GSA and other agencies are considering how to revamp and streamline the FedRAMP program for authorizing cloud services, including SaaS.
The General Services Administration’s new cloud strategy leader says that “speed is a security property,” as GSA and other agencies consider how to revamp the FedRAMP program for authorizing cloud services on government networks.
“Control and speed are two of the areas that I’m really focused on in my role and just in general working as a civil servant,” Eric Mill, the executive director for cloud strategy within GSA’s Technology Transformation Services division, said during a Monday event hosted by Google in Washington.
Before taking on his GSA role in January, Mill served at the White House Office of Management and Budget as senior advisor to Federal Chief Information Security Officer Chris DeRusha.
With Monday’s event focused on the Biden administration’s “Secure by Design” initiative, Mill highlighted efforts to bring consistency to how the government evaluates the security of cloud services.
“The government is filled with many buyers, many agencies,” Mill said. “And each of them may be making the right decision of what’s right for them to ask for something to be pulled in their direction. But if that’s adding up to something where we now have made it absolutely impossible for a cloud provider to just say a consistent thing about a very important security area, then in the large, we may be shooting ourselves in the foot a little bit.”
In a January report, the Government Accountability Office found agencies have increased their use of the Federal Risk and Authorization Management program in recent years. But GAO also documented numerous challenges with FedRAMP.
For instance, agencies told GAO that cloud service providers were not always prepared for the FedRAMP process. And CSPs told GAO that they had to update their infrastructure to meet federal security requirements, while third party-assessment organizations applied the FedRAMP criteria inconsistently.
Meanwhile, OMB released draft guidance in October to overhaul aspects of the FedRAMP program and better support the increasing demand for Software-as-a-Service (SaaS).
The proposed changes would transition the Joint Authorization Board to a seven-member FedRAMP Board. OMB also wants to promote more shared authorizations between agencies, while being more transparent with companies about where they stand in the FedRAMP process.
During his comments Monday, Mill said ensuring cloud companies can quickly introduce new security features, rather than being hindered by government authorization processes, is another major priority for him at GSA.
“We need to be making sure that we, in the service of visibility and oversight and security, are not making it impossible for companies to operate at the speed that produces as many security features and security improvements as possible,” he said.
“That doesn’t always come naturally to the government,” Mill added. “I work a lot with FedRAMP – doesn’t always come naturally there. But working on that is a priority here.”
GSA is also among the agencies tasked with increasing the speed of authorizations and the use of reciprocity across agencies under the FedRAMP Authorization Act, passed as part of the 2023 defense policy bill.
“We will get more secure-by-design services if we are helping the security teams around the world that form the backbone of the infrastructure that we’re relying on, to work at speed,” Mill said. “Speed is a security property. And that’s something that we should be encouraging. That’s something on my mind.”
Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
Follow @jdoubledayWFED