To say MeriTalk and GSA haven’t always seen eye to eye is a massive understatement. MeriTalk provided a venue for constructive and at times satirical criticism of the General Services Administration’s vaunted FedRAMP and 18F initiatives. We published the Fix FedRAMP paper, hosted the FedRAMP Fast Forward community, and wrote the WT18F? and Why Congress Needs to Take a Long Hard Look at 18F blogs.
That’s why we were both surprised and delighted to get an email from David Shive, CIO at GSA, and the new lead for FedRAMP and Technology Transformation Services–TTS–GSA’s tech innovation accelerator that now includes 18F. Surprised is another understatement–you could have knocked me down with a feather.
But, we were asking for change, and GSA’s actions clearly signal a very healthy change in its position. You see, Shive acknowledges that the task ahead of GSA and the Federal government is challenging. He recognizes that GSA needs to make changes–and he wants industry and government stakeholders to come to the table to provide input, suggestions, and yes, constructive criticism to help improve FedRAMP and TTS programs.
And, more than talk, Shive and his team at GSA will work with MeriTalk to host an open-mic session at the MeriTalk Cyber Security Brainstorm on Sept. 13 at the Newseum in Washington D.C. Here’s your chance to contribute your two cents. Shive will provide a review of his vision, the operational teams at GSA will expand on plans, and you get to ask your questions and provide your feedback in an open forum.
Register here: https://www.meritalk.com/event/gsa-forum-fedramp-tts-18f/. Please submit your questions online at https://www.meritalk.com/technology-transformation-initiative/ to get the ball rolling for Sept. 13–and we’ll keep this forum open beyond the event to keep the conversation going.
OK, to set the table for the collaboration feast on Sept. 13, GSA’s one-time harshest critic sat down with Shive to ask some substantial questions about FedRAMP and TTS. I found David earnest and eager to listen and get change done.
How would you evaluate FedRAMP’s performance to date?
I think FedRAMP’s performance has been very good–and it continues to get better each day. In less than five years, it has created a new standard that is being used across government and is being emulated in industry and overseas.
FedRAMP runs on a finite budget, and it has certified 70 CSPs.
FedRAMP is an iterative process. That process is maturing. We are taking on important learnings, both from internal experience, but also from sources external to GSA, from programs like Fix FedRAMP, from industry, from government stakeholders, and from academia. We’re committed to making FedRAMP better and better.
And we are changing. Our Federal partners have been very clear about what we need to do to increase cloud and FedRAMP adoption across the government. Agencies said they need a FedRAMP High baseline–and we’ve done this.
The fundamental value proposition of FedRAMP is “do once, use many.” How do you address the lack of reciprocity among agencies?
In the first few years, adoption and reuse were slow. We have seen a hockey-stick increase in reuse over the last nine months, a 135 percent increase in reuse. The average cloud provider is being used more than once, and those that are reused are on average being reused by five agencies.
To be clear, success takes many things. It takes a good idea, it takes successful implementation and effective operations, and it takes iteration. We’re committed to change to drive greater adoption. And, we’ll need to keep changing as tech capabilities and agencies’ mission requirements evolve over time.
What services should be JAB certified versus agency certified? The total capacity for the JAB is 50 CSPs. Who picks the JAB CSPs and are there some that should move out of the JAB?
The JAB is designed for cloud services that will be used governmentwide. That means the largest, most technically significant services that will have a strategic impact across government. Agencies should be certifying the services that they will use and those that are niche for their agency.
As the JAB gets crowded, we’ll continue to look at the CSPs that we have authorized. We will look for ways to ensure that JAB CSPs meet the JAB criteria.
This is a dynamic process; for example, AWS was certified by HHS, but we decided to move that certification to the JAB given the significant governmentwide demand for AWS’ cloud services.
Who will pick which CSPs enter the JAB Certification?
This is a joint decision between the JAB and OMB.
Do SaaS CSPs need their own ATO? How do CSPs and agencies understand the inheritance attributes associated with riding a certified IaaS?
All CSPs need a FedRAMP certification. When a software solution sits on another FedRAMP-certified cloud provider–it inherits many security attributes from the IaaS platform. Many of our IaaS CSPs are developing templates. One of the key benefits of FedRAMP is not just about agency reuse and reciprocity, it’s also about reuse by industry. When a SaaS provider uses an approved IaaS, that allows elegant inheritance.
This reuse ecosystem sets up a very positive feedback loop. As we get more approved offerings, that makes it easier for innovative new startups to accelerate into the government space. Reuse saves money and importantly opens the doors for companies who historically might not have entered the government marketplace to provide new capabilities and stimulate competition.
How much should it cost and how long should it take for a CSP to obtain a FedRAMP ATO?
We are aiming for 90 days–regardless of the complexity of the cloud service. That said, cost depends on the complexity of the cloud provider. For example, a nine-module core financial system will cost more to certify than a simple system.
Our industry partners are used to investing in compliance. FedRAMP does not change the fact that investment needs to continue. FedRAMP minimizes and streamlines the compliance process. Early signs are that FedRAMP accelerated is making a very positive change.
What do you say to innovative cloud players that are currently sitting on the sidelines because they’re afraid of the complexity and cost associated with FedRAMP?
We understand that signing up to FedRAMP is a significant investment. We ask industry providers to engage with the FedRAMP PMO. We have a team of smart, focused people and we will find a way to work with you.
How do you measure the success of the FedRAMP program?
We will measure by classic adoption numbers such as numbers of CSPs in the process as well as number of ATOs, utilization, and of course broad cloud adoption and savings across the government. But, we should also consider a series of nontraditional measures. For example, find ways to assess the state of security across Federal IT, because cloud is safer than legacy systems. We should also measure cloud’s ability to allow small businesses to compete in the government IT market. Ultimately, it’s about agility, better functionality, improved security, cost savings, and a government that works better.
We will be transparent about adoption rates and we look forward to input from our industry and government stakeholders on how best to measure. If we only consider FedRAMP adoption, we’re missing a big part of the story.
Who polices FedRAMP noncompliant cloud offerings deployed by agencies?
At GSA, it’s not our job to police agencies’ cloud usage; OMB owns this. Our new FedRAMP dashboard will provide a new level of transparency.
Do you plan to establish an ATO clearinghouse to improve transparency? How do you plan to help agencies price and purchase FedRAMP cloud offerings? How do you bring the various cloud GWACs in the government market into an integrated storefront?
Government should have one complete marketplace for agencies and industry. FedRAMP is the clearinghouse for ATOs across the government. We will work to become a full and complete clearinghouse in new and creative ways–serving up small lightweight SaaS offerings, etc. We will strive to bring new cloud service providers into the clearinghouse. Our partners in Federal Acquisition Service are always looking for ways to improve government procurement. We’re very open to industry feedback and to working together as a public-private partnership.
How do you plan to open up the FedRAMP program to provide for greater transparency and enhanced collaboration with government and industry?
A great idea like FedRAMP does not provide any value if nobody knows about it. That’s why we’re doubling down on things like the new FedRAMP dashboard. We recently brought on Ashley Mahan, the FedRAMP evangelist. My ask for anybody reading this, if Ashley knocks on your door, please answer it.
We have created a whole ecosystem to provide for greater transparency. We plan to continually engage with MeriTalk, ITAPS, ACT/IACT, and the like as we turn up our engagement volume.
What is your vision for TTS?
My vision for the Technology Transformation Service is to really continue this great work and best practices. TTS is here to help agencies pivot to the new and to innovate. Right now, this is through the delivery of digital service into the ever-expanding Federal digital ecosystem. It’s through the increasing use of lean and agile methodologies. It’s through the use of agile and streamlined acquisition processes and through the onboarding of world-class technical talent that walk away from great jobs in the private sector and academia to come do public service for a while. In the future it will be through the next great thing(s) in technology whether deep and rich data sciences capabilities that will allow us to exploit Federal data to its maximum or finding ways to corral the tidal wave of data coming off of the Internet of Things (IoT) or finding creative ways to strengthen the human/digital interface. Our currency is innovation and our output is transformation and we’re here to help our agency partners in any way we can and we’re here to help our industry partners drive their innovations into the Federal government.
We’re here to help agencies pivot and innovate through increasing use of lean and agile and by onboarding really great tech talent.
Today, we’re focused on agile and DevOps. As agencies embrace these new ways of business and they become commonplace, TTS will pivot to the next frontier–perhaps data science or how to surf the tidal wave created by IoT. We’re here to help our agency and industry partners drive their innovation into government.
How should we evaluate TTS performance moving forward?
It looks a lot like FedRAMP. A great start, but we need to mature the business. We need to overlay standard business metrics, like profitability and loss.
But it’s not just about profit and loss; we’ll watch our customer very closely to see if they get better at doing modern IT themselves. We’ll measure our success based on how agencies adopt new operating practices and fundamentally change to realize enhanced agility and efficiency. We’ll invest some mental capital into how to better measure TTS performance, because metrics certainly matter.