Cloud adoption slowed by culture, even with FedRAMP


The federal government maintains a "cloud first" policy, but is that statement backed up by what an agency can do as a practical matter?

"You can't say 'cloud first' with no way to procure it," said Tony Summerlin, special advisor to the CIO of the Federal Communications Commission.

Speaking at the ImmixGroup Government Sales Summit, Summerlin complained that the right procurement vehicles aren't available for agency tech buyers.

"Buying software-as-a-service through GSA is painful," he said. "GSA doesn't know how to do it."

The ability to buy secure, effective cloud technology quickly is a key to moving federal agencies over to cloud platforms, he said. "Discipline and speed are key. You have to move rapidly or the goblins will eat you."

What's not so quick, Summerlin suggested, was the relatively slow approval process for the GSA-led Federal Risk and Authorization Management Program. Even with recent improvements, it can still take months to achieve provisional security authorizations via FedRAMP.

Claudio Belloli, FedRAMP's program manager for cybersecurity at GSA's Technology Transformation Service, said the approval process has been overhauled and streamlined to produce faster results and pointed to encouraging results in 2016.

In a conversation with FCW after the presentation, Belloli pointed to FedRAMP's increasing numbers of cloud providers and Authorities to Operate, as well as 2017 goals to grant provisional ATOs in an average of under six months.

Belloli pointed to a Nov. 7 blog post by Matt Goodrich that includes plans for "FedRAMP Tailored" -- an effort to speed authorizations for certain software-as-a-service offerings instead of demanding a "one size fits all" approach.

Belloli also said GSA would review how to make the continuous monitoring component of the risk management process more effective in 2017.

Even with improved authorization processes and speedier approvals, however, both Summerlin and the Securities and Exchange Commission's Mike Fairless said cloud adoption depends largely on agency culture.

"We realized we lived in a siloed world" when it came to IT, said Fairless, who is the SEC's branch chief for servers and storage and has worked to get his agency to accept cloud operations. Most agencies, he said, tend to want technological innovators, but then as legal and jurisdictional interests arise, those innovators can be tossed aside.

The FCC, said Summerlin, was similarly fragmented. "We had 1,800 databases and 1,700 employees," he said. "We had 87 licensing systems" that broadcasters had to navigate to get their operating and ownership licenses.

The best way to get around such obstacles, according to Summerlin, is to get experts to "live in the environment" and learn the nitty-gritty details of what needs to be done.

"You have to bring in someone who is bulletproof" technologically, he said. "You have to become part of the environment. None of that parachuting in crap."

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Contact him at or follow him on Twitter at @MRockwell4.


Reader comments

Mon, Nov 21, 2016 career evolve Springfield

Is the slow down due to the real lack of trust between Cloud Providers and the Government agencies? A tailored model is much needed and the approval process must be expedited. It will be interesting to see how this manual intervention in the buying process may actually further private cloud attempts even though it is not the primary desired selection.
