Page 17 - FCW, May 30, 2016

omputing — and all the loud, complicated competing interests that go along with it
“You really have to get kind of an intimate understanding of that cloud service provider, and we get that by working with them as they go through the process.”
“It’s a continuous process. Agencies have evolving needs. I’m here to help.”
Claudio Belloli Ashley Mahan
Goodrich might eschew coffee, but his office’s color-drenched whiteboard walls have their own caffeinating effect.
Then the team members split up, taking different contractors with them to different huddles.
FedRAMP Agency Evangelist Ashley Mahan takes point on the agency side, hosting feds from across government in ones and twos as they seek cloud solutions. Sometimes she can work with them on creative approaches; sometimes she spends the meeting defending FedRAMP’s security-vetting rigor.
On the vetting front, Program Manager for Cybersecurity Claudio Belloli leads FedRAMP’s contractor corps of information system security officers (ISSOs) through meetings with 3PAOs, where they hash out the finer details of CSP security assessments.
“No two providers are the same,” Belloli told FCW. “Every CSP is unique.” That diversity presents a challenge for 3PAOs, which sometimes struggle to explain security setups within the confines of FedRAMP documentation.
FedRAMP’s ISSOs must study the systems and reports carefully — by the end of the process, “they’re experts on the systems for sure,” Belloli laughed — and make sure standards remain high and consistent.
The meetings aren’t exactly combative, but they’re not always cordial either.
Standards-setting meetings with representatives from the CIO shops of the three JAB agencies — GSA, the Defense Department and the Department of Homeland Security — can be similarly exhaustive and exhausting.
Expanding reuse
When all’s said and done, meetings with the CSPs start to seem like the easy part.
Susie Adams, CTO for Microsoft Federal’s civilian business, was in the FedRAMP office the same day as FCW, and she conceded that the process had perhaps become tough for smaller players to tackle.
Even for Microsoft, the extensive security reviews are taxing. But thousands of pages of documentation are “necessary evils [in a] very much needed process” that has, overall, cut down on the number of times CSPs must run a federal review gauntlet, Adams said.
She added that she’s excited Microsoft’s CRM will be among the first to pass through FedRAMP Accelerated.
Adams and Belloli said, however, that FedRAMP works best when agencies trust and reuse authorizations. That has not always been the case — to the frustration of government and industry participants alike.
The number of FedRAMP authorizations exploded in the last six months of 2015, with agency authorizations growing 53 percent and JAB authorizations up 25 percent. With that increase comes more documentation for FedRAMP to track.
Ideally, Belloli said, the number of authorizations will start to plateau at some point once a robust market of authorized cloud services is established.
The breathing room — if and when it comes — will likely be welcome.
Goodrich told FCW that he’s always looking for talented employees, but he’s not planning to grow his team at the moment. He said the four feds — Goodrich, Belloli, Mahan and Program Manager for Operations John Hamilton — balance one another well.
Goodrich has been involved in government cloud work for nearly seven years, starting with the Federal Cloud Computing Initiative back in 2009. His enthusiasm for the technology helps him get through days that often don’t end until 11 p.m.
“I actually like my job,” Goodrich said.