Government, industry, and the Hill got together for a collaborative powwow about government cloud progress, and specifically FedRAMP, the standardized cloud security certification, at the MeriTalk Cloud Computing Brainstorm on June 7 at the Newseum. The session reviewed progress to date and the path forward for the once-embattled GSA program–and revealed new transparency and important new milestones.
On March 28, 2016, GSA unveiled a new FedRAMP Accelerated process, which modifies how FedRAMP Joint Authorization Board Provisional Authorizations are conducted in an effort to speed up the certification process. Susie Adams, chief technology officer of Microsoft Federal, said that the Accelerated process marked a positive step.
“This is the pace of change of cloud,” Adams said. “If you think about a nirvana world for shared services, that’s really what cloud gives you.”
Quickening the pace of cloud adoption across the board is vital for its success, according to Adams. For example, her office created its own accelerated process to add new services every couple of weeks, rather than every few months.
She also recommended shifting to an outcomes-based approach to security controls.
“For each control in the FedRAMP list, companies should be able to show they’ve secured that risk,” Adams said. “Moving to an outcomes-based approach would go a long way.”
Agencies invariably have different needs and different goals. The department of the Interior’s cyber agenda may bear little resemblance to that of the department of Health and Human Services. However, Doug Bourgeois, managing director of Federal Technology Strategy and Architecture for Deloitte, stressed the importance of establishing standards to which all agencies can adhere.
Bourgeois, who sponsored and led cloud services programs during his time at the Department of Interior National Business Center, said standardizing agencies’ cloud computing practices would benefit not only the agencies, but also the companies that work with them.
“We need to make it as easy as possible for authorizing officials to approve controls from one agency to the other. We really need to standardize the definition of major change,” Bourgeois said. “Take that through the educational process so they can be consistent.”
FedRAMP’s success is a balance of standardization across the government and consideration of each agency’s needs, according to Prem Jadhwani, chief technology officer for Government Acquisitions. Jadhwani, who has been following FedRAMP since 2012, said that the speed of cloud service provider certification has improved.
“Transparency has gotten better, but there are still challenges. From the sharing perspective, there’s still a long way to go,” Jadhwani said. “Each agency has a different appetite, and they don’t know what that appetite is.”
In the past, some companies have found FedRAMP’s compliance path difficult to navigate. Confusion also surrounds the Federal Information Security Management Act of 2014, which updated the Federal government’s cybersecurity policies by cementing the Department of Homeland Security’s role as the administrator of information security policy, according to Peter Durand, vice president of Federal Sector for Acquia.
Durand oversaw Acquia’s dual FedRAMP certification processes at the departments of the Treasury and Transportation. He said cloud adoption requires a level of trust that some agencies are not ready to display.
“Acceptance hasn’t been very consistent. It’s trust and verify,” Durand said. “A lot of security practitioners treat the cloud like their own data center. They want to touch the box.”
Bourgeois agreed with Durand, stating that the crux of the matter is accepting the idea of an ATO.
During his time in the Federal government, he said he feared he was the sole person responsible for his agency’s risk, a fear commonly shared by CIOs.
The basic provisions of FedRAMP can extend to spheres other than the Federal space. For example, state and local government systems, while smaller than their Federal counterparts, still require basic cybersecurity measures. Durand said he has seen FedRAMP-like policies appear across several state government agencies.
“The state and local government market creates an opportunity to leverage the FedRAMP platform beyond Federal agencies,” said Joe Moye, senior vice president of Public Sector for Virtustream. “The focus on expediting some of the process is crucial.”