearing – hoping that we institute a FITARA scorecard. KPIs:
-Percentage of projects delivered on time
-Focus on incremental approach – percentage of projects scheduled for delivery within six months
-Percentage of IT contracts signed off on by the CIO
-Data center efficiency metrics
Now for the dismount – let’s finish as we began, with FedRAMP. It’s ironic that almost a year to the day after VanRoekel’s June 4 mandatory FedRAMP-compliance deadline came and went – like Obama’s line in the sand in Syria – even GSA is questioning the program’s raison d’être and fundamental viability. The statistics say it all – this time last year, there were 16 FedRAMP ATO’d CSP offerings, from 13 vendors. Today, there are 36, from 29 vendors. Of those ATO’d CSP offerings, 17 came through the FedRAMP PMO and JAB process and 16 through the agency FedRAMP process. A year ago, there were 11 CSPs in the GSA JAB pipeline. Of those CSPs in the pipeline, four made it through the process in the last year. The remaining seven are still in the pipeline. No matter where the ATOs came from, a total of 36 certified CSP offerings from 29 vendors is not nearly enough after more than three years.
The FedRAMP Fast Forward group met on Wednesday to talk about FedRAMP fixes. It’s too early to turn in the papers, but here’s a look over the shoulder at some early suggestions.
Build a capacity and throughput model for the FedRAMP PMO and JAB process based on today’s resources. Publish specific metrics on how many CSPs the FedRAMP PMO and JAB can process in a year. At each phase of the process, state the FedRAMP PMO and JAB SLAs to CSPs, from submission to response. This will take the magic out of the machine and allow us to measure performance and allocate resources appropriately. I hear your cries. What if the CSP submissions are rubbish – how’s the FedRAMP PMO supposed to meet its SLAs? Try this on for size – if the submission is materially deficient, and we need to quantify that, then the CSP is disallowed from resubmitting for one year. Tough love – and lawyers will get involved. But we need some more fiber in this diet.
Watch this space for more recommendations from the FedRAMP Fast Forward.
Hope to see you at the Cloud Computing Brainstorm on June 17th.