The General Services Administration is getting closer to debuting its Federal Risk and Authorization Management Program, or FedRAMP, but that does not necessarily mean the cloud computing cybersecurity standard will fulfill every agency’s needs, said a GSA official June 29 at an AFCEA Bethesda event in Washington, D.C.
“It would not surprise me if each agency had some customization,” said Bill Lewis, director of the portfolio management division in GSA’s federal acquisition service. “But if the time to get A&A or C&A on the cloud service is decreased [with the help of] FedRAMP, that will have fulfilled the purpose of it.”
The goal of FedRAMP is to provide agencies with commonly accepted risk assessments and cybersecurity evaluations of low- to moderate-impact cloud services, allowing agencies to implement a cloud solution without having to individually certify and accredit the solution for themselves. The Federal Information Security Management Act of 2002 requires “certification and accreditation,” which is sometimes also referred to as “assessment and authorization,” in order for a system to operate within an agency’s network.
Agencies appear to be struggling to acquire cloud services that fit their requirements within the time frame they would like.
“In the absence of any MOUs or any agreements within the department or with external vendors, our problem is that the certification and accreditation is extremely lengthy. It’s lengthy within the agency, let alone any C&A outside the agency involved with a government-external entity. So that still needs to be resolved,” said Jaspal Sagoo, chief technology officer at the Centers for Disease Control and Prevention.
Sagoo said CDC wants program officers with specific knowledge of cloud computing. Ideally, GSA would like to provide templates that will help program officers more clearly construct cloud computing service level agreements which outline “exactly what you need the SLA to say for administration, for fault management, or whatever,” said Lewis.
“If that guidance is made available, the amount of time program officers at agencies spend will hopefully be reduced,” said Lewis.
“I personally think the program offices shouldn’t have to go in and write a statement of work, send a bunch of paper back and forth between agency and suppliers. We want to get to a point where it’s almost like the book part of Amazon. You can say, ‘Here’s what I need: I need access to this many virtual machines, it’s got this operating system, we’ve got this much memory associated with it.’ You buy it, you know it’s commoditized and it’s the lowest price technically-acceptable to purchase,” he explained.
Whether it’s through education around broader contracts or new acquisition vehicles, the time it takes to procure a cloud solution needs to improve, said Lewis. He added that a governmentwide working group or a task force to address this will likely emerge in the coming months.