New goals being set forth by the leadership of the Federal Risk and Authorization Management Program (FedRAMP), coupled with some new shifts in direction and strategy, could have a profound impact on the cloud and its ecosystem of services available to government agencies. And the timing simply couldn’t be better.
Federal News Radio recently hosted a podcast discussion with Matt Goodrich, who directs FedRAMP for the General Services Administration (GSA); David McOmber, Executive Vice President of Public Sector and Federal Sales for QTS Realty Trust; and Seth Abrams, the Chief Technology Officer for CSRA’s Homeland Security. The panel discussed the importance of FedRAMP for helping agencies move to the cloud by standardizing requirements in addition to how FedRAMP is working to address the challenges facing the federal government when it comes to cloud adoption.
Ultimately, the demands on IT departments and data centers have exploded as federal government agencies rely on cloud-driven capabilities and associated services to accomplish their missions in a more agile and cost-efficient manner.
Today, federal agencies and organizations across all government sectors—from civilian to intelligence and defense—depend on advanced mobility, big data and analytics, and communications technologies to collaborate, stay connected, increase effectiveness and become more proactive.
While these requirements may be driving increased effectiveness and efficiency across the government, they are also taxing existing federal IT infrastructures and have resulted in a new dependence on cloud and hybrid cloud infrastructure. The use of hybrid cloud effectively gives the federal government the best of both worlds—keeping essential mission-critical workloads in physical data centers, while taking advantage of the agility, cost savings and accessibility of the cloud for other workloads.
“I really love the expression that you buy the base and you rent the surge,” CSRA’s Abrams said when talking about the concept of hybrid cloud. “The base…the bread and butter of your databases and really large data sets…sometimes you just need to own that. But, you still want access to it, and you want to be able to scale like an Amazon…What this hybrid environment really does is put your data next to the cloud so that you can take advantage of both [the servers] you own [and] the agile approach of the cloud.”
Matt Goodrich noted that FedRAMP removes the obstacles for agencies to move to the cloud while ensuring that agencies can access the cloud securely. FedRAMP also enables Cloud Service Providers to sell cloud solutions across federal agencies without having to deal with a patchwork of disparate authorizations and security testing requirements.
The program hasn’t been without criticism or flaws. However, as Goodrich shared, FedRAMP is a relatively new program and is constantly improving. His focus at the moment is expediting applications and certifications. When the program first started, authorizations could take upwards of 18 months; with constant process improvement, authorization now averages 15 weeks despite “100 percent growth year-over-year.”
The other important step that FedRAMP is taking involves a fundamental shift away from its traditional “one size fits all” approach to cloud authorization and certification. Traditionally, FedRAMP has held all cloud solutions—from infrastructure as a service (IaaS) platforms to software as a service (SaaS) solutions—to the same controls. But not all of these solutions and services carry the same risk, and as such, adopting a tailored FedRAMP approach based on the solution makes a great deal of sense.
The data contained, accessed and utilized by a cloud-based email service at a civilian agency isn’t as sensitive as the data that could be contained in the systems of a defense, homeland security or intelligence agency—where troop locations or the identities of CIA operatives could be at stake should the system be breached by a cyber attack. As Matt explained, “…we're seeing that there are a lot of tools out there that people are using in the commercial space that we're not using in the government space because the security and compliance regime is too onerous and too difficult, and it doesn't match the type or the reason why you're using it, or the type of data that's going into that service.”
To combat this issue, Goodrich is looking to segment FedRAMP—effectively treating these systems differently, and not necessarily holding them to the same rigorous controls.
“…We're taking a look at how we can make the security process match the actual use of the system,” Matt explained regarding the segmentation of FedRAMP. “We're looking at very low risk, very specific use cases for why you'd be using the service and having security that matches that…if you're looking at very specific use cases, you can look at those controls and say that maybe some of those aren't needed because of the data we're looking at.”
This movement away from a “one size fits all” approach for FedRAMP, and a desire to process authorizations and grant cloud solution certifications more quickly, will only benefit the federal government. At a time when cloud solutions are increasingly essential for delivering the requisite IT services within tight agency IT budgets, the FedRAMP program is taking positive steps to ensure that advanced cloud technologies are certified and ready to be utilized across all agencies. It is also working to make available within the federal government the new low-risk solutions with specific use cases that are already being utilized across the private sector with much success and benefit.
All of these proposed changes ensure that the federal government is better positioned for its digital transformation, which is inevitable if agencies are to meet critical mission goals with agility under budget constraints while providing a secure environment with a rich user experience, one in which cloud gets to play an even greater role than it does currently.