First established in 2011, the Federal Risk and Authorization Management Program (FedRAMP) was designed to streamline how agencies make the move to cloud computing. With its standardized approach to security assessment, authorization, and continuous monitoring for cloud service provider (CSP) products and services, FedRAMP was intended to save 30-40% of government costs using a “do once, use many times” framework.
But it didn’t quite pan out that way.
Agencies and CSPs have for some time expressed concern about the efficiencies of the program. In particular, the process of assessing and certifying CSP products for security has become a costly and time-consuming business.
These concerns were recently reiterated in a position paper by the FedRAMP Fast Forward industry advocacy group which encompasses CSPs, federal agencies, Capitol Hill officials, and government IT think tank, MeriTalk:
“Two years ago, the prevailing wisdom held that the time and cost for industry to obtain a FedRAMP Authority to Operate (ATO) was nine months and $250,000. Today, those figures can reach as high as two years and $4 million to $5 million.”
Cloud Vendors Lack Insight into FedRAMP Approval Status
The report also cited a problem with accountability and transparency:
“Both agencies and vendors lack information they need to make educated decisions. CSPs are blind to their status in the approval process and what they need to do to move forward, and agencies lack insight into where authorized cloud solutions are operating,” states the paper.
MeriTalk’s founder, Steve O’Keeffe, blogged about the specific problems with the program in his blog: Fix FedRAMP – Tough Love?. Echoing the position paper, O’Keeffe had this to say:
“We love FedRAMP. How could you not?... But it costs too much, it takes too long. CSPs in the process don’t know their status and CSPs trying to get in, don’t know how. There’s mass confusion about the merits of the three paths to a FedRAMP ATO – JAB, agency, and self-certification. CSPs are afraid to raise issues publicly for fear of reprisals from the PMO.”
FedRAMP 2.0 – A 6-Point Plan
In response to the growing frustration with FedRAMP processes, the Fix FedRAMP group recently published its recommendations for FedRAMP 2.0. The six-point plan calls for the following:
1. Normalize Joint Authorization Board (JAB) and ATO Certification Processes: CSPs see a disparity between having a JAB certification and an ATO. The plan calls for a pathway for CSPS to graduate from an ATO to a JAB.
2. Increase Transparency: The report offers a number of recommendations for helping CSPs figure how long an ATO will take and how much it will cost.
3. Harmonize Security Standards: The reports calls for the mapping of FedRAMP to other industry standards (not just NIST) so that CSPs get credit for having already attained those standards.
4. Reduce Cost of Continuous Monitoring: CSPs are continuously monitored for compliance. The report recommends that the cost of monitoring should be reduced for CSPs who have an ATO.
5. Empower Infrastructure Upgrades: This would allow CSPs to upgrade their cloud environments while awaiting approval, without falling out of compliance.
6. Establish Defense Department Crosswalk: Help CSPs map their FedRAMP compliance to DoD security requirements so that they don’t have to start over again should they wish to provide cloud services to DoD.
FedRAMP Responds
FedRAMP agrees there’s a problem. Following a private briefing on the contents of the Fix FedRAMP paper, on January 20th, FedRAMP Director, Matthew Goodrich posted a blog – The Evolution of FedRAMP – in which he outlined quick and immediate changes focused on key improvements in the following areas:
1. Increasing the speed to authorization
2. Increasing transparency
3. Piloting a high baseline
4. Promoting FedRAMP reuse
The Future of FedRAMP 2.0
GSA is expected to roll out its plan to fix FedRAMP on March 3rd. “We’re delighted to hear GSA’s changing. We love the direction. Now we’d all like to see the operational details,” wrote MeriiTalk’s O’Keeffe.
Watch this space!
Related Blog Posts
Cloud Computing, Cybersecurity, Market Intelligence
Originally passed in 2014, the Federal Information Technology Acquisition Reform Act (FITARA) was designed to improve the management of all-things-IT across federal agencies. It essentially realigned how the government purchases and updates its technology, with an aim at grading agencies based on their ability to adhere to and improve on the following categories:
Susanna Patten
Cloud Computing, Cybersecurity, Education, Market Intelligence, State & Local Government, Technology
The annual EDUCAUSE conference highlighted higher education technology trends, goals, challenges, and how to identify a way ahead for higher education institutions to be successful in today’s modern world.
Yvonne Maffia
Cloud Computing, Cybersecurity, Market Intelligence
The Air Force hosts an annual summit known as Department of the Air Force Information Technology and Cyberpower (DAFITC) in Montgomery, Alabama, right next to Maxwell Air Force Base. It’s an opportunity for Guardians, Airmen, academics, and IT industry to come together to discuss pain point remedies and high-level plans and strategies. It is also an opportunity for branch heads to strike deals that lead to the adoption of modern and effective systems, meant to enable air superiority. Ms.
Kevin Shaker
Cloud Computing, Cybersecurity, Education, Federal Government, IT Infrastructure, State & Local Government, Technology
The Cybersecurity and Infrastructure Security Agency (CISA) has seen increased malicious activity with ransomware attacks against K 12 educational institutions. Malicious cyber actors target school computer systems, slowing access, and rendering the systems inaccessible to essential functions, including remote learning. In some instances, ransomware actors stole and threatened to leak confidential student data unless institutions paid a ransom.
Ransomware attacks on US government organizations cost $18.9bn in 2020.
Asad Zaman
Cloud Computing, Cybersecurity, Federal Government, State & Local Government, Technology, Tips and How-Tos
TD Synnex Public Sector’s Chief Cybersecurity Technologist, Don Maclean sat down with Mark Guntrip, Senior Director of Security Strategy at Menlo Security, to discuss one of the latest emergent security threats.
James Hofsiss
Cloud Computing, Cybersecurity, Technology, Tips and How-Tos
Every year, there are more and more security breaches, and it gets harder and harder to spot them. According to a leading cybersecurity vendor1, it takes almost seven months for organizations to find breaches, which gives malicious attackers plenty of time to get what they want.
Most often, system misconfigurations like default settings or credentials leave the door wide open for exploitation, resulting in these breaches. As organizations grow, this problem only gets worse because quick changes frequently result in skipped steps.
Heather Sweet
Cloud Computing, Cybersecurity, Technology, Tips and How-Tos, Training
Security is paramount in the digital age, especially when it comes to keeping networks secure. Having network security monitoring services stand between your organization and malicious attackers is crucial. Still, the volume of alerts and issues that come with them can easily overwhelm your team.
The volume of these alerts is rising every year too. According to a report by TrendMicro, 54% of teams surveyed felt like they were drowning in alerts, and 27% said they spent most of their time dealing with false positives.
Heather Sweet
Cloud Computing, Cybersecurity, Technology, Tips and How-Tos
The digital landscape evolves fast, and attackers are even faster. New ways to attack systems and organizations appear every day, and traditional methods are starting to fall behind the times.
Highly Evasive Adaptive Threats (HEAT) are the newest step in the digital world for malicious attackers. These attacks are unlike anything security experts have seen before and lead to some of the most devastating breaches ever seen.
In this article, we’ll explain how HEAT attacks impact companies worldwide and how Menlo Security’s Isolation Core can help protect your organization.
Heather Sweet
Cloud Computing, Cybersecurity, Technology, Tips and How-Tos
The term "Integrated Management Workplace System" (IWMS) was first used by Gartner in 2004 to refer to a program that could manage and integrate all business and workplace requirements into a single, centralized solution. Since then, a number of solutions have emerged with the aim of bringing together various operational and organizational areas that had previously tended to operate in isolation from one another.
Heather Sweet
Cloud Computing, Cybersecurity, Technology
The development world has changed, and organizations are still adapting to developing in the cloud. Cloud native technology and containers are now at the forefront of software development, meaning that software no longer exists and operates locally. However, despite these quick advancements, cloud native application security still lags behind.
This article will cover how you should approach cloud native application security and why Snyk is the best solution for your needs.
Adam Fyffe
Cloud Computing, IT Infrastructure, Market Intelligence, State & Local Government
The 2022 fiscal year-end is drawing near for 46 states, which means the time to leverage last-minute opportunities is coming to an end as state, local and education (SLED) organizations set their sights on next year’s budget and priorities. With FY23 just around the corner, SLED organizations will start executing on budget plans and drafting request for proposals (RFPs).
Yvonne Maffia
Application Lifecycle, Cloud Computing, DevSecOps
In this post we will look at how to accelerate the development of cloud native applications, give you a snapshot of the USAF deployment of D2iQ, and provide a link to the DLT Cloud Security Assessment to see where you currently stand.
Jeff Schad
Cloud Computing, Cybersecurity, Federal Government, IT Perspective
Over the last few years, the federal government has begun to embrace a zero trust approach as the new cybersecurity standard for agencies. Utilizing the latest solutions and best practices, the hope is to bolster federal cybersecurity and create a robust and resilient IT infrastructure that can protect and secure networks from attacks and breaches.
Kevin Tierney
Cloud Computing, Cybersecurity, IT Perspective, Technology
Last January, the Office of Management and Budget (OMB) released M-22-09, a memorandum that set forth the federal government strategy on zero trust adoption, in an effort to reinforce the security and protection of government agencies’ critical systems, networks, and IT infrastructures.
David Presgraves
Application Lifecycle, Cloud Computing, Cybersecurity, DevSecOps, Market Intelligence
"We are making progress. This really is not just about technology. This is about changing our processes changing our approach to delivering and operating technology to IT systems and our cyber mechanical warfare systems as we move forward," said Robert Vietmeyer, DoD Director for Cloud and Software Modernization.
Toan Le
Application Lifecycle, Big Data & Analytics, Cloud Computing, Cybersecurity, DevSecOps, IT Infrastructure
For the second year in a row, Gartner named IBM a Leader in Gartner Magic Quadrant for 2021 Cloud Database Management Systems based on its Ability to Execute and Completeness of Vision. With emergence of a single cloud DBMS market, We believe our portfolio of feature-rich, enterprise-tested offerings, bold acquisitions, and partnerships enable our clients to address the unique needs of their business, respond to the growing volume, velocity and variety of today’s data and drive more accurate data driven decisions.
Holly Vatter
Application Lifecycle, Big Data & Analytics, Cloud Computing, Cybersecurity, DevSecOps, IT Infrastructure
This week's roundup of the latest news and insights gathered from IBM's Government Research Institute thought leaders:
Michael J. Keegan
Cloud, Cloud Computing, Cybersecurity, Federal Government, Technology
As organizations adapt to hybrid work and more and more cloud services are deployed, new service entities that collaborate and exchange data without human interaction, such as virtual machines and containers, are proliferating. The growth of these service accounts and identities and their increasing volumes of permissions, privileges, and entitlements expose organizations to new attack vectors.
Kevin Tierney
Cloud Computing, Federal Government, IT Infrastructure, Technology
You’ve gathered requirements, evaluated technologies, gotten all the right people to sign off on acquiring new technology, and now comes the hard part — procurement. IDIQs, BPAs, GWACs...the contracting officer is throwing out a bunch of complex terms, options, and estimates of how long it will take to get through negotiations. NetDocuments believes our public sector customers should have contracting options that are a lot like our solutions — easy to use.
NetDocuments
Cloud Computing, IT Perspective, Tips and How-Tos
What’s next for cloud in 2022 (and how can you prep for it?)
There were so many noteworthy AWS re:Invent 2021 announcements out of this year’s big Amazon Web Services (AWS) conference. But what will that news mean for the year in cloud ahead? And how can learners and businesses prepare for the opportunities these will create?
Pluralsight
Cloud Computing, Cybersecurity, Federal Government
The Department of Defense (DoD) is taking major steps to boost cloud performance, with the promise of a tangible, positive impact on military missions throughout the world. Specifically, the Joint Warfighter Cloud Capability (JWCC) contract is replacing the Joint Enterprise Defense Infrastructure (JEDI) initiative, which was intended to establish enterprise-class cloud capabilities for the military community.
Carolyn Ford
Business Applications, Cloud Computing, Market Intelligence
At this year’s Department of the Navy (DON) IT Conference, the U.S. Marine Corps discussed its enterprise cloud delivery strategy and how it is derived from its mission to evolve antiquated networks. Before, a Marine working out of headquarters or a U.S. base would use enterprise systems, applications, and infrastructure, but when a Marine goes out in the field, a new email and identity are assigned to operate from different servers and shared drives. For the Marine Corps, that approach is going by the wayside.
Lloyd McCoy
Cloud Computing, Cybersecurity, DevSecOps, Market Intelligence
"Zero Trust is a cybersecurity strategy and framework that embeds IT security mechanisms throughout an architecture that generate metadata used to secure, manage, and monitor every device user, application, and network transaction at the perimeter and within every network enclave."
From the Department of Defense (DoD) Zero Trust Reference Architecture v1.0
Toan Le
Cloud Computing, Cybersecurity, Federal Government
There has been an increased focus among U.S. government agencies on adapting to modern IT environments and enhancing cybersecurity solutions. This increased focus on security government networks, data, and critical infrastructure is a result of ongoing digital transformation initiatives that are resulting in more mission-critical connected systems and more data for agencies to secure. It’s also a result of the increased number of cyberattacks and more sophisticated cyber-criminals that are targeting our nation’s networks.
Kevin Tierney
Cloud Computing, Cybersecurity, Market Intelligence, State & Local Government
If you have been looking for the right time to sell your technology product or service to the state, local and education (SLED) market, now is the time to act. With thirty-six states beginning their fiscal year on July 1st, now is the time to position yourself to take advantage of a confluence of once-in-a-lifetime conditions that have left the SLED market booming with opportunity. Here are some of the factors driving that opportunity:
New Leadership
Yvonne Maffia
Analytics & Data Science, Big Data & Analytics, Cloud Computing, Cybersecurity, Market Intelligence
The COVID-19 pandemic has spurned greater demand for health information technology (IT) by demonstrating the importance of having robust medical research, health surveillance and healthcare systems capable of rapidly responding to new and developing situations, something which requires strong IT investment in big data, cybersecurity and cloud. In addition, both the pandemic and emerging technologies have led to numerous changes within the healthcare industry, such as telehealth expansion and increased use of wearables, which necessitate robust health IT solutions.
Gabriel Zighelboim
Cloud Computing, Cybersecurity, Market Intelligence, State & Local Government
On December 8, 2021, the National Association of State Chief Information Officers (NASCIO) released its 2022 annual top 10 priorities list identifying the most pressing technology and policy issues that state CIOs are prioritizing for the upcoming year.
Yvonne Maffia
Big Data & Analytics, Cloud Computing
What is the difference between AI and ML?
Artificial Intelligence and Machine Learning are two of the most transformative technologies in the computing space that are changing the world in which we live. However, there is often confusion in in what constitutes Artificial Intelligence, and what constitutes Machine Learning.
Ricardo Dutton
Business Applications, Cloud Computing, Cybersecurity, Market Intelligence
Recent signals by the U.S. federal government suggest that customer experience (CX), primarily citizen-facing services will receive attention and investment from funding sources like the Technology Modernization Fund (TMF). The initial $311 million awarded by the TMF primarily went to projects focused on cybersecurity in keeping with stated priorities and the prevalence of cybersecurity threats. From the beginning, however, TMF has emphasized CX projects that focus on how taxpayers engage with government services in secure digital environments.
Dawit Blackwell
Cloud Computing, Market Intelligence
The concept of cloud computing has been around for many years now. Anyone positioned in the information technology (IT) world knows the language: SaaS, PaaS, IaaS, multi-cloud, hybrid, on-prem, and the list goes on. How has the concept of cloud morphed? More importantly, what are the cloud buzzwords and concepts that you should be aware of to get in front of end-users? Edge computing, data-centric architecture and sky computing are emerging, and here to stay. Let’s break down what each is and its current or future role in the U.S. federal market.
Susanna Patten
Big Data & Analytics, Cloud Computing, Cybersecurity
With another busy year behind us, it’s time to look ahead to fiscal year (FY) 2022. The official information technology (IT) budget request is $97B, a 4% increase over FY21, which would be a new record. Of course, those numbers undercount all the IT spending that goes unreported. Furthermore, remaining provisions in the American Rescue Plan, the Technology Modernization Fund and IT provisions in the Infrastructure Bill will represent additional pockets of opportunity worth billions for channel partners and technology vendors.
Lloyd McCoy
Business Applications, Cloud Computing
Assuring the best digital employee experience is now a business imperative.
DLT Solutions
Cloud Computing, Market Intelligence
The numbers don't lie. The U.S. public sector is rapidly adopting cloud technologies across the spectrum. According to the NASCIO 2020 State CIO Survey, only 14% of state chief information officer (CIO) organizations do not have a cloud migration strategy, whereas 41% of respondents indicated that they had implemented a cloud first strategy for all new applications.
David Blankenhorn
Cloud, Cloud Computing
As I.T. professionals, security needs to be at the forefront of everything that we do. Even in mature organizations with robust cloud deployments we must always believe there is room for improvement. Here are four considerations to make when evaluating the security of your AWS workloads.
How will you utilize your logging data?
Ricardo Dutton
Cloud, Cloud Computing
Cloud billing can be a tedious and complicated task if not planned for correctly. If you do not have a well thought out plan on how to approach your AWS bill when charging back to various departments or projects, things can get messy when attempting to divide the bill correctly. In this article we will discuss three methods to make strategizing your approach ahead of time to make things much easier when it comes to invoice time.
Cost Allocation Tags
Josh Gazes
Application Lifecycle, Big Data, Cloud, Cloud Computing, DevSecOps
2020 was a transformative year for public sector IT. Accelerated by necessity, agencies rapidly scaled and secured their digital ecosystems to accommodate a newly remote workforce. Against this backdrop, significant cybersecurity hacks revealed continued vulnerabilities in the federal supply chain and state and local IT infrastructures.
Looking forward there is much work to be done. A new administration, new regulations and continued reliance on the cloud will shape public sector IT through 2021.
Brandon Norris
Cloud, Cloud Computing
Teresa Carlson, Vice President, AWS Public Sector held a leadership session, From complexity to clarity: The strategic value of AWS. Teresa’s breakout highlighted how crucial cloud technology has been for organizations. The AWS cloud provides the ability to respond quickly to the new reality brought on by the ongoing global crisis. Several AWS customers shared how they were able to solve some of the world’s most pressing challenges using the cloud. Furthermore, how they are driving impact around big ideas, discoveries, and turning points to solve some of the world’s largest challenges.
Zev Stern-Coder
Cloud Computing
This will be the first in what DLT intends to be an ongoing series of posts highlighting what our partners are building for the Public Sector using AWS.
The Challenge
A Global Service provider wanted a way to develop a messaging solution, to augment, marketing and sales teams for promoting events using a standard Calendar Invite.
Greg Hanchin
Cloud Computing
Before reading this month's Thought Light interview, we invite you to read about BMC's multi/hybrid cloud initiatives for federal government, click here.
What is BMC and how does it help the public sector?
DLT Solutions
Cloud Computing, DevSecOps, IT Infrastructure
Cloud governance shouldn’t be an afterthought. Indeed, it should be a foundational element of any cloud security strategy. Why? Because the cloud is enormous – it’s software, hardware, developer tools and platforms, and more. All delivered by a host of vendors.
DLT Solutions
Cloud, Cloud Computing
It has been 10 years since the U.S. government began warming to cloud computing, beginning with the federal Cloud First initiative in 2010 leading to today’s Cloud Smart strategy – a game plan for bringing processes and applications into a new hardware environment.But to take advantage full advantage of a cloud-driven ecosystem, the government must have more than just a cloud strategy. Agencies also need a data strategy.What is a cloud data strategy?
DLT Solutions
Uncategorized
Article originally posted on GovDesignHub here.
Autodesk University (AU) returns to Las Vegas from November 19-21 – and we have some good news. In addition to discounted conference passes now available on GSA Schedule, Autodesk Certification exams are back at AU 2019!
Caron Beesley
Uncategorized
By Mav Turner, VP, Product Management, SolarWinds
For federal IT pros, moving to a cloud environment is a “when” rather than an “if” proposition. From the government’s recently released Report on IT Modernization, calling for agencies to identify solutions to current barriers regarding agency cloud adoption, to the White House’s draft release of a new “Cloud Smart” policy, which updates the “Cloud First” policy introduced in 2010; cloud migration continues to be a priority.
DLT Solutions
Federal Fiscal Year End, Uncategorized
The old business adage runs, “Nothing happens until somebody sells something.” To which you might add this corollary: nothing good happens in the absence of strong requirements.
Brian Strosser
Cloud Computing, Cybersecurity
It’s often said that there are two types of organizations: those that have been hacked, and those that will be – turning the conversations around security breaches from ‘what if?’ to ‘when?’.
Isabella Jacobovitz
IT Perspective, Uncategorized
The latest data on the progress of federal government agencies’ implementation of the Federal Information Technology Acquisition Reform Act (FITARA) was released on June 26 by the House Oversight and Reform Committee as Scorecard 8.0.
Melissa Perez
Cloud Computing, Uncategorized
Key takeaways show how public sector customers are achieving more with cloud.
As cloud continues to transform the public sector, cloud has had its own metamorphosis: from a trendy buzz word to a catalyst for meaningful change, innovation, and more. Last month, AWS hosted its 10th annual AWS Public Sector Summit. The conference brought together more than 17,000 attendees for 2+ days of insights, sessions, and networking, and explored how cloud is fueling the public sector for a limitless future.
Recap
Isabella Jacobovitz
Cloud Computing, Uncategorized
Key takeaways show how public sector customers are achieving more with cloud.
As cloud continues to transform the public sector, cloud has had its own metamorphosis: from a trendy buzz word to a catalyst for meaningful change, innovation, and more. Last month, AWS hosted its 10th annual AWS Public Sector Summit. The conference brought together more than 17,000 attendees for 2+ days of insights, sessions, and networking, and explored how cloud is fueling the public sector for a limitless future.
Recap
Isabella Jacobovitz
Cloud Computing
The AWS Public Sector Summit is just around the corner. Part of a global series of summits, this year’s event in Washington, D.C. brings the public sector cloud community together to connect, collaborate, and learn about AWS. DLT will be exhibiting at the Summit this year with its technology vendors including AWS, Crowdstrike, NetApp, Quest, and more in booth #800.
DLT Solutions
Uncategorized
Many states' fiscal years are quickly coming to an end, and at DLT we’re committed to making the job of the procurement officer as easy as possible as they scramble to make smart and responsible purchasing decisions with remaining taxpayer dollars. Part of this process is raising awareness of what’s new in our extensive portfolio of IT solutions including big data and analysis, cloud, cybersecurity, application lifecycle, digital design, IT consolidation and management, and more.
Brian Strosser