by Kenneth Corbin

Federal IT Leaders Want Cloud Vendors to Provide Clarity

News Analysis
Jan 23, 2015 | 4 min read
Topics: Cloud Computing, Cloud Security, Government

FedRAMP director says industry needs to do more to document security protocols in cloud services as agencies look to broaden adoption of the program across government.

Image credit: Thinkstock

WASHINGTON — If you’re a cloud service provider, the federal government wants to hear from you.

Federal agencies are actively shopping for new cloud computing technologies, but vendors will help their cause by packaging their services to be more readily implemented in a government environment that is highly security conscious and almost preternaturally cautious about rolling out new IT systems.

The feds have been developing a system for streamlining the security requirements for cloud service providers (CSPs). Under the FedRAMP program, vendors can submit their cloud service for a review by an inter-agency panel to gain clearance to operate across the government, or can seek approval of a single department or agency.

One of the early adopters of the FedRAMP program was the Department of Health and Human Services, which granted the government’s first agency-specific approval of a cloud service to Amazon in 2013.

The department has continued to sign off on additional vendors in the time since, including Salesforce and Microsoft, but with each review comes a fresh — if familiar — set of headaches.

Government Needs Better Documentation From Cloud Service Providers

“There is often a fundamental misunderstanding with the CSPs about what the government expects to see in terms of documentation,” says Christopher Bollerer, director of security governance at the Risk Management and Compliance division of HHS. “We have struggled with every single CSP that we have gone through with documentation.”

At a FedRAMP conference on Thursday, Bollerer described the challenges that can emerge when various business units within HHS consider implementing a particular cloud service. The initial agency-specific review is conducted at a high level, involving Bollerer’s team, the CSP and perhaps leaders of the component agencies within the department.

Too often, Bollerer explains, the CSPs fail to incorporate in their documentation the substance of those discussions, leaving potential end users unsure about red-letter security issues like the internal controls in place with the vendor.

“Here’s the thing — we all get to sit in a room for maybe two weeks and talk about this,” Bollerer says.

“Nobody else, no other government consumer that is going to leverage that package has the benefit of those conversations, so those packages need to be absolutely clear about how security is implemented,” he adds. “And be very clear about it, because they do not have the benefit of sitting in a room with us for two weeks.”

As a concept, FedRAMP aims to confer a security compliance standard that can be recognized and trusted across the government, saving individual organizations the trouble of conducting their own independent reviews of services and applications, in the process addressing one of the chief barriers to moving to the cloud. That system, which the CIO Council describes as taking a “do once, use many times” approach, also seeks to dramatically ease the burden for cloud vendors looking to do business with the government.

Matthew Goodrich, the FedRAMP director at the General Services Administration, acknowledges that the system is hardly perfect, and remains very much a work in progress.

However, he pegs the cost savings the feds have garnered through FedRAMP-compliant services at $40 million over the past two years, what he calls “a really conservative estimate.”

But that’s only a start.

Raising Awareness and Winning Support Key to FedRAMP Success

Goodrich sees a central part of his job as raising awareness of FedRAMP and winning support for the program among agency CIOs and other government leaders. He talks of “stakeholder engagement” as a crucial element of the effort to expand the adoption of FedRAMP-compliant services.

“We want to make sure the entire government understands that FedRAMP is truly a government-wide program,” he says.

Goodrich is also looking ahead to a series of reforms to FedRAMP that will aim to make the review process “as nimble and agile as possible” to address the “ever-evolving landscape in cybersecurity.”

“Want to make this process as easy as possible for vendors and as easy as possible for government to get through,” Goodrich says.

To start, Goodrich is working to develop better baseline guidance for agencies to adopt FedRAMP-compliant systems, an effort that would produce a best practices reference guide and implementation guidance and eventually offer support options for CIOs rolling out new cloud technologies.

Other areas that Goodrich is looking to address include mechanisms to improve collaboration among agencies and enhance the quality and consistency of third-party evaluations of FedRAMP candidate technologies.