New FedRAMP Initiatives Driving Cloud Adoption in DOD
January 28, 2016
by Stephanie Meloni, Senior Analyst
Matt Goodrich, the director of the Federal Risk and Authorization Management Program (FedRAMP) at GSA, recently published a blog post outlining some big changes ahead in the mandated cloud security certification program. The changes center on accelerating authorization time so users can capitalize on the speed of building systems using cloud capabilities.
These technology enhancements will create a publicly available dashboard, demonstrating how agencies are using the cloud. Additionally, changes include finalizing requirements for high impact security systems so Cloud Services Providers (CSPs) can start working with data and applications at higher security classifications. All of these efforts are aimed at making FedRAMP scalable and increasing cloud adoption at government agencies.
The demand for cloud at the Department of Defense (DOD) has not wavered, but slower cloud adoption has plagued the Department. Additionally, a recent Inspector General report criticized the lack of a DOD definition for the cloud, alluding to the fact that the Department is unable to measure cost savings realized by cloud migration. The DOD relies on FedRAMP security standards for its lower-level security data. About a year ago, the Department withdrew the mandate for DOD agencies to use DISA exclusively as their cloud broker, providing DOD customers with more choices, while increasing competition and driving down costs. Expect this to remain the case going forward — though some of DOD’s data will still need to be hosted on-premises via milCloud, simply due to security requirements.
These new FedRAMP changes should improve cloud adoption in DOD, particularly with speed-to-market. Additionally, the dashboard will be of value for technology companies selling cloud solutions to the DOD, as it will provide insight into which agencies are using FedRAMP — possibly even assisting the DOD to better define the cloud. The dashboard will also show where companies are in the approval process, giving visibility into what has been criticized as a lengthy process, leading to procedural reforms.
There are still many things DOD needs to figure out when it comes to the cloud, like determining the right security levels, the process for hosting commercial cloud on DOD premises, and acquiring cloud services through resellers. These changes to FedRAMP are meant to accelerate adoption and spell out security requirements more clearly, aiding a department that still faces an uphill battle capitalizing on cloud capabilities.
Want to learn more about FedRAMP? Watch this quick video from the Government IT Sales Summit where the Program Manager for Cybersecurity at FedRAMP, Claudio Belloli, gives advice on resources available for IT vendors to better understand FedRAMP requirements and the authorization process.