Amazon, IBM, HPE: Government Cloud Security Process Broken

An industry group representing Amazon, IBM, HPE, and several other companies, as well as some federal agencies and lawmakers, is calling on the government to fix its process for certifying government cloud service providers as fit for serving the federal government.

The certification process, called FedRAMP, or Federal Risk and Authorization Management Program, was created to make it easier for government agencies to use cloud services. By choosing from a list of FedRAMP-certified providers, agency IT heads are guaranteed that the services they choose meet federal cloud security standards.

The FedRAMP certification process, however, is “fundamentally broken,” according to an industry advocacy group whose affiliates include Amazon Web Services, HPE, IBM, CGI, General Dynamics, and CenturyLink, among others. The group, called FedRAMP Fast Forward, today published a six-step plan for reforming the process.

There are problems of transparency, accountability, and cost, the group claims.

“The real promise of FedRAMP — embodied in the ‘certify once, use many times’ framework — has been jeopardized by what has become a costly and time-consuming process that lacks transparency and accountability,” the report that outlines the suggested reform plan, reads.

Government cloud adoption promises to generate billions in IT savings. Much of the current $80 billion government IT budget goes to maintaining the sprawling legacy data center infrastructure, and the thinking is that cloud computing will enable the government to shut down old and expensive data centers faster than it has been to date.

Read more: Ten Key Figures from Latest Progress Report on US Government IT Reform

A broken FedRAMP certification process, however, is a big impediment to government cloud adoption, according to the group. Cloud service providers don’t have visibility into their status in the approval process or guidance about the steps necessary to move the process along, the group said in a statement. Agencies don’t have insight into where cloud services that have been authorized operate.

Both time and costs necessary for a cloud service provider to get certified went from nine months and $250,000 two years ago to two years and $4 million to $5 million today, according to an annual report by the Cloud Computing Caucus, a congressional member organization that consists of 11 Democrats and Republicans. The Caucus gets advised by technology companies and industry groups.

Here is the six-step FedRAMP reform plan FedRAMP Fast Forward is proposing:

1. Normalize the certification process. CSPs can take several routes to an ATO, and not all are seen as equal, which fundamentally undermines the value proposition of the FedRAMP program (DCK: ATO stands for Authority to Operate. Individual agencies issue ATOs to FedRAMP-compliant cloud service providers whose services they want to use)
2. Increase transparency about the approval process, what it takes to gain approval, and the time and cost involved
3. Harmonize security standards, so that CSPs can meet some FedRAMP requirements through compliance with existing international and privacy standards
4. Reduce the cost of continuous monitoring for CSPs that have achieved an ATO
5. Enable CSPs to upgrade their cloud environments while remaining compliant with FedRAMP requirements
6. Help CSPs map their FedRAMP compliance to Department of Defense security requirements, rather than forcing them to start over again to obtain the ability to provide cloud services to DoD