Civilian agencies for years have debated cloud security services and how best to use them to meet their mission, and as new administration faces join the workforce ranks, there’s no better time to take another look at their cloud approach.
Speaking at a Feb. 9 Cloud Computing Caucus Advisory Group event in Washington, David Bray, CIO for the Federal Communications Commission, said when it comes to helping new agency heads or department secretaries understand the value of cloud services, “it’s really about if you want to move with speed to transform how your agency operates, to reform processes to get off legacy ones, and move faster.”
“The value proposition is by moving to cloud, at the same time you can revisit how you do the business of your agency,” said Bray, whose agency relies 100 percent on public cloud and commercial service providers. “That’s the language we should be speaking.”
Cloud can be useful for services like email, said Marlon Andrews, the deputy chief information officer for the National Archives and Records Administration, but moving everything to the cloud “makes me a little leery.”
“The end goal to me is not everything in the cloud, the end goal is to have the best functioning product possible, and if that’s the cloud that’s great, and if it’s something else that’s great as well,” Andrews said. “I’m not saying it is or is not the cloud, I’m just looking at each individual system and moving forward.”
But moving forward in whichever direction with cloud services can pose hurdles for agencies.
Since the cloud security effort known as the Federal Risk Authorization and Management Program (FedRAMP) launched in 2012, price tags and timelines have risen for companies looking to get approval from the Joint Authorization Board agencies [Defense and Homeland Security departments, and the General Services Administration], which gives a provisional go-ahead to operate for cloud services.
Bray said FedRAMP needs to be seen as a fast lane, not an obstacle, and that if something is certified, the program should be the one to handle responsibility for security.
“Why are we all doing individual, continuous diagnostic and data monitoring on our systems, when in fact — if something is FedRAMP certified — they should take the responsibility for the security. I can do it for things I’ve customized, but part of the value proposition of FedRAMP is if you get a [software as a service] solution, we will take care of the basic security and making sure it’s up to date for you. Anything custom you have to do, but we shouldn’t multiply that times 100 different agencies each trying to do their own thing.”
FedRAMP Accelerated launched in late March 2016, with the goal of cutting the current 6-12 month authorization wait time down to 3-6 months. A FedRAMP dashboard also launched last summer, which provides a way to see the status of a vendor’s authorization.
Improving FedRAMP is a bipartisan issue, and one Reps. Blake Farenthold (R-Texas) and Gerry Connolly (D-Va.), both members of the cloud caucus, brought up during the event.
“A lot of government information is sensitive and it’s gotta be secure, so we end up with things like FedRAMP, that, though well-intentioned, really do slow innovation,” Farenthold said. “The beauty of technology is it moves fast and the government has got to find a way to keep up with the technology, whether it’s patches for security or new features.”
Connolly pointed out that the program started with the goal of being a one-stop shop for certification that would be fast and not overly expensive, and said that, if need be, Congress would take the reins to put that goal back on track.
“That efficiency has turned into a long, drawn, torturous process with a big backlog. It costs millions of dollars on average. That’s not an efficiency, that’s actually government at its worst. And we can’t say that’s OK, that’s not what it was designed to do,” Connolly said. “So we have some work to do. If the government itself can’t do this, then I fear … I’m happy to do it … but it’s not always the ideal solution to put things in statute because Congress does not do nuance.”