In government computing circles this year, discussions of cloud and FedRAMP have been all the rage. While I can’t get into a lot of customer-specific details, I have a good bit of experience with the predecessor to FedRAMP, namely the GSA IaaS blanket purchase agreement. In fact, I’ve helped get several enormous cloud providers across the finish line, work that consists of being not only technical translator, but therapist, consultant, language translator and general divinator of government intentions. It’s challenging.

Here’s the big problem I see: even at its most optimal, FedRAMP is too slow. The fault isn’t specific to FedRAMP; those involved have thought through the issues and done a great job with what they have to work with. The problem is that “what they have to work with” is the NIST SP800-53 framework, and it’s just not something that fits well with the cloud world.

I take that back: it’s not cloud that’s the problem, it’s modern architectures. I faced similar challenges when dealing with a huge SOA-based system developed specifically for a government agency. What is a system when you have hundreds (or thousands) of services that are interdependent in intricate ways? How do you even begin to think about that? Clouds add another layer of complexity and vagueness to the whole recipe.