cloud toolkit

Lawmakers eye FedRAMP improvements

The Federal Risk and Authorization Management Program that evaluates and approves cloud services for government use has made significant strides since it was launched in 2011, but lawmakers are drafting legislation to address continuing issues of complexity, cost and the length of the authorization process.

Some of the cloud service providers that have gone through the FedRAMP approval process told a House Committee and on Oversight and Reform subcommittee on July 17 that they're also having difficulties getting agencies to accept approvals uniformly.

Those costs, time and confusion, Connolly said, are what FedRAMP was created to address, Government Operations Subcommittee Chairman Gerry Connolly (D-Va.) said. "What was supposed to be a six-month process costing $250,000 instead could take years and cost a company millions of dollars," he said.

Will Ackerly, CTO at startup Virtru, said his company probably wouldn't have made it through the FedRAMP authorization process if not for advocates inside federal agencies who helped shepherd it through. It took 20 months to get the company's product through the approval cycle at a cost of $1.6 million, Ackerly said. Plus, Virtru still must spend $150,000 to $200,000 a year to maintain the certification, he said.

Connolly, as well as vendors testifying at the hearing, commended FedRAMP on making significant progress. Nevertheless, said Connolly, new legislation is needed to define roles, including how FedRAMP's Joint Authorization Board (JAB) and agencies see each other's approvals, as well as other issues.

The JAB authority to operate should "be accepted at all [agency] windows," Connolly said, while agency ATOs might set some basic approval foundations that could be more readily reused by companies without starting each approval from scratch. That's not happening, he said.

Anil Cheriyan, deputy commissioner of the Federal Acquisition Service and director of the Technology Transformation Service at the General Services Administration, told the committee that FedRAMP has made significant progress. In fiscal 2018, he said, the government issued about 40 authorizations, including provisional ATOs. It took three years, he said, for the program to issue its first 40 ATOs.

Currently, he said, the government has authorized 143 cloud products from 115 companies, with 69 more ATOs coming.

Despite the successes, Connolly and Rep. Mark Meadows (R-N.C.) are drafting a bill with industry input that will instill some official discipline in the process.

The two introduced a FedRAMP reform bill last July, but it didn't get out of the House. The new bill is very similar to last year's.

"There will be legislation in your future," Connolly told witnesses at the hearing. "We're determined" to provide a legislative "anchor" for FedRAMP provisions, he said.

According to Connolly, the legislation now being drafted will codify and define the roles and responsibilities of federal agencies and third-party assessment organizations; address how to further reduce long approval times for vendor applicants, particularly small businesses; tackle the uneven application of vendors' ATOs across federal agencies; and set metrics on time, costs and assessment quality.

This article was first posted to FCW, a sibling site to GCN.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Click here for previous articles by Rockwell. Contact him at [email protected] or follow him on Twitter at @MRockwell4.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected