Executives from government and its contractors met Thursday at the Potomac Officers Club’s FedRAMP Forum in Falls Church, Va., to discuss the governmentwide cloud computing initiative, as well as ways for vendors and agencies to collaborate further on cloud adoption.
A panel of three executives from the public and private sectors — led by FedRAMP Program Director Matt Goodrich — discussed the origins of FedRAMP and security implications they believe companies and agencies should consider in cloud technology acquisitions.
Goodrich started the breakfast event with a keynote address to brief attendees on updates to FedRAMP.gov and on new features that the General Services Administration — which manages FedRAMP — included to give vendors and other stakeholders more information on the program.
The updated website and an outlook on the year ahead for FedRAMP were among the topics our sister site ExecutiveGov discussed with Goodrich as part of a wide-ranging conversation that took place before the forum.
Panel participants included Katie Lewin, a FedRAMP architect in her former role as GSA’s cloud computing director; Claudio Belloli, FedRAMP’s cybersecurity program manager; and Chad Andersen, cyber capability lead and FedRAMP program manager at Noblis.
Lewin described the original intent behind FedRAMP as a process for vendors to get their cloud products an authority-to-operate at one agency and quickly get a similar ATO at other agencies.
That process now sees many vendors instead try to go through FedRAMP’s Joint Authorization Board one time in order for all agencies to accept that approval for cloud technologies, Lewin said.
“We need to encourage agencies to accept each other’s ATOs and scale down the approval processes to the agency level,” she said.
Belloli discussed the security issues that surround the larger cloud adoption push at agencies and how FedRAMP is intended as an approach to approvals similar to that of FISMA, which agencies use for information security standards.
GSA is looking for ways to automate the approval processes and other methods for vendors to submit their documentation, Belloli said.
“We need to demystify the process and help and advise vendors.”
Andersen also highlighted how potential security risks factor into the FedRAMP approval process and told attendees to consider other agencies besides GSA as the audience for their cloud proposal.
Documentation from vendors should also stand on its own in applications for an ATO and help agencies understand the security of systems, Andersen said.
“Any risk makes it multiplied across all agencies, think about (that) when going through JAB,” he said.