Ann Dunkin is out of Washington, D.C., and is about as far away as one can get from the nation’s capital and still be in the continental United States. Since mid-February, she has been serving as the CIO of Santa Clara County, Calif., but from February 2015 until her departure from the federal government earlier this year, she served as CIO of the Environmental Protection Agency.
Although she’s now the IT chief for Silicon Valley — Santa Clara County is home to Cupertino and Mountain View, the headquarters of Apple and Google, respectively — Dunkin has some pearls of wisdom for her erstwhile colleagues in Washington.
In an interview with FedTech, Dunkin discussed what she would do if she were federal CIO for a day (a position that, as of earlier this month, is being filled on a temporary basis by Margie Graves, formerly deputy CIO of the Department of Homeland Security). Dunkin also talked about improvements she would like to see to the General Services Administration’s Federal Risk and Authorization Management Program, or FedRAMP.
What would Dunkin do if she were federal CIO for a day? “Having worked for the federal government, I have to say that in one day you couldn’t do anything,” Dunkin said.
Agencies face the challenge of keeping up with reporting requirements that the Office of Management and Budget sets for them on various IT metrics, according to Dunkin. “One of the things I would do to make federal IT more efficient is that there is a tremendous amount of oversight that comes from OMB that is not well coordinated,” she said.
Agency CIOs have a lot on their plates, from cloud migrations to meeting with the CFO, managing deputies and thinking through IT modernization.
“If I was looking for something that I could snap my fingers in one day and do, it would be to realign OMB’s oversight to be more coherent and simplified so that federal CIOs didn’t spend so much of their time trying to respond to OMB guidance and data calls,” she said.
FedRAMP, the program charged with certifying that cloud service providers are secure enough to be used by agencies, underwent a series of changes last year designed to streamline the certification process.
This year, FedRAMP plans to give agencies more choices of CSPs, continue to update its modernization process and enhance ties between agencies and cloud firms. One of the steps it is taking is the introduction of “FedRAMP Tailored,” which is aimed at speeding up the approval of low-risk cloud tools — services like collaboration tools, project management, and open-source development. Public comment on the new approach has been extended until April 24.
However, Dunkin said that she thinks “FedRAMP is not operating the way it was designed to operate.”
“Certification should be a very easy process, but it’s not a very easy process for vendors,” she said. “It’s hard, it’s expensive, and it basically locks out small businesses, so if you’re a small cloud provider you can just forget it.”
Moreover, Dunkin said, FedRAMP was envisioned to be the authorization body for the government, but agencies are layering their own authorization-to-operate (ATO) processes on top of FedRAMP. CSPs “are going through the FedRAMP process and then the agencies are coming along and doing an ATO. In some agencies, they are doing multiple ATOs for the same product.”
The government “needs to figure out a way to make FedRAMP work as it was envisioned or agencies need to share their ATOs.”
Security is the No. 1 issue keeping agencies from adopting the cloud, Dunkin said. “People have a lot of issues with legacy apps not being cloud-ready, but I think far and away security is what’s keeping people out of the cloud,” she said.
Looking back, Dunkin said she is most proud of the EPA’s shift to agile development processes. In the summer of 2016 the agency unveiled plans for a $200 million contracting vehicle dedicated to agile services.
Dunkin said she is proud that she helped the agency focus on “building an innovative culture and moving the organization toward agile implementation,” which translated into “a lot of the work we did on the enterprise side.”
“I’m very pleased with that and happy that work is continuing,” she said.
Although Dunkin is now immersed in the technology that underpins many county services — from hospitals to jails and the sheriff’s department — she said, “I wish my federal colleagues the best and certainly hope that IT continues to be treated as what it is, which is a nonpartisan issue that will continue to evolve.”