UPDATED 03:31 EDT / JANUARY 27 2016

Cloud providers urge reforms for “fundamentally broken” FedRAMP

The FedRAMP Fast Forward advocacy group, which represents Hewlett-Packard Enterprise, IBM and several other big technology firms, as well as a number of federal lawmakers and agencies, has hit out at the government’s process for certifying government cloud providers, saying it’s “fundamentally broken”.

The Federal Risk and Authorization Management Program (FedRAMP) certification process was designed to be a security benchmark for federal government agencies looking to use cloud service providers for their IT requirements. The idea is simple – FedRAMP provides a list of certified cloud providers government agencies can choose from when considering their cloud needs.

However, the FedRAMP Fast Forward group says the certification process is mired in problems around transparency, accountability and cost.

“The real promise of FedRAMP — embodied in the ‘certify once, use many times’ framework — has been jeopardized by what has become a costly and time-consuming process that lacks transparency and accountability,” the group said in a report that proposed several reforms.

The federal government is keen to move to the cloud because it believes it can save billions on its IT spending. The bulk of its annual $80 billion IT budget currently goes towards the cost of maintaining its sprawling legacy data centers, many of which the government is looking to close down.

However, the group says the broken FedRAMP certification process is a major roadblock to making this happen. The current process doesn’t allow cloud service providers any visibility into the current status of their applications, nor does it provide any guidance on the steps required to help their applications along. In addition, the process doesn’t give agencies themselves any insight into where authorized cloud services operate.

It takes cloud service providers an average of two years and costs around $4 million to $5 million to achieve FedRAMP certification, compared to nine months and $250,000 just two years ago, according to a recent Cloud Computing Caucus report.

As such, the FedRAMP Fast Forward group has made a number of proposals to fix the certification process and help speed things up:

  1. Normalize the certification process. CSPs can take several routes to an ATO, and not all are seen as equal, which fundamentally undermines the value proposition of the FedRAMP program (DCK: ATO stands for Authority to Operate. Individual agencies issue ATOs to FedRAMP-compliant cloud service providers whose services they want to use)
  2. Increase transparency about the approval process, what it takes to gain approval, and the time and cost involved
  3. Harmonize security standards, so that CSPs can meet some FedRAMP requirements through compliance with existing international and privacy standards
  4. Reduce the cost of continuous monitoring for CSPs that have achieved an ATO
  5. Enable CSPs to upgrade their cloud environments while remaining compliant with FedRAMP requirements
  6. Help CSPs map their FedRAMP compliance to Department of Defense security requirements, rather than forcing them to start over again to obtain the ability to provide cloud services to DoD