Ready for Takeoff: The Role of FedRAMP in the Path to Digital Transformation

The White House’s modernization efforts are accelerating agencies’ move away from legacy systems. Additionally, citizens are demanding a new way of interacting with the government, one that outdated legacy systems do not effectively support.

Agencies that are not undergoing a digital transformation risk becoming stale and outdated.

The way forward for governments is with cloud services. If leveraged in a strategic and prioritized way, the cloud allows agencies to properly take advantage of this transformational moment. Moreover, the Federal Risk and Authorization Management Program (FedRAMP) is enabling agencies at the federal, state and local levels to safely access a wide range of cloud-based technologies.

In GovLoop’s recent Government Innovators Virtual Summit, experts shared the tangible benefits of migrating to digital tools.

These experts included:

  • Joe Arthur, Strategy and Innovation Executive, Infor Public Sector
  • Lon D. Gowen, Chief Technologist and Special Advisor to the CIO, USAID
  • John Hamilton, FedRAMP Operations Manager, GSA
  • Claudio Belloli, FedRAMP Program Manager for Cybersecurity, GSA

The challenge is, even though FedRAMP has been around for 6 years, many government employees are still unfamiliar with it. The experts weighed in to help elaborate.

“FedRAMP is a way to standardize federal operations with our customers and implement continuous monitoring for authorization,” Hamilton said. “We standardize documentation all the way to continuous monitoring of cloud systems. It also ensures controls to make cloud services more secure and effective on an annual basis.”

As technological trends rapidly advance, agencies have been tasked with meeting the increasing needs of employees and citizens by relying on digital transformation. FedRAMP is an enabler of digital transformation through the cloud.

Cloud computing is especially important to driving government digital transformation, as it has helped agencies mitigate risk, improve productivity and leverage new capabilities to meet citizen and employee needs.

FedRAMP was designed to help agencies safely and securely access a wide range of cloud-based technologies without having to invest large amounts of time and resources.

“FedRAMP has been instrumental in pushing cloud-first policy in government and helping agencies get to cloud,” Belloli said. “We make these packages available to agencies so they can come in, pick one that meets their needs and not have to worry about whether it’s compliant with security regulations. It saves the agency time and resources.”

Investing in cloud can be a serious undertaking for agencies across all levels of government.

Gowen works with various elements of USAID and guides them toward cloud service providers that can meet FedRAMP criteria.

“There’s a fairly big cost associated with trying to get a system and authority to operate,” Gowen said. “Being able to have a FedRAMP cloud solution, like SaaS or PaaS, makes a big difference when we can look at a package that another agency has already done to get accredited. This can save agencies anywhere from $25 to $100,000.”

Not only can FedRAMP provide enhanced security and efficiency in the cloud as well as cost savings, but it also paves the way for agencies to reap the benefits of true digital transformation.

“From a digital transformation perspective, FedRAMP provides a reliable cloud environment, which serves as an enabler for digital transformation,” Arthur said. “As more government entities put their information in the cloud, it will allow them to establish integrated data that will give them access to that information and provide real-time visibility with a common business platform for analytics as well as self-service analytics.”

Under FedRAMP, cloud companies must meet a list of requirements defined by the National Institute of Standards and Technology (NIST) before receiving approval to sell cloud services to government. These security controls span all aspects of technology service delivery and management including:

  • Rules for governance: audit and accountability, contingency planning, program management, risk assessment, security assessment and authorization.
  • Rules for information: access control, identification and authentication, media protection, configuration management, system and communications protection, and system and information integrity.
  • Rules for people: awareness and training for personnel and security.
  • Rules for external factors: incident response, physical and environmental protection, and system and service acquisition.

“There’s a lot of traditional, legacy IT in government,” Belloli said. “But moving to the cloud allows them to save money. Once they get into the cloud they can take advantage of newer technologies in the cloud. With FedRAMP authorization, agencies can get access to more secure cloud packages a lot faster.”

In fact, some of these processes could take upwards of 2 years. With FedRAMP, agencies can get the authorization for the cloud technologies they need within 3 to 6 months.

And while FedRAMP is designed for the federal government, state and local entities can still harness the same or similar packages from authorized cloud service providers. According to Belloli, states like Arizona are modeling their own cloud programs after FedRAMP.

The biggest challenge agencies may encounter with FedRAMP going forward is ensuring their organizations are culturally prepared for cloud. “Some agencies are willing to move to the cloud while some still don’t really know what it is,” Belloli said. “There’s a cultural tendency in government where it’s hard to let go of control to allow for innovation to happen in the culture of the organization.”

Arthur suggested documenting touchpoints as agencies go through the process of migrating to cloud as well as partnering with industry. “Look for fast solutions and establish interoperability standards for operations,” he said. “You should build once and reuse – that will drive down costs. Reach out to your FedRAMP liaison. They are a wealth of knowledge. It’s a collaboration process. Try not to be prescriptive in what infrastructure is used but focus more on usability and functionality.”

Hamilton and his team at GSA developed a playbook with best practices from the pre-authorization phase all the way through continuous monitoring for cloud. “FedRAMP resources and templates can get you through the process while promoting further transparency,” he concluded.

Check out the rest of our coverage and insights from the 2018 Government Innovators Virtual Summit:
