General Services Administration now has multiple working groups addressing the Federal Risk and Authorization Management Program and they are getting very close to resolving the issues that delayed FedRAMP's initial launch, said Dave McClure, associate administrator at GSA's office of citizen services and innovative technologies.  

Details of FedRAMP began to take shape in fall 2010, but announcements on the program quickly grew quiet as FedRAMP buzz was overshadowed by Federal CIO Vivek Kundra's 25-point plan for federal IT in December.

The program was wrapping up in October and November 2010 and GSA expected to launch in December, said McClure, who spoke March 9 at a Coalition for Government Procurement event. But, as the tentative deadline drew closer, several policy issues came up, he said.

The CIO Council and GSA decided to more carefully review comments on FedRAMP the week between Christmas and January 1, 2011, and concluded they would step back and slow down the project, he explained. The main policy issue that needed attention was the proposed Joint Authorization Board's accountability in granting authority to operate, said McClure. There has also been a renewed focus on trusted Internet connections and IPv6 compliance, he said.

McClure indicated that marrying FedRAMP and the Federal Information Security Management Act has also been a challenge because the merits of FISMA for each agency vary with the controls at each agency.

FedRAMP is not trying to revise FISMA, he said, but with the Government Accountability Office concerned that FedRAMP doesn't address key FISMA priorities, "we're missing the forest for the trees."

"We need government consensus on controls and risk levels," said McClure.

"Whatever comes out will be a version one of a FedRAMP process," he said. "Nothing is concrete" and beginning the day after launch, the program will be further adapted, McClure added.

Related Articles:
FedRAMP draft specifications out for comment
Cloud computing standards and procurement processes take shape