New Pressures on FedRAMP, OPM
All indicators are blinking red at the Office of Personnel Management. The Situation Report has picked up on some disturbing reports that the Chinese may not have been alone when they hacked into OPM’s network and made off with more than 21 million security clearance files. My mobile intercept operator has forwarded a debriefing report with a human source who said multiple intruders, including Iran and more than a couple of “friendly” countries, are believed to have rummaged through the vulnerable files.
That’s the tone of the reporting coming in from all directions as far as the Federal Risk and Authorization Management (FedRAMP) program is concerned. The Federal government’s main program for evaluating and authorizing commercial cloud service providers is under attack along four different fronts.
Attacking from south of the Beltway is the FedRAMP Fast Forward industry advocacy group, which plans to issue a major policy paper in January that will call for fundamental changes to the FedRAMP program. The group is taking aim at what many CSPs consider to be a flawed process that takes too long, costs too much, lacks transparency, and is adhered to (ignored?) differently from agency to agency. This avenue of approach holds the most promise, as the Fix FedRAMP position paper will get a high-profile public airing on Capitol Hill Feb. 4 during the next Cloud Computing Caucus Advisory Group meeting.
The High Ground
My forward observers on Capitol Hill report increasing activity by troops under the commands of Sens. Tom Udall, D-N.M., and Jerry Moran, R-Kan. Udall and Moran are planning a coordinated assault to help save FedRAMP. Code-named operation Cloud IT Act—the bill has started making its way through intelligence circles in the form of a “discussion draft.” MeriTalk obtained a summary of the legislation. You can read the full story here.
The General Services Administration division, under the command of Associate Administrator for Citizen Services and Innovative Technologies Phaedra Chrousos, also reports it is ready to open a new front along FedRAMP’s left flank. A mole in Chrousos’ command center reports the battle plan is “ambitious” and has identified “FedRAMP 2.0” as its main target.
Chrousos tipped her hand earlier this week when she told an audience at a National Contracts Management Association event that GSA is busy “reimagining” FedRAMP. Although there is no shortage of horror stories from industry, the tipping point came from the experience reported by Unisys Corp., she said. According to Chrousos, it took Unisys—a major Federal IT player with plenty of resources at its disposal—18 months and eight attempts to successfully navigate the FedRAMP certification process.
Last week, my Force Reconnaissance teams reported suspicious activities at the Department of Veterans Affairs’ IT office, under the command of newly appointed Chief Information Officer LaVerne Council. A senior commander within VA has since responded to The Situation Report with a denial that its Continuous Readiness in Information Security Program (CRISP) is over budget and offered a similar denial that there are any plans to allow its identity theft analytics contract to expire without renewal.
However, a source interrogation recently revealed that VA’s former Acting Chief Information Security Officer Dan Galik wasn’t very happy with the level of cooperation taking place throughout VA on cybersecurity issues before he left the agency in November. According to the source, who has reported accurately in the past, Galik saw the enemy at the gates and made a hasty retreat while there was still time.