The Federal Risk and Authorization Management Program must scale to keep pace with growth in the as-a-service offerings agencies are using, according to Eric Mill, senior advisor to the federal CIO.
Agencies increasingly avoid having to develop or operate software themselves by connecting to cloud-based apps for everything from hiring to healthcare.
FedRAMP’s creation in 2011 saw government begin to reduce its data center footprint by vetting the security of cloud services once and enabling agencies to reuse the authorized technology — starting with solutions from major cloud service providers. The Office of Management and Budget’s draft FedRAMP memo, released Oct. 27, is built on the notion that as-a-service offerings have transformed agencies’ cloud migrations.
“We really want to see the continued use and growth of Software as a Service inside federal agencies as a general matter, but we’re very comfortable just making the fundamental point that we want agencies to be focusing their finite resources, technical operations, staff and budgets on the technology that’s specific to their mission,” Mill says. “When there is something that can be done, run and hosted externally in a safe way, that is a fundamental benefit to freeing up the agency to do their own mission.”
Zero-Trust Security and the Cloud Go Hand in Hand
The government’s Cloud Smart strategy, released in 2019, ushered in the transition to as-a-service solutions with a focus on baking cloud into agencies’ procurement and hiring processes. The FedRAMP memo acknowledges this fact and paves the way for the next wave of cloud migrations, Mill says.
Mill is involved with the Federal CIO Council’s Cloud & Infrastructure Community of Practice (C&I CoP), which has increased its focus on zero-trust security in the past two years.
The federal zero-trust strategy issued in 2022 explains the foundational benefits of commercial cloud in meeting agencies’ cybersecurity requirements.
C&I CoP participants are in the process of updating their agencies’ cloud service acquisition methods and sharing best practices with each other, which will benefit FedRAMP.
“Their experience is going to be critical for actually operationalizing the kinds of authorization processes that we think are going to have to scale up over the coming years,” Mill says.
FedRAMP Aims to Maximize the Cloud Services Agencies Can Use
The C&I CoP’s recommendations aren’t prescriptive on adopting a hybrid or multicloud model; rather, they encourage agencies to identify what they’re trying to achieve and choose the approach that makes the most sense, Mill says.
Many agencies have already embraced multicloud, and the FedRAMP strategy is to “bring in as wide an array of services as possible” to support them wherever they are in their cloud journeys, he adds.
Similarly, the federal zero-trust strategy acknowledges there are a few ways to connect to the cloud; agencies aren’t limited to software-defined WAN or using cloud access security brokers. The requirement for agencies is to ensure they can handle direct internet connections, when appropriate, at the Federal Information Security Management Act’s moderate level.
“What we want to see is that agencies are taking the concept behind zero trust of real, environmental isolation and achieving that in a consistent way that can pull together the data points that they need to maintain secure connectivity between their users and their resources,” Mill says.