Inconsistency creates uncertainty
Each Authorizing Official can, and often does, set different security requirements. Some Authorizing Officials may expect exact adherence to every control while others may require additional overlays or bespoke changes. Vendors struggle with this lack of consistency.
“FedRAMP was supposed to just be like, ‘We’re good to go.’ But no, that’s not at all how it happens in practice.”
“We had to suddenly implement things that the commercial customers were like, ‘Oh, no.’ The 15-minute logout… I would’ve been ridiculed by my own engineering team if we had pushed that through for our own staff.”
One large technology company we interviewed said that they were managing multiple Authorities to Operate (ATOs), with different requirements, at the same agency, for the same product, even though that product had already received FedRAMP approval. The company was making significant investments in tailoring their commercial software to meet the requirements of different Authorizing Officials (AOs), but they were skeptical of how long any authorization would last, given the inconsistent nature of the ATO process.
“I mean, hopefully our little written memos stick and we can just continue doing business with some level of assurance that we won’t be getting requirements changed on us and investments will be lost in the future.”