US FedRAMP has turned into a slow lane for government cloud says protest group

A cloud industry protest group has called on the US government to fix its FedRAMP process for certifying government cloud service providers. The inefficiencies of the system are neutralising any benefits the cloud can bring to the US taxpayer, it claims.

A collective of disgruntled agents, ranging from top-tier cloud operators such as AWS, IBM and HPE to support agencies and corporate lawyers, has appealed for a review of the Federal Risk and Authorization Management Program, the certification process known as FedRAMP.

Though FedRAMP was designed to simplify the use of cloud services by government agencies, the system has been described by a cloud industry advocate group as ‘fundamentally broken’. An aggrieved group of cloud players calling itself FedRAMP Fast Forward claims that what was meant to be a simple system for helping US civil servants to select between FedRAMP-certified providers has become too complicated and unwieldy. The pressure group has proposed a six-point plan to address the system’s lack of clarity, high costs and lack of accountability.

The promised ‘certify once, use many times’ framework has not been delivered, claims the pressure group. Instead, the system has become expensive and time-consuming to use. As a result, the planned government savings from using cloud services are unlikely to materialise, says the group.

One of the reported problems is that the system does not provide the level of monitoring and management that cloud service providers would expect from any service. Potential suppliers to a government tender cannot gauge their status in the approval process or get feedback on how to improve things or move the process to its next stage, according to a group statement. Agencies have also complained that they can’t see where the listed authorised cloud services might operate.

The Cloud Computing Caucus, a cross-party group of US Congress Members, claims that the certification process is now nearly three times as lengthy as it first was. Worse, it can be 20 times more expensive. The group’s latest annual report says certification time has gone from nine months to two years, on average, while the typical cost expanded from $250,000 to up to $5 million.

The pressure group has now posted a six-point reform plan calling for a single route to authorisation, more transparency over the approval process, harmonised security standards, cheaper monitoring, the option to upgrade without dropping out and a simpler road map for compliance.

FedRAMP Fast Forward members include AWS, HPE, IBM, CGI, General Dynamics and CenturyLink.