Companies are spending as much as $200,000 to go through the certification process.
Up against a self-imposed Dec. 31 deadline, the government’s purchasing arm has yet to endorse any cloud products for quick acquisition. Some applicants and testers say the General Services Administration has been mum about the hoped-for announcement on approvals.
Confusion over paperwork has complicated efforts for the Federal Risk and Authorization Management Program, or FedRAMP, according to interviews with cloud vendors and inspectors. FedRAMP, a security evaluation process, is intended to certify services for immediate use in any government agency. Inspections began in June.
Last week, GSA, which runs the program, released rules on the color scheme, placement and permitted uses of the FedRAMP seal of approval. Several auditors said constructive discussions about the contents of their evaluation reports and providers’ security plans have consumed more time than expected.
On Friday, in a written response to a question from Nextgov during a November industry webinar, FedRAMP officials stated, “At this time, no cloud service providers have received a provisional authorization” -- the term for an endorsement allowing governmentwide plug and play. Officials wrote they “anticipate the first authorizations to come at the end of the year/January 2013.”
Separately, GSA officials said they were not in a position to comment for this article.
All the communications have run up costs for GSA, applicants and auditors, those interviewed said. But no one is complaining, they added, because ever since the government first proposed the concept in 2010 all have understood that this is an experiment.
The goal of FedRAMP is to speed the shutdown of costly federal computer rooms and outsource network operations to shared clouds, thereby reducing expenditures and increasing technical flexibility. The Obama administration expects to save about $5 billion annually by shuttering roughly 40 percent of the government’s data centers. By axing duplicative audits, agencies could pocket between 30 percent and 40 percent of their usual testing and procurement expenses.
Talks between testers and cloud vendors, testers and the FedRAMP office, and vendors and prospective agency clients have drawn out this first certification round. In some cases, an assessor might need more detail from a company. Or the cloud provider might request a second evaluation because it modified a product in response to agencies’ changing needs.
Paul Nguyen, a vice president for FedRAMP auditor Knowledge Consulting Group, said inspectors have had to adjust the amount of information they document for GSA and refine the formatting of reports. “The nuances always come with how people want to see the information,” he said.
Meanwhile, cloud applicants have had to expand their cloud security plans drastically to satisfy the government and auditors, said Tom McAndrew, an executive at Coalfire Federal, another FedRAMP auditor. The hang-ups that cloud companies hit involve mainly bookkeeping, not necessarily technical problems, he said.
Plans “go from 80 pages to over 1,000 pages to meet the level of granularity needed for FedRAMP,” McAndrew said.
One administrative issue deals with a list of physical assets, applications, virtual assets and databases that applicants must file. The difficulty is that companies’ data center components and services continuously shift.
“In larger, dynamic environments, there is no finite list and the number of assets changes on a near continuous basis. How do you document an asset list that is dynamic and scalable, and how does an assessor select a sample size that is appropriate?” McAndrew questioned.
Microsoft is experiencing the same accounting challenge. “We added some more data centers, so now that’s added some more assets,” said Susie Adams, Microsoft federal chief technology adviser.
A related predicament: Auditors must fulfill multiple change orders because cloud providers’ equipment and software are evolving in response to what agencies want out of the cloud, McAndrew said. For example, the Pentagon may want military data housed in the European Union, which has unique background check requirements. Meanwhile, civilian U.S.-based agencies may not need those background checks. To meet such demands, the cloud provider alters its product line, which then requires a second security evaluation.
Neither the companies nor GSA have all the answers yet, Adams said. Microsoft expects at least one of its offerings to be accredited by April 2013.
Aside from time, delays cost everyone money. Most companies are facing assessments that last between 500 and 1,000 hours, at a rate of $100 to $200 per hour, so the tab can total $200,000, according to McAndrew. His company sometimes will absorb the extra expenses associated with paperwork changes, he said.
GSA is tight on resources for FedRAMP. The program has the capacity to support only 10 to 12 providers, according to those interviewed. Since June, about 80 providers have expressed interest in applying.
Most cloud companies have hired consultants, such as Ernst and Young, to help them through the audits. Those consultants are on the company’s payroll for as long as the process takes, Adams said.
“FedRAMP will save money over time, but it won’t save money in year one,” McAndrew noted.
Adams added, “It’s just the back and forth nature of getting everyone on the same page.”