FedRAMP’s Role in a Post-COVID World

The Federal Risk and Automation Management Program, more widely known as FedRAMP, was put in place in 2011 to create a standardized approach to evaluating the security controls of cloud solutions for government use. For nearly a decade, FedRAMP has continually evolved to keep up with the growing availability of and demand for cloud solutions. In fact, the number of authorizations granted between 2016 and 2018 increased roughly 33% year over year.

With this in mind, the latest modernization of FedRAMP may be coming via the FedRAMP Authorization Act of 2019, which would expedite the approval process. Of particular interest is language in the bill that introduces the "presumption of adequacy." This means that once a cloud vendor is authorized through the FedRAMP process with one agency, it is cleared to work with other agencies under that initial authorization. The legislation also formalizes roles and responsibilities, designating the Office of Management and Budget as responsible for FedRAMP policy and putting the General Services Administration in charge of day-to-day implementation. Finally, the bill stipulates metrics to track the implementation of the program.

Further influencing the demands on FedRAMP is the quick surge of support for flexible cloud solutions to enable telework environments amid the COVID-19 response. These developments may have a significant impact moving forward. While private industry is stepping up and offering technology for free to help secure public health and safety, the federal government must still look to FedRAMP guidance in utilizing cloud solutions. Today, more than ever, a quick and efficient approval process is essential.

Get to Know the CDO

Chief Data Officer (CDO) may be one of the newest C-suite designations, and it's quickly becoming one of the most important. With data-driven government becoming a mandate via the Federal Data Strategy and the Evidence Act, accountability around data management is essential. More than just a way to check a compliance box, having a CDO is a smart business decision in a world where data is critical to how government organizations interact with constituents. However, having a CDO is only a start. The CDO needs to be set up for success as well.

One report indicated that 60% of federal CDOs lack a clear understanding of their role. According to Gartner, a CDO is a senior executive who bears responsibility for enterprise-wide data and information strategy, governance, control, policy development, and effective exploitation. This role makes sure data is secured appropriately for access, as well as privacy concerns, and sets the rules and processes for managing the data lifecycle. The CDO also develops solutions to use that data to create business value.

Even if the role is defined within an organization, CDOs report they lack budget authority or insight into what budget they have to complete their jobs. This mirrors what we have seen with another "young" position, CIOs. Chief Information Officers have seen their role elevated by its measurement in the FITARA scorecard, and with that tracking, are getting more budget authority and input. In addition to budget, CDOs also need the authority to set and enforce policies and processes across their organization and, in doing so, streamline communication among related groups.

When the Show Simply Cannot Go On

The Coronavirus has made many organizations take a hard look at how and if they should proceed with events in the coming months. Decisions made in response to this virus should be informed by security and contingency best practices and should serve to inform planners in the future.

Best practices include:

  • Hygiene - Have antibacterial sanitizers available throughout your event venue. Ensure that bathrooms are stocked with antibacterial soap. Confirm with caterers how they stock buffets to reduce the risk of people grabbing for food with hands instead of utensils.
  • Have a Plan B - Consider how you can take the show virtual if needed. Look into virtual event and webcast technologies in advance of an issue arising to provide an alternate option should an event have to be canceled or postponed.
  • Review Contracts - Look carefully at cancellation clauses so you understand what falls into each vendor's (including insurance provider's) definition of "force majeure." This ensures that you fully understand the reimbursement policies when making cancellation decisions.
  • Plug into the Community - Tune in to what is happening in the city/community where you are holding the event. It's critical to know what is going on in the community so you can plan accordingly. For example, if there has been a rash of recent protests or a spike in crime, you may want to increase security at your venue. In the case of a public health issue, you'll know what is actually happening on the ground in terms of infections and general reactions so you can inform attendees and plan accordingly.

We've been in touch with many of our partners and have pulled together this list of events that have been canceled, postponed or rescheduled due to health concerns.

We'd love to hear from you. How have precautions around the Coronavirus impacted your event planning? Share your stories in the comments. For more government events worldwide, visit GovEvents.

FITARA is Evolving and Agencies are Keeping Up

The ninth Federal Information Technology Acquisition Reform Act (FITARA) Scorecard, released in December, showed promising progress in meeting goals and in holding agencies accountable for their modernization efforts. For the first time, three different agencies earned an "A" or higher. The General Services Administration and Department of Education both received an "A+" and the United States Agency for International Development got an "A." This scorecard was the only time a failing grade was not handed out. Overall, agencies have upped their scores from a "D" average on the first scorecard in 2015 to a current "C+" average.

Scores are not the only thing that has increased. What is being measured has also grown. The first scorecard only measured four areas -- data center consolidation, IT portfolio review savings, incremental development, and risk assessment transparency. The latest version has nine subcategories that include measuring progress against recently enacted legislation.

Big gains in scores were found in regard to compliance with the Megabyte Act, legislation that aims to improve the way agencies manage their software licenses. Gains were also found in giving CIOs more authority. In fact, the reporting found that 22 agencies had permanent CIOs, two had acting CIOs and, of those, 16 reported directly to leadership.

Progress on data center consolidation also continues, though not without controversy. Rep. Gerry Connolly (D-Va.) voiced concern with the Office of Management and Budget's latest guidance on data center consolidation that changes the language to "optimization" and not "consolidation." He argued that consolidation is what frees up capital and drives cost savings, an area where agencies still struggle.

The Insecurity Around Election Security

The delays and confusion over the Iowa Caucus results have once again brought election security into the national spotlight. Voting has increasingly moved to electronic means following the 2000 elections that put the fate of the election in the "hanging chads" of Florida. Electronic voting machines seek to remove human error in the actual voting process as well as vote tallying. However, many voting precincts are using technology that is 10-20 years old, introducing problems around maintaining and securing the systems for today's use.

One surprising conclusion around election security is the critical role of a paper trail. Having a paper back-up to electronic voting proved to be important in Iowa and is making counties nationwide re-examine the role of paper in modern elections with the end goal of accuracy being more important than speed.

To modernize voting procedures, systems, and products, Congress has earmarked over $700 million to replace paperless voting machines with more secure digital options that offer a paper trail. While voting is handled at the state and local level, more support from the federal level comes with a new policy that ensures the FBI briefs state election officials when local election infrastructure has been compromised. However, many argue this does not go far enough and that the FBI should loop in election officials if they discover breaches of private sector companies involved in providing election technology and support.