Agencies are increasingly adopting software and other applications underpinned by cloud computing infrastructure.
Before the current COVID-19 calamity and since, federal agencies have been quietly building the foundation for expanding the collection and use of data to improve their performance. This includes appointing data officers, developing learning agendas and assessing agency data-building capacity. While some treated things like this as a compliance exercise in the past, a global pandemic underscores the fact that data and collaboration have never been so critical to our ability to move forward effectively.
Meanwhile, law enforcement and security agencies are also looking to adopt mobile capabilities and other digital technologies to quickly share data across a remote and dispersed workforce.
“I think IT leaders in the public sector, and quite frankly, across industry have learned from this period, and how tremendous digital agility was critical, and now they have the space to make those decisions about the future,” Delie Minaie, vice president for civil sector at Booz Allen Hamilton, said on Federal News Network.
But agencies are not a monolith. Each one is a unique combination of independent bureaus, divisions and offices. Minaei said “governance” is a crucial component of agency cloud adoption, with executive leadership needing to coordinate adoption at the highest levels so agencies can gain the cost and collaboration benefits of cloud, instead of making duplicative and disparate investments.
“Being able to have standard, repeatable processes is going to be really important,” she said.
One process that’s already in place? The Federal Risk and Authorization Management Program, or FedRAMP, which was established by the White House Office of Management and Budget in 2011 to ensure the security of cloud services used by agencies.
Cloud service providers can obtain a FedRAMP authorization for one of its services by getting an authority-to-operate (ATO) from an agency seeking to use the service, or by getting a provisional ATO from FedRAMP’s Joint Authorization Board. The JAB is a governing body of chief information officers from several agencies. Agencies can rely on a previously granted ATO to adopt a cloud service, rather than putting the application through its own security assessment and authorization process.
In the past, gaining an ATO from the JAB has been “more art than science,” Minaie said. But the program has matured and evolved over the years, she added.
“I think we’re to the point where a lot of what FedRAMP has put in place by way of the controls, and inheritance of those controls, is making it easier to get ATOs at the application layer much faster,” Minaie said. “You think about your various CSPs or your platform providers, being able to inherit, a lot of those controls down to the application teams. And so I think we’re seeing quicker times to ATO. Things that were taking months are happening now in weeks. And a lot of that is due, I believe, to the FedRAMP control inheritance.”
FedRAMP was given another boost recently when the program was codified into law under the FedRAMP Authorization Act. Congress passed the bill as part of the broader Fiscal Year 2023 National Defense Authorization Act in December.
The law also includes a “presumption of adequacy” clause to prevent duplicative security assessments and, in theory, speed up the adoption of cloud services across agencies. It also establishes both a FedRAMP Board and a Federal Secure Cloud Advisory Committee to provide oversight and feedback on the process.
The continued evolution of FedRAMP may be just one crucial piece to agencies’ ongoing adoption of cloud-based technologies as they look to address challenges ranging from cybersecurity to climate change to improving the delivery of public services.
“I think gathering the right data and drawing real time insights can really supercharge mission outcomes and move towards solving some of the most dire challenges we face today,” Minaie said. “But the first step is you must modernize your IT infrastructure and have it capable of ingesting really high volumes of data and supporting kind of cutting edge tools that make it all make sense.”