
When the Levee Breaks – and the Authority to Opine


If it keeps on rainin’, levee’s goin’ to break

If it keeps on rainin’, levee’s goin’ to break

When the levee breaks, I’ll have no place to stay.

Where is the levee?

Many know this song, created off the events of a damaging flood in Mississippi in 1927, which destroyed many homes and devastated the agricultural economy of the Mississippi Basin. Many people were forced to flee to the cities of the Midwest in search of work.

That levee, IMO, is about to break again when the finishing parts of the opining or reciprocity (pick your lexical favorite) of the FedRAMP High baseline to the Department of Defense (DoD) Impact Level (IL) 4/5 are completed. The FedRAMP High baseline was meant to match the cloud security requirements of the DoD Security Requirements Guide (SRG) at inception, but the SRG was in flux (under revision) and, to date and to my knowledge, has not been mapped in its entirety. Just as a cloud service provider's (CSP) FedRAMP Moderate baseline Authority to Operate (ATO) allows for a one-to-one mapping to DoD SRG IL 2 (Internet-facing, not NIPRNet-facing), a mapping of FedRAMP High to DoD SRG IL 4/5 would allow cloud service providers to sell more into the DoD market.

Without going into all the DoD impact levels and SRG requirements in this piece of writing, I would say that (hopefully) FedRAMP High reciprocity to IL 4/5 will help the federal cloud marketplace break the DoD levee (or barriers) to cloud adoption. This marketplace arguably accounts for one-half of the total information technology spend in the US Government marketplace and is highly protected by incumbent processes.

See DoD SRG info here.

Why the mystery?

To stay on the current theme, a levee is a barrier, and when it breaks, it messes stuff up. All those who are hiding behind the DoD restrictions of cloud security have something to lose if the reciprocity is completed. This is not a proper capitalist and free market mindset. It will threaten those who hold their security knowledge as job security and a contractual lock (death grip) on the way “it is.”

You say that FedRAMP has created barriers to the entry of CSPs? Yes, but it is for good reason. The ATO process should be hard, but it proves a CSP is following the gold standard for cloud security practices. Those cloud services that meet FedRAMP High should be granted P-ATO by DoD at these higher impact levels.

However, the completion of the FedRAMP High to DoD SRG alignment has yet to occur (but not for lack of attempts on the part of FedRAMP). The mystery of the Defense Information Systems Network (DISN) boundary cloud access point (BCAP) and how you connect to it is not rocket science, but it is a closely guarded secret of the few who wish for no competition.

See DoD SRG info for DISN BCAPs here.

OK but…

So far Amazon, Oracle, and Microsoft have made it to the promised land of IL 4/5 (as per DISA, and note that the list was last updated in 2016). That is nowhere close to the number of FedRAMP accreditations, which at last count was 89, with 528 reuses of the ATOs. These approved IL 4/5 CSPs have paved the way for PaaS and SaaS providers to leverage their IaaS as a launch point for “everything else as a service” (EEaS? Maybe I just made that up). Additionally, Autonomic Resources’ (CSRA) ARC-P will be connecting its IaaS wagon to IL 5 soon due to their recent DISA milCloud 2.0 award. So, IaaS at the proper IL exists, but what about the solutions that the DoD could utilize above the hypervisor (above IaaS)? These solutions need to find their collective way to the DoD promised land. All those cloud solutions leveraging the IaaS providers that have or will have IL 4/5 will need to gain access to the NIPRNet.

What can be done?

One, support the efforts the FedRAMP PMO is undertaking to allow DoD reciprocity at IL 4/5. Getting the trains on the same tracks, if you will.

Two, PaaS and SaaS providers at the FedRAMP Moderate level need to make the effort to rise to the FedRAMP High baseline, to get ready for an Authority to Operate at IL 4/5.

Three, alternatively, buy a plot of IaaS IL 4/5 “land” from an approved provider and build your PaaS / SaaS atop that to inherit IaaS IL 4/5 controls and BCAP access, then follow the FedRAMP High/SRG guidelines to achieve your desired level of impact accreditation.

Then, “game on” for the entrenched DoD system integrator who likes it just the way it is.

Game changer!

Legal Note – my blog reflects my opinions, not those of my employer, my former employers, nor those of distant dead relatives, nor my cats (well, maybe my cats).

John Keese is part of the GovLoop Featured Blogger program, where we feature blog posts by government voices from all across the country (and world!). To see more Featured Blogger posts, click here.
