VA’s enterprise cloud office streamlines ATO process

The Department of Veterans Affairs enterprise cloud office is working with vendors to cut down the amount of time it takes to move a software product through the cybersecurity authorization process.

Joe Fourcade, lead cybersecurity analyst at the VA’s Enterprise Cloud Solutions Office, says the “authority-to-operate” process for new cloud projects used to take nine to 12 months. But after his team developed a Federal Risk and Authorization Management Program (FedRAMP) control-inheritance process, teams can typically bring an application into VA cloud environments in as little as 60 to 90 days today, according to Fourcade.

“It reduces the number of controls that a project becomes responsible for,” he said.

“We’ve really improved a lot of these processes that we’ve worked out with them from organizing their scans to making sure that we have checklists, and we’re hand in hand with them on developing those entire processes,” Fourcade added.

The streamlined ATO process also gives project owners more assurance when they go through a Federal Information Security Modernization Act (FISMA) audit, according to Fourcade.

“It gives the projects the ability to focus our resources on the operation of their system, and only the controls that are really required of them,” he said.

The enterprise cloud office also works with cloud service providers to ensure their application and service vendors are compliant with federal cyber requirements, Fourcade said. The VA primarily relies on Microsoft Azure and Amazon Web Services for its enterprise cloud environment.

“We start giving them the guidance of where they would actually need to go, whether it’s to bring them in through the FedRAMP process, or different actions that might need to be performed by the CSP, to bring that vendor within their boundaries, to get them through the process to get them accredited through the FISMA requirements under FedRAMP,” Fourcade said.

The enterprise cloud office has a team dedicated to working with vendors on such issues, and can help them navigate whether to go through the FedRAMP process or try to achieve VA-specific controls as a managed service provider instead, according to Fourcade.

The experience is often instructive for software vendors who developed their product for commercial use.

“Some of the big areas that I see that a lot of vendors don’t pay attention to when they first try to bring a product to a different federal space is thinking about whether or not they meet the FISMA requirements with how they built their images or develop their tools,” Fourcade said.

Agencies like the VA also have to meet an increasing number of software supply chain requirements to help reduce the chance of attacks like the 2020 SolarWinds supply chain compromise.

“A lot of times we have to talk to them about their supply chain, and whether or not they’re able to meet the requirements of keeping the steady flow of what the VA requires for that support,” Fourcade said.