Top officials from several private sector firms that are helping the Federal government modernize its technology and cybersecurity capabilities told MeriTalk that last week’s FITARA Scorecard gradings for the largest Federal agencies in several IT-driven categories are shining a necessary light on government’s need to make more progress in implementing longstanding cloud policy directives.

On the 17th edition of the FITARA Scorecard, 11 agencies saw their overall grades decline, while only one agency earned a higher grade, and the other 12 saw their grades remain unchanged from the previous scorecard issued in September 2023.

Much of that downward trend can be traced to grading category changes, with the most impactful being the introduction of a new category gauging agency progress on cloud computing. Of the 24 agencies graded on the scorecard, only the Defense Department earned an “A” grade in the new category, six agencies received “D” grades, and 16 agencies got failing grades.

The cloud computing grades were tied to how agencies are meeting five requirements of the Office of Management and Budget’s Federal Cloud Computing Strategy issued in 2019 that aims to speed agency cloud adoption. Notably, none of those five requirements appear to directly correlate with the amount of cloud services that agencies may actually be using.

“The five requirements focus on ensuring that the CIO oversees modernization, agency cloud-related policies and guidance are iteratively improved, service level agreements are in place, service level agreement contracts are standardized, and visibility in high value asset contracts is continuously ensured,” the scorecard said.

“With the FITARA 17.0 Scorecard including cloud computing as a new scoring category this year, I’m unsurprised that we saw an overall decline in scores,” said Gary Barlet, Federal Field CTO at Illumio. “It’s no secret that cloud security – especially across the federal government – isn’t where it needs to be.”

“These results only highlight the need for agencies to prioritize improving their cloud security posture, particularly as more critical assets and workloads move to hybrid cloud environments and foreign adversaries increasingly target vulnerabilities across cloud infrastructure,” Barlet said.

“As agencies continue to implement the practices and strategies outlined in the 2019 Federal Cloud Computing Strategy from the Office of Management and Budget, it’s evident that more progress and better prioritization of cloud security resources are needed to drive real change and resilience,” he said. “But to do this, agencies must have the right tools and strategies in place to keep pace with the evolving threat landscape, and we know that traditional cloud security tools and legacy solutions often fall short in the era of agility and interoperability afforded by the cloud.”

Gary Hix, Chief Technology Officer at Hitachi Vantara Federal, said that “the recent FITARA assessment highlights the ongoing delay in cloud adoption and emphasizes the critical need to redirect our focus toward investing in technologies that bolster robust cybersecurity and national security postures for Federal agencies.”

“It’s unfortunate that these agencies have yet to achieve the optimal level of readiness, particularly in light of the current state of rapid technological advancements, leaving us susceptible to vulnerabilities, sophisticated attacks and the like,” he said.

“In light of the latest FITARA scores, which include the new Cloud Computing category, it’s evident that Federal agencies still need to prioritize and improve their cloud adoption strategies beyond email, large scale SaaS and public facing websites,” said Stephen Kovac, Global Chief Compliance Officer at Zscaler.

“With increasing investment in cloud technology within the government and the modernization of the FedRAMP program to accelerate cloud adoption, it is essential for agencies to consider beginning to move more critical business applications to the cloud while aligning with best practices outlined in the Federal Cloud Computing Strategy, known as CloudSmart,” he said.

Looking forward, Kovac said, “with key initiatives underway from the National Cybersecurity Strategy to the Cyber Executive Order, along with cohesive public-private and government collaboration efforts, there is solid guidance and concrete steps agencies can take to modernize and secure their systems through cloud migration.”

“Agencies need to show marked improvement from these initial FITARA Cloud Computing scores,” he emphasized. “To achieve this, they need to lean into programs like the Technology Modernization Fund and other funding sources, look at moving to more cloud services such as SASE and EDM, as we as a nation progress into a new and safer CloudSecure era.”

Hix echoed some of those policy priorities, saying, “despite this challenge, we already have guiding frameworks in progress, like the CloudSmart policy, other executive orders and standards that enhance the overall implementation of cloud security measures, so I think it’s time to lean into those initiatives as part of agencies’ pursuit towards hybrid cloud.”

“This will require a ‘heads down’ approach in our efforts to catch up and I’m confident we’ll get there, but it will take a village,” he said. “Just as we continue to witness the collaborative efforts driving safe, secure and trustworthy AI adoption, it’s evident that cross-sector unity is essential in navigating these critical strategies to achieve resilient cybersecurity and adapt to evolving threats.”

Illumio’s Barlet added, “I’m hopeful that agencies will reflect on the latest scores and prioritize implementing effective cloud security strategies in the year ahead. Starting with the basics – prioritizing increased end to end visibility, continuous monitoring across workloads, adopting an ‘assume breach’ mindset, and embracing containment strategies to proactively limit the impact of inevitable breaches.

“But we need to start seeing improvements when it comes to cloud security, and we need to see them sooner rather than later,” he said.

John Curran
John Curran is MeriTalk's Managing Editor covering the intersection of government and technology.