Facing criticism over the awkward nature of the FedRAMP process and the use of $150,000 to create a FedRAMP dashboard that already exists in the private sector, the General Services Administration (GSA) was told on Tuesday that it needed to clean up the program or have Congress step in.
“If GSA can’t fix this, then Congress will. And the problem with that is that Congress is always a blunt instrument. We don’t do subtle,” said Rep. Gerry Connolly, D-Va., at the MeriTalk 2016 Cyber Security Brainstorm in Washington. “You’ll get legislation that is overly prescriptive.”
Featured in the center of the room, a pile of fake money representing the $150,000 spent on the FedRAMP dashboard was presented as an example of agency spending waste.
Connolly said that although going through the FedRAMP program was supposed to take six months and $250,000, it now takes two years or more and requires millions of dollars. He also noted that companies wishing to authorize their product through FedRAMP sometimes have to go through the FedRAMP process twice, once for general authorization and again for a specific agency.
“This process has now become an extra layer and burden for industry,” Connolly said. “[Congress] will absolutely insist that it be a one-step process, not a two-step. Either JAB [Joint Authorization Board] certifies and that’s good enough for everybody, or you go to a system where you’ve got to go to each individual agency, and I predict Congress will go for the former.”
“When we launched FedRAMP, every agency said, ‘we don’t want the department of FedRAMP, we don’t want everything to go through one centralized place, we still want some control over the IT that we manage, that we buy, and that we use,’” said Matt Goodrich, director of FedRAMP. “In the vision of FedRAMP from the beginning, we’ve always said the vast majority of authorizations should go through agencies, they should not be going to the Joint Authorization Board.”
Goodrich added that those products that were widely used across government agencies should be the ones going through the JAB, as it would be redundant for them to go through each individual agency for authorization.
Many in industry, however, still feel that the current FedRAMP authorization process is difficult to get through.
“I spoke at the MeriTalk conference on this subject in March,” Connolly said. “The only people in the room who thought things were going well were government folks involved in managing it. And I even did a poll, and every single private sector hand in the room, which was most of the hands in the room, was dissatisfied.”
Despite harsh criticism, representatives from GSA expressed how important it was to hear such commentary and to have the hard discussions about how to make the program better.
“I invite those comments. I invite this dialogue,” said David Shive, CIO at GSA. “Without this conversation we can’t get better.”