In one of its first acts, the 117th Congress passed the FedRAMP Authorization Act. This bill codifies the Federal Risk and Authorization Management Program (FedRAMP) and, in the process, shortens the time it takes for cloud solutions to be implemented in the Federal government. Currently, cloud solutions must frequently gain a separate authority to operate for each agency where they are used. This bill looks to have the General Services Administration (GSA) automate processes to promote reciprocity for security validations from one agency to another.
This bill was passed at a critical time for cloud adoption within government as agencies continue to accelerate their digital plans to meet the needs of a remote workforce. While the way has been cleared for "emergency" use of cloud to keep the business of government running, laws and policy like this Act ensure that there is long-term support for the move to cloud services.
The Federal Risk and Authorization Management Program, more widely known as FedRAMP, was put in place in 2011 to create a standardized approach to evaluating the security controls of cloud solutions for government use. For nearly a decade, FedRAMP has continually evolved to keep up with the growing availability of and demand for cloud solutions. In fact, the number of authorizations granted between 2016 and 2018 increased roughly 33% year over year.
With this in mind, the latest modernization of FedRAMP may be coming via the FedRAMP Authorization Act of 2019, which would expedite the approval process. Of particular interest is language in the bill that introduces the "presumption of adequacy." This means that once a cloud vendor is authorized through the FedRAMP process with one agency, it is cleared to work with other agencies under that initial authorization. The legislation also formalizes roles and responsibilities, designating the Office of Management and Budget as responsible for FedRAMP policy and putting the General Services Administration in charge of day-to-day implementation. Finally, the bill stipulates metrics to track the implementation of the program.
Further influencing the demands on FedRAMP is the quick surge of support for flexible cloud solutions to enable telework environments amid the COVID-19 response. These developments may have a significant impact moving forward. While private industry is stepping up and offering technology for free to help secure public health and safety, the federal government must still look to FedRAMP guidance in utilizing cloud solutions. Today, more than ever, a quick and efficient approval process is essential.
Over the past year, there has been a shift in the way government approaches the cloud. Agencies are no longer asked to go "cloud first"; they are now urged to be "cloud smart." This change is not just a matter of semantics; it is a different way of thinking. Rather than choosing a cloud solution to meet mandates, agencies are examining whether the cloud is the right platform for the application or system in question. Cloud Smart also means picking the right kind of cloud (public, private, or hybrid/multi-cloud) to meet user, administration, and security needs.
One way to be Cloud Smart is to follow FedRAMP guidance. While this program is not without its challenges (including the speed at which technologies get approval), it is still a valuable tool to ensure that industry standards and security protocols are met. Participation in the program is growing with 150 participating agencies and over 130 FedRAMP-authorized cloud service offerings.
While guidance around how to proceed to the cloud is evolving (along with the cloud technology), agencies are pushing forward and finding their smart path to cloud and, more importantly, creating new ways to interact with their constituents. For example, the U.S. Department of Agriculture's (USDA) Farm Production and Conservation division made the shift to a commercial platform-as-a-service (PaaS) for Farmers.gov. This site "allows farmers, ranchers, foresters and agriculture producers to register their businesses electronically and gain personalized access to the services they need to manage their operations." By using cloud technologies, USDA found they could save their developers time, enabling them to focus on configuring, rather than coding.
There are several events that feature examples of these cloud successes and discuss how to overcome technical, policy, and cultural barriers to smart cloud adoption.
- DC CloudWeek (June 3-7, 2019; Washington, DC) -- This SXSW-style citywide festival brings together thousands of government and tech leaders from around the nation to share how the cloud is transforming government, academia, nonprofits, and the private sector. It includes dozens of community conferences, events, and parties.
- AWS Public Sector Summit (June 11-12, 2019; Washington, DC) -- This event brings together innovators who are changing the world with cloud computing to share their successes and lessons learned to guide wider cloud adoption in government. The conference aims to send attendees back to their office with new strategies and techniques for kicking off new projects, maximizing budgets, and achieving mission goals.
- ATARC Federal Cloud and Infrastructure Summit (June 25, 2019; Washington, DC) -- This educational, one-day symposium will examine the cloud tools and techniques being used by the Federal Government to provide agencies with greater efficiency and cost savings. The morning session will feature speakers and panels with government thought leaders, while the afternoon includes the MITRE-ATARC Cloud Collaboration Symposium, where government, academic, and industry subject matter experts will examine cloud and data center challenge topics.
- 2019 Cyber Security Brainstorm "Cyber Strong: Cyber's New Frontier" (August 8, 2019; Washington, DC) -- This half-day program will discuss integrating cloud and other next-gen technologies, strategies for building cyber strength, and preparing the workforce for these technological changes.
- KubeCon | CloudNativeCon (November 18-21, 2019; San Diego, CA) -- The Cloud Native Computing Foundation's flagship conference gathers adopters and technologists from leading open source and cloud native communities to further the education and advancement of cloud
Let us know your go-to events for cloud information with details in the comments.
The Federal Risk and Authorization Management Program, commonly known as FedRAMP, was introduced in 2010 and signed into policy at the end of 2011 as a "standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services." In plain English, it provides a baseline for agencies to determine if a cloud solution is secure enough for them to use. Vendors get FedRAMP certified as a way to prove their solution is ready to plug and play into federal systems.
In recent years, cloud has moved from a curiosity for most agencies to a key part of IT infrastructure. With this change in cloud acceptance and use, FedRAMP has also started to evolve to meet today's needs. Last summer, Rep. Gerry Connolly introduced the FedRAMP Reform Act of 2018 as a more stringent enforcement of the use of FedRAMP guidance.
Cloud Computing has moved from a fringe technology that agencies were willing to try to a mainstream part of IT strategy and infrastructure. CloudFirst guidance from the executive branch got agencies looking at cloud as an option as they modernize systems. FedRAMP provided a standard for cloud security for government, easing the fears that a move to cloud meant a less secure system. Agencies have provided a host of guidance on how to use the cloud in their particular environments and for their missions. The intelligence community even went so far as to design a cloud that meets the specific needs of its users.
But even with this growing comfort, it's been a slow implementation process. Earlier this year, the Department of Homeland Security set up a cloud steering group after realizing that of their 584 applications only 29 were currently in the cloud, and another 52 were in the process of moving. They understood the cost and performance benefits of cloud but needed a way to accelerate the move. Beyond the technical aspect of designing cloud for government, there are also policy issues including a Supreme Court-level discussion of how and when cloud providers have to release data that they store.