June 5 is behind us now. It came and went, and you may not have even noticed. At least, you may not have noticed its coming and going any more than you do any other day of the year. But if cloud hosting and/or government data security are things that are at all important to you, then maybe you should have taken note of this particular day’s passing.
If you’ve been following our series of blog posts on the subject of FedRAMP (Federal Risk and Authorization Management Program), starting with this one right here explaining in depth what the program is and how it is designed to help streamline government cloud provider selection, then you should already have an idea as to what the significance of June 5 was. That’s right – it was the deadline for United States federal government agencies and companies known as CSPs (cloud service providers) to achieve compliance with FedRAMP.
The date came some three years after the government’s former CIO, Vivek Kundra, introduced his Cloud First initiative. Kundra wrote the policy to put rules in place that required the government’s many, many, many agencies to think about deploying applications through the cloud prior to considering other alternatives. How exactly would it do that? By making the entire process more efficient through the standardization of requirements for potential government CSPs.
There are many measures designed to make that happen, as we’ve been covering in our FedRAMP blog series. Basically, though, third-party organizations (3PAOs) would receive certifications allowing them to inspect and evaluate cloud hosting providers before rating them as FedRAMP-compliant, which in turn allows them to court federal agencies for cloud server contracts. Unfortunately for cloud lovers who’d like to see Uncle Sam get with the 21st century, swaths of agencies have dragged their feet when it comes to adopting cloud services over the past three years.
A survey conducted by IT services firm Accenture found that 70 percent of agency respondents stated that they hadn’t moved to the cloud yet because of insufficient staffing. The remaining survey respondents cited lengthy CSP procurement procedures as the biggest hurdle preventing them from adopting cloud services. FedRAMP was designed to correct these exact issues, and it has led to 16 different service offerings from 11 providers that have been ruled compliant with the program by 3PAOs. Many of them come from the big boys of IT: Microsoft, IBM, HP, Amazon Web Services, Oracle, etc.
Missing the Deadline Isn’t a Big Deal, Apparently
So now that the deadline has passed and many agencies have failed to reach compliance despite having a decent-sized pool of certified CSPs from which to choose, is the government going to come down hard on them? Not exactly, no. It’s clear that the General Services Administration (GSA), which is in charge of the entire FedRAMP initiative, and the White House Office of Management and Budget (OMB), which is tasked with ensuring FedRAMP is adhered to by agencies, are cutting those agencies some slack.
OMB released a statement to FCW on June 9 detailing the penalties and consequences that it will liberally distribute to agencies who have made its naughty list by not achieving compliance: none. That’s right – the statement says absolutely nothing at all about repercussions for those who haven’t yet fallen in line. Instead of bringing down the hammer hard on offenders, OMB is taking a more wait-and-see approach; it will closely monitor quarterly progress reports in the months ahead to see how much progress is made government-wide towards compliance.
“The Office of Management and Budget will conduct oversight through PortfolioStat and other processes to support the annual FISMA Report to gauge agency efforts to meet the June 2014 deadline,” reads the statement. “As necessary, OMB will work with agencies if the deadline isn’t met.”
The statement essentially reiterated the words of FedRAMP Director Maria Roat and Program Manager Matt Goodrich in an FCW interview conducted on the eve of the deadline, so its contents should come as no surprise to anyone who has closely followed FedRAMP. Parsing through all of the data and identifying which agencies do and which agencies do not adhere to the program’s regulations is predicted to take until as late as September, so it really isn’t even feasible for OMB to begin fairly and consistently enforcing deadline penalties just yet even if it wanted to.
For now, it must continue its PortfolioStat review and assessment process. That process is expected to end soon, on June 19, to be specific. The next step is to then have OMB and the agencies it’s overseeing come to an agreement as to what the, um, next step should be and what the exact deadlines for ensuing moves should be. So basically nothing of consequence is going to happen for some time yet. In fact, it will be at least three weeks after June 19 and possibly as late as the end of August when OMB distributes formal memos on the matter to agencies.
Goodrich has a positive outlook on the program’s future, however. He has stated that “There’s a new appetite for authorization” among CSPs. He noted that the list of approved ones has been growing at an encouraging rate, and that his agency was available to respond to any questions that cloud hosting companies have about becoming FedRAMP compliant.
Why Are So Many Agencies Still Non-Compliant?
Beyond not yet knowing which agencies haven’t reached compliance, there are other reasons why OMB can’t really come down hard on them yet. Brian Burns is the cloud division director at system integrator Agile Defense, which assists federal government agencies in their use of cloud services. Burns told Data Center Knowledge that many agencies have failed to reach compliance because they either host their own applications that have not yet gone through the FedRAMP certification process or because they have lingering long-term service contracts with non-compliant companies.
FedRAMP does contain a provision allowing agencies currently stuck with non-compliant hosts to pursue waivers. Requests for these waivers, however, are reviewed by a special board, and there are no guarantees whatsoever that the board will approve any specific request. One of the worst-case scenarios for agencies is being forced to move apps from non-compliant service providers over to compliant ones.
“You’re going to have to tear that application down, move it to a new cloud and start all over,” Burns explained.
While that excuse may remain viable, though, another popular one no longer does. The total government cloud budget for the year 2015 is $3 billion, according to OMB. About half of that will be spent on software-as-a-service offerings; 20 percent of it will go towards platform-as-a-service; and the remainder will be spent on infrastructure-as-a-service. Amazon Web Services is getting most of the action, but that large budget has attracted 10 rival CSPs, meaning lack of choice is no longer an accepted excuse. Burns noted that continuing to find ways to justify non-compliance will be difficult for agencies moving forward.
“It really is on the agencies now to make the shift and move into one of those clouds.”