Prioritizing agency needs is next step for officials behind new FedRAMP memo

The implementation of OMB’s memo focuses on agency representation and looks to continue modernization.
Eric Mill speaks Oct. 18 at CyberTalks in Washington, D.C. (FedScoop)

The release last week of long-awaited FedRAMP modernization guidance for federal agencies began with “a novel approach” from a pair of Office of Management and Budget colleagues that included room to test out some of their ideas. 

Drew Myklegard, the deputy federal CIO, recalled that he and Eric Mill, now the General Services Administration’s executive director for cloud strategy, put their heads together when both were at OMB and began the process of drafting the memo, which aims to tighten the FedRAMP process’ timeline and reduce program participants’ burden through methods like automation.

“We took a novel approach in that we were going to simultaneously build out an existing program and make it better and test some of the ideas that we had in the memo,” Myklegard said in an interview with FedScoop. “At the same time, we were going to seek extensive feedback from public comment — a lot of agency partners, a lot of our key leaders inside of that space — and also ensure that some of the longer transition and cultural changes that needed to take place were prioritized.”

Additional goals called out in the memo include leading an information security program grounded in technical expertise and risk management, increasing the marketplace rapidly through offering additional authorization paths, and leveraging shared infrastructure in public and private relationships. 

As the team was building out the memo, the “extensive feedback” Myklegard referred to came not only from public comment from agency partners and key leaders inside the cloud computing space, but also from sessions with industry. Ultimately, OMB in partnership with the GSA sought to focus on how to ensure agency success in implementing the guidance and what the next steps look like.

Agency voices

To understand the priorities, experiences and risk appetites of the federal agency community, Mill told FedScoop that the team looked to the FedRAMP board, which he called a “really important representative of the agency community” and a representative of the “agency technology and security leadership community.”

“We’ve really been very excited about the way that this FedRAMP board has been constituted and operationalized to make it so that we can have much greater confidence,” Mill said. “And there’s a process that’s going to help us when we have a direction that we feel we need to go in, that we think is in the best interest of the federal community.”

Myklegard agreed and also credited the Technical Advisory Board — which was included in the draft memo and implemented before the issuance — for hosting the “best and brightest … people from across the federal government at the agency level.” He also pointed to the public and private collaboration with the Federal Secure Cloud Advisory Committee (FSCAC) for the spotlighting of both agency and industry voices. 

Specifically, the deputy federal CIO offered the example of GSA, the Department of Veterans Affairs and the Department of Health and Human Services as collaborating partners on products that are “already on their pathway to FedRAMP,” adding that the agencies are “going to decide how they do it jointly.”

“Everybody shares in the work and [it] delivers value faster,” Myklegard said. “So we hope to see pockets of these, where agencies have similar missions and similar requirements and [Software-as-a-Service] products that they need to authorize — and they will be leading the way.”

FedRAMP’s future

While Mill described the past year as a “series of next steps at the GSA,” he said that technical capacity within his agency is critical to the memo’s implementation.

“I want to draw a connection to the work we did throughout the year leading up to a roadmap and anticipating this memorandum, which has been that we’ve made very real resource realignments internal of how our finite number of people and time and money are being allocated,” Mill said.

GSA administratively houses FedRAMP and is in the final stages of hiring a director, but also has had staff working at FedRAMP on things included in the memo, such as automation. Mill acknowledged that automation work within the program “requires significant amounts of work and a dedicated ability to run your technical leadership inside the government with a focus over a period of time with multiple people involved.” 

Mill placed the burden of handling the evolving nature of the cloud on whether or not the GSA is a “very smart, leaderly, technically grounded organization.”

“Our actual authorization process and the substance of the mission of FedRAMP is something that we think is going to only be able to truly meet the goals that you can see expressed in that memorandum … and the hopes and dreams that people have for FedRAMP,” Mill said.

Myklegard, on the other hand, shared that the OMB team is doing “agency road shows,” which involve talking to agency leaders and staffers handling implementation tasks so that “they clearly understand the agency expectations that we’re putting out in the memo.”

“As we look to the future, [we’re] looking [at those agency staffers] to make commitments around both the number of products that they’re going to authorize in the next couple of years,” Myklegard said. “Especially the reuse and adoption of [governance, risk and compliance], those underlying … tools that will enable a faster sharing of security packages between agencies.”

As for next steps following the memo, Myklegard noted the “supply chain of trust” and the adoption of external frameworks that the government can leverage to allow cloud service products to come in and be authorized.

Written by Caroline Nihill

Caroline Nihill is a reporter for FedScoop in Washington, D.C., covering federal IT. Her reporting has included the tracking of artificial intelligence governance from the White House and Congress, as well as modernization efforts across the federal government. Caroline was previously an editorial fellow for Scoop News Group, writing for FedScoop, StateScoop, CyberScoop, EdScoop and DefenseScoop. She earned her bachelor’s in media and journalism from the University of North Carolina at Chapel Hill after transferring from the University of Mississippi.