‘Mr. FedRAMP’ Reflects on His Career, Forecasts Program’s Future

Former FedRAMP Director Matt Goodrich can’t help but laugh when he talks about his first day as a government employee.

“I got my laptop, and I got a Blackberry,” Goodrich recalled. “I still miss that Blackberry.”

A 26-year-old fresh out of law school, Goodrich was eager to tackle something new. It was the height of the recession and, frankly, he – along with any other working graduate — was grateful to have a job.

His first assignment after joining the General Services Administration (GSA) nearly a decade ago was to register the domain apps.gov, which served as an online storefront for cloud and software services before it was decommissioned in 2012. Cloud was still a fairly new concept in government, so he searched Wikipedia to figure out what cloud was, in addition to researching how to register a domain name.

His rise from joining GSA as a member of the highly selective Presidential Management Fellows training and development program to eventually helping to shape — and later leading — the government’s cloud security program is a story within itself.

Goodrich quickly became synonymous with the cloud program and was even dubbed Mr. FedRAMP, a title that was used as a branding technique but a name he later shied away from. FedRAMP’s success was and is bigger than any individual, he said. But in true fashion, Goodrich can still rattle off how many rounds of policy reviews the FedRAMP memo went through before it was publicly released in December 2011. Curious to know? A whopping 78.

Fast-forward to August 2018. Goodrich left his post as FedRAMP Director to serve as Acting Assistant Commissioner for GSA’s Office of Products and Programs. About a month shy of his one-year anniversary in the role, Goodrich shared with his social media followers that his last day at GSA would be July 26. “I’ve spent the last ten years walking in and out this door, and today I walked out of it for the last time as an employee,” he wrote in a LinkedIn post.

I recently sat down with Goodrich as he embarks on his latest journey outside the walls of government. He recently joined Salesforce’s Global Public Sector’s Security Specialist team. We spoke about his appetite for out-of-the-box thinking that guided the early days of the Federal Risk and Authorization Management Program (FedRAMP), the program’s progress, where it’s heading and what he wishes he would’ve done differently.

Goodrich has undoubtedly shepherded the FedRAMP program to a place where nearly 150 cloud products and services are now authorized through the program, with dozens more in the pipeline. State and local governments are even using FedRAMP requirements to gauge the security of vendors, but it’s nearly impossible to know the program’s far-reaching impact and exactly who is using it. Goodrich has worked closely with current FedRAMP Acting Director Ashley Mahan to evangelize the program, spread awareness and address lingering issues of agencies reusing the security assessments rather than conducting their own — sometimes from scratch.

These are all metrics of a healthy program and issues that the FedRAMP program management office tracks closely. Customers also use these metrics to measure the success of the program.

Is FedRAMP Successful?

“I think it’s a successful program,” Goodrich said, pointing out that industries, markets and other governments share similar sentiments. “There are other countries who are trying to model similar efforts after it.”

Goodrich explained that the household names in cloud aren’t the only ones eyeing FedRAMP. Niche providers and medical device suppliers are showing interest. Consider scenarios where soldiers must be transported from combat to a hospital. The secure and reliable sharing of that soldier’s medical status, via the cloud or other means, is crucial. That’s where FedRAMP adds value.

But boosting widespread FedRAMP adoption in government has its challenges. The program management office within GSA that runs it doesn’t have the authority to make agencies use FedRAMP, Goodrich said. “It doesn’t mean we have some magic wand that we can [use] to get people to do what they’re supposed to do. So, I think there’s going to be critiques, and there’s plenty of things that we know work for the program and things we wish we had changed.”

The FedRAMP office includes about five federal employees, give or take, and roughly 40 to 50 support contractors to manage the governmentwide program. The modest staff has managed to get companies through FedRAMP’s Joint Authorization Board in under four months. On average, it takes less than six months for vendors to complete the FedRAMP process, down from 12 to 18 months when the program launched.

Despite FedRAMP’s growing customer base, the program’s budget hasn’t had commensurate increases in funding. Part of the strategy forward for FedRAMP will be refocusing on cloud vendors that have the greatest impact on federal data, meaning they are already in use today or there is a high demand for their products and services.

Generally, the number of agencies using FedRAMP, reciprocity issues and the cadence of reviews and authorizations are among the big-ticket items for the program office. “We are seven years past the [FedRAMP policy] memo date when it was launched,” Goodrich said. “There are agencies that still don’t have memos of how [to implement] FedRAMP at their agency.” One of the few regrets Goodrich said he has is not explicitly requiring in the original policy memo that agencies create a plan to implement FedRAMP. Today, more than 150 agencies are using the program, including all of the largest federal agencies. But there still isn’t a standardized way that agencies are implementing it.

“There’s plenty to talk through,” Goodrich said. But there is no denying that FedRAMP has helped to reduce duplicative security efforts across agencies.

The Defense Department is proof. In his July 17 written testimony to House lawmakers, John Wilmer, Deputy CIO for Cybersecurity at DoD, wrote that to date, DoD has issued 130 provisional authorizations to use a cloud system that relied on FedRAMP reciprocity — without any additional DoD evaluation. That is huge, particularly for DoD, which at one point touted its FedRAMP+ program, which added defense-specific requirements to the security assessment process.

FedRAMP has made waves in recent weeks following Reps. Gerry Connolly, D-Va., and Mark Meadows, R-N.C., reintroduction of the FedRAMP Act. The bill aims to codify the program into law, set metrics to ensure it is properly implemented and widely used across government — as is currently required by the Office of Management and Budget — and help cut down on redundant security assessments, among other things.

“One thing that I found interesting as time has evolved is, when we started FedRAMP, it was because we ran the cloud computing initiative to remove the barriers to adoption,” Goodrich said. “Somehow, over time, it’s become that FedRAMP was supposed to accelerate the adoption of cloud computing. And it does because it removes a barrier. But that doesn’t mean security is accelerating your implementation or accelerating your acquisition. It’s removing a barrier.”

Shepherding FedRAMP With Strong Leadership and Customer Experience

Since the earlier days of FedRAMP, education and transparency have been a big focus for Goodrich and his former team. When he came onboard as FedRAMP Director in 2011, Goodrich hired consultants to assess the program. The goal was to glean real feedback from customers.

“What we were hearing was basically things that we agreed with but also things that people didn’t know we were doing,” Goodrich said. “People had great things to say about the value of the program, and what the program could do, but they had problems with how it was working for them. And so at that point I realized that it doesn’t matter how good of a product we had, or [how] good of a program we have. If people have misperceptions about it, and they’re not engaging with us, it’s never going to get to them.”

Despite FedRAMP being a technology program, Goodrich realized that outreach – one-on-one time spent talking and working with customers – was the key to greater transparency. Customer satisfaction scores rose by double digits to over 90%, which he attributes to improved customer outreach.

He credits former GSA leaders such as Casey Coleman, Kathy Conrad, Katie Lewin and others as instrumental in elevating FedRAMP and related efforts. These leaders served as both mentors and sponsors, who had bold visions and were generous in sharing their powers, Goodrich explained.

“Part of my naiveté and being new to government really helped because I just didn’t see all of the roadblocks that were going to be coming my way, and I think that helps, and not having bosses that were telling me that, ‘This isn’t going to happen,’” he said.

The level of access and partnership with the White House was also key to FedRAMP’s development. Goodrich remembers meeting at the Eisenhower Executive Office Building every Thursday at 9 a.m. with his colleagues and former Federal Chief Information Officer Vivek Kundra to discuss the iterative development of the program. “It was like agile before agile,” Goodrich said.

“Having that kind of top-level support, I don’t think any ideas were too crazy,” he added. There were constant dialogues and a willingness to push boundaries where needed and dial back certain ideas. In many ways, Goodrich’s FedRAMP journey has had a profound impact on him personally and professionally.

“People talk about their time in government as being like a tour of duty, or their service to our government,” he said. “I feel so lucky, that I just view it as an amazing job, and I got to do really cool things. And that’s why I say my time in government is not over.”

When asked about the words people use to describe him — impressive, incredible, legend — Goodrich paused.

“I don’t take compliments well,” he said. “But, you know, on my arm, I have tattooed honesty and loyalty and respect in binary code. And there’s a line connecting them that goes out my right hand. And there’s an energy principle, that when you shake hands with someone you’re transferring energy to them. It makes me really happy that those are the words I try and live my life by, and I think the comments have reflected that I guess I’m doing a decent job at that.”