Matt Goodrich admits it was good to be a little naïve when he took on the Federal Risk and Authorization Management Program (FedRAMP) effort in 2011.
Nine years later, Goodrich looked back on his time in government and all the trials and tribulations in leading FedRAMP as “fun.”
Goodrich, the former director of the cloud security program known as FedRAMP and now a principal solutions engineer and security specialist at Salesforce, said that even with all the herding of cats, even when some in industry got personal and nasty, and even when Congress got involved, the journey of taking FedRAMP from a start-up to a mature program was well worth it.
“It was more of an art. It’s not really a science, and with all art, beauty is in the eye of the beholder. Trying to figure out how to make this picture of a program work as effectively as possible knowing that everyone had these different desires was fun, but not without its own set of challenges along the way,” Goodrich said in an exit interview on Ask the CIO. “I really enjoyed the people that I worked with. I really enjoyed the team that we got to do it. We all knew that to change things you are going to ruffle feathers, you are going to step on toes and people are going to get upset. But I considered it fun because I felt like we achieved something and I had a team that we could all congratulate each other, smile and have fun along the way.”
Goodrich said because FedRAMP stakeholders include agencies, contractors, political appointees, lawmakers and others, he had to balance a complex ecosystem of needs and expectations.
That complex ecosystem sometimes put Goodrich in the crosshairs of vendors, lawmakers and others who took on the program almost as a personal vendetta against him.
Goodrich said he had to keep focused on the importance of the concepts and goals of FedRAMP.
“There were a lot of egos. There were some people who were pretty big naysayers. But at the end of the day, I knew we had a good idea and an idea that made sense. There wasn’t something else that made better sense,” he said. “To make it work, I had to get those naysayers and other people on board. As for the naysayers or people who didn’t like me, I hope by the end they at least got to a respect level because our goals were always the same. Whenever I heard someone who said they didn’t want something or FedRAMP was bad, my goal was to always get back to why are they saying that and why do they think what they are doing now is better than what they could get out of the program?”
Goodrich said his team had to rise above the negativity and attacks to focus on getting to the end result, which was a sustainable and valuable cloud security approval process.
30% increase in cloud approvals
The data supports Goodrich’s self-proclaimed “stubbornness.”
In 2019 alone, FedRAMP says it authorized 45 new cloud services, which is a 30% increase in products approved compared to the year before, the biggest increase in the program’s history. In all, the program has approved 191 cloud services, including 154 at the moderate level.
“I knew what we were doing at the end of the day was always the right thing. I knew what we were doing was good and it was better than what was going on now,” Goodrich said. “There were times where I had to leave early because I was personally offended or personally mad, and take some time, step away, have a moment and then come back and say, ‘this isn’t against me.’ What it comes down to whenever something was said was I would try to put myself in their shoes and say, ‘Do I see their viewpoint? Do I agree? I’m just mad they are making it so loud.’ Usually the answer is ‘I see their viewpoint and I understand why they are saying that.’ So now how do we get to a solution to get this person to agree with the program and see we are doing the right thing?”
Several of these moments led to major improvements to the FedRAMP process. Goodrich said the “FedRAMP accelerated” effort was an example of listening to their customers to improve the program.
When Goodrich arrived in 2011, it would take 12 to 18 months to do a cloud security authorization, which was too long for industry or government.
“I remember sitting in a room with the small fed team we had and said, ‘I’m making a crazy goal, within a year we are coming up with a process to authorize consistently vendors within six months.’ This meant we had six months to define the process, find partners and work with the Joint Authorization Board to determine how their roles would change, and then pilot it and prove it could work. Within a year, we would fundamentally change the program,” he said. “I know the team, at the time, looked at me like I was crazy, but I was fortunate to have a team that also supported me in that crazy. They took it on as their own mission too, and we had great partners from industry, which showed to me industry also believed in the program and what its intent was.”
He said that when the first authorization came in under six months, it was an amazing win for the program. Now, he said, it takes four to five months on average to achieve a FedRAMP authorization.
Transparency was key
One of the ways Goodrich and the FedRAMP team revamped the policies and processes was to have contractors do a “tell all” about their cloud security authorization journey. He said over two days, they diagrammed every single action and interaction with vendors.
“We thought we were doing things that were really great and helpful, and they were actually making things harder at times,” he said. “That opened our eyes up and it made us realize we had to look at our internal processes. The program management office was doing a lot of duplicative work to the JAB teams. We realized most of the work was duplicative and wasn’t providing value. So we redefined the roles between who was doing what work and why. Finally, we looked at the process itself. The process was designed for building a system, but the systems we were looking at were already built.”
Goodrich said that’s where the idea of a readiness assessment came from, especially as research showed that many of the obstacles to vendors getting authorizations more quickly were around readiness.
He credited the support from the Office of Management and Budget and from the General Services Administration for enabling FedRAMP to improve. He also said that his office was aggressive about demonstrating its successes through metrics and security rigor.