by xemdetia
2086 days ago
I think you misunderstand the roadblock. Especially for any higher security like FedRAMP, it is up to the FedRAMP certified holder to vet and have a very solid understanding of that remote service or system they are using at a moderate to deep level. Most sec people will do enough research to know if the service provider is at least an immediate no or not, but even if they are same-or-better FedRAMP level you still need to document them in your SSP (a system security plan for your whole org, from HR to Engineering). This also doesn't prevent the situation where you then need to do a deep dive with this other organization to find out how FedRAMP their FedRAMP program is, because more often than not organizations hide a lot of skeletons about what features/services are actually FedRAMP and what are features they intend to have FedRAMP 6-10 months from now. Then you have to keep on them forever, and stay apprised of features people would like you to use but that aren't FedRAMP appropriate yet or do not have appropriate controls. I think you would be surprised how many SaaS providers really don't pass muster under scrutiny, or how often your engineering teams are trying to use features that just haven't been brought into compliance yet. For example, the number of times I have had to use https://aws.amazon.com/compliance/services-in-scope/ (click the FedRAMP tab) as a hammer is extremely high. Then you get on the phone with AWS and you find out that only a certain subset of the service that meets their FedRAMP does not provide adequate controls for your usage of the service. There's a lot of defer-to-vendor and defer-to-user games being played by both sides, and you have to go line by line and figure out who is responsible for what. More often than not the service's people who are catering to the customer are not appropriately educated either, so there are layers of escalations by a security team just to get someone who can answer security questions accurately.
So no, a security person can only see from most organizations that you tried to attest to some of these random certifications, but that doesn't mean I have an accurate map of how I'm supposed to meet my compliance goals with your stuff. (This is not aimed at any one provider in particular, just my personal feelings on where this 'internal roadblock' argument falls apart.)