GSA Offers Guidance on Moving to Cloud With FedRAMP

During a General Services Administration (GSA) webinar on July 18, officials explained why Federal agencies should use GSA tools to move to the cloud, how agencies can utilize IT Schedule 70 to move to the cloud, and how to meet FedRAMP requirements.

Skip Jentsch, an enterprise architect and the IT cloud products manager for GSA, noted that agencies are primarily switching to the cloud to save money. “I put the government mandate last because it’s usually one of these other reasons that agencies talk about when they come to the cloud team here at GSA and want to purchase cloud,” he noted. “Yes, those mandates are important, but first and foremost with program shops and IT shops seems to be the saving money and agility features that are driving agencies to the cloud today.”

For agencies looking to migrate their applications, Jentsch highlighted the importance of having governance policies in place before implementing cloud solutions, as well as target architecture considerations. “Migrating to cloud is no different than migrating from one operating system to another, or one data center to another, or one group of servers to another: requirements have to be developed.”

Jentsch pointed to IT Schedule 70 as key to cloud acquisitions. He noted that Schedule 70, the largest Federal contract ever, can be used to establish a firm fixed price, award blanket purchase orders, and target solicitations with SIN 132-40, which covers certified cloud providers who meet NIST’s standards.

While Jentsch offered guidance on how to acquire cloud products, Ashley Mahan, FedRAMP evangelist for GSA, offered advice on which products agencies should acquire. (The answer: FedRAMP-approved products.)

“The theme here is that FedRAMP still applies to that underlying cloud environment,” said Mahan. “Keep that in mind whether you’re a value-added reseller, a managed service provider, an integrator – if there is Federal information, and you are directing the government to a cloud-based offering in any way…FedRAMP applies.”

Mahan highlighted how FedRAMP standards allow agencies to reuse the authorization process. “Typically, that authorization is reused seven times across the entire Federal government,” she said, pointing out the benefits for both providers and agencies. Through this Federal-wide collaboration, FedRAMP has helped the government avoid $178 million in costs during its six years.

Mahan also detailed the different classifications of FedRAMP approval and the new classification, FedRAMP Tailored. “We found that there are several low-risk use cases across the government in which agencies are using cloud offerings, specifically software as a service, and the data agencies were putting in these environments posed very, very little risk to the agency.” The new classification reduces the 125 security requirements of the FedRAMP Low category to 35 requirements.

Despite the hassles of compliance, FedRAMP standards exist for good reason. Both Mahan and Jentsch noted that security is the number one concern of agencies looking to move to the cloud. Mahan detailed the policy framework of FedRAMP, pointing to the Federal Information Security Modernization Act (FISMA) and White House mandates to back it up. “More or less, what we like to say as the tagline is ‘FedRAMP is FISMA for cloud,’” said Mahan.
