This blog post is an excerpt from GovLoop’s recent guide, Mapping Government's Journey to the Cloud: 8 Success Stories. The guide includes interviews with federal, state and local officials who have overcome common barriers to cloud adoption, including procurement and security. Download the full guide here to get their insights and tips for success.
In the federal government, you can’t talk cloud security without mentioning FedRAMP. It’s short for the Federal Risk and Authorization Management Program, but you’ll rarely hear people rattle off the entire name.
The governmentwide program was designed to speed secure cloud adoption across federal agencies by establishing standard security requirements for cloud vendors. In March 2016, the FedRAMP program office announced plans for getting vendors through that process quicker.
Both industry and government have been working through the growing pains of speeding the process and addressing lingering security concerns often associated with cloud computing. To better understand agencies’ needs and support their cloud journey, the program brought on Ashley Mahan, its first Agency Evangelist. Her goal is to help agencies embrace FedRAMP and ultimately adopt secure cloud services.
GovLoop spoke with Mahan about her new role and the cloud computing issues she’s seeing across government.
GovLoop: What does a typical day/week look like for you? What types of people are you meeting with and what do you discuss?
Mahan: Each day and week looks different. I do regularly meet with agencies, cloud service providers (CSPs), 3PAOs [Third Party Assessment Organizations], the Joint Authorization Board and the FedRAMP Program Management Office team. While each conversation is different, I always focus on: How can FedRAMP facilitate more cloud adoption by the federal government by using FedRAMP-compliant cloud services?
GovLoop: What are you seeing at the agency level in terms of cloud adoption and the types of capabilities agencies are looking for in the cloud?
Mahan: Recently, one of the trending conversations I have with agencies is in regards to innovative SaaS offerings that are not yet FedRAMP-compliant. Agencies are very interested in learning more about the specific capabilities FedRAMP-compliant and in-process cloud services offer. In addition to solving their practical challenges, agencies are expressing their desire to learn from one another and ask for my assistance to help. It is a very exciting time as the FedRAMP Agency Evangelist!
GovLoop: What have you seen as the pain points and concerns agencies face when it comes to security in the cloud? What advice/tips are you sharing with those agencies?
Mahan: Agencies are primarily concerned with effectively managing risk, and secure cloud products are pivotal to their risk-management strategies. We are noticing that agencies have a couple of concerns when it comes to cloud security: The cloud is “newer” and less tangible than legacy IT solutions that agencies are used to, and with that comes a discomfort in adopting a new way of doing business via the cloud.
Individual agencies can accept their own level of risk associated with a cloud service when authorizing that cloud service (as allowed by the Federal Information Security Management Act), [but] one agency may be hesitant to “re-use” another agency’s authorized cloud solution because it may not trust the risk tolerance associated with that authorized cloud solution.
To help ease these concerns, FedRAMP is supporting agencies to:
1) Provide high-level education about the cloud, security and the FedRAMP program.
2) Standardize the documentation and review process. FedRAMP encourages agencies to perform their due diligence in reviewing all security documentation that is located within the FedRAMP secure repository prior to issuing an authorization.
3) Clarify the risks that the authorizing agency accepted. FedRAMP is applying safeguards to ensure agencies are well informed prior to reusing an agency-sponsored Authority to Operate (ATO). The FedRAMP team reviews each sponsored agency standard ATO package and provides a summary report (three to four pages) outlining the system risk to ensure each agency makes an informed review and decision. FedRAMP retains a copy of all authorized CSP security documentation, and we assist agencies to perform their due diligence in reviewing all security documentation.
GovLoop: What specific challenges do agencies face when it comes to fully embracing FedRAMP? What advice/tips are you sharing with those agencies?
Mahan: Some agencies are still trying to understand how FedRAMP will help them, and we offer more services than just the “authorization.” As stakeholders better understand the services we can provide, they will know that they can come to us for more support. We are strengthening communication channels among agencies and between agencies and the FedRAMP PMO by establishing a FedRAMP Agency Point of Contact at each of the 24 CFO Act agencies. An agency’s FedRAMP liaison will coordinate and facilitate increased collaboration among agency partners and cloud adoption.
GovLoop: How do you measure success in your role, and what does that mean for the agencies you serve? What gap do you see yourself filling?
Mahan: FedRAMP has done a lot of great work over the last few years. And, as we have evolved, we have made it a priority to help agencies adopt the secure cloud. We have already seen success — as can be measured by an increase in the number of agency ATOs and an increase in the number of conversations I am having with agencies regarding their cloud needs and solutions. Of course, FedRAMP is not solely responsible for agency cloud adoption, but we are doing what we can to help.
GovLoop: What three takeaways about cloud and security do you want our government readers to know?
Mahan: Cloud technologies provide cost-effective solutions to business and mission needs. Agencies need cloud capabilities to improve their core agency functions to meet their mission and cost-effectively optimize business functions. FedRAMP exists to help provide a unified framework for federal agencies to securely adopt cloud technologies; we are proactively working with agencies to promote collaboration and share information. I am here to help — if you are an agency or a CSP working with an agency in obtaining an authorization and need FedRAMP assistance, please contact me at [email protected] or @FedRAMPAshley.