Cloud: Are we there yet?
Maria Roat, Kevin Dulany and others discuss what's next for FedRAMP.
Where:
AFCEA Bethesda 2014 Cloud Technology Symposium
Who:
Maria Roat, director of FedRAMP, General Services Administration
Kevin Dulany, risk management division chief, Defense Department
James Pyon, vice president, CGI Federal
Greg Bateman, senior director of acquisition programs, Microsoft
Why:
Roat's office at GSA’s Office of Citizen Services and Innovative Technologies was in a frenzy leading up to the June 5 FedRAMP deadline. That date has come and gone, but Roat warned there is still much work ahead to ensure security and consistency for agencies in the cloud.
One of the main purposes of FedRAMP is to simplify the cloud certification process for both agencies and cloud providers, and create consistency in how the parties work together to develop solutions and standards.
Roat said her office often has cloud providers coming in and saying that they’re working with three agencies, and they’re all trying to do something different. That’s where Roat's team comes in; it facilitates a conversation between the three agencies, and looks for opportunities to make everyone’s life a little easier in working with providers.
"We're working to follow the 'Do once, use many times' method," Roat said.
So what is the next year of FedRAMP going to look like? While one audience member asked about 'FedRAMP 2.0,' Roat said that term seems to have appeared out of thin air. It’s not a matter of going from 1.0 to 2.0, she said -- FedRAMP has simply become fully operational.
CGI Federal's Pyon agreed. "In the next year, hopefully we are not talking about the same things we did today," he said. "By then it should be routine, and we should be looking at it from a risk, security and data perspective."
Yet real progress has already been made, Roat and the other panelists stressed, particularly with continuous monitoring to ensure the security of data in the cloud.
"Continuous monitoring as a whole has made the environment more secure," Roat said. "The amount of detail and the rigor we have gone through with cloud providers -- we’re forcing that function of risk and CM documentation."
Looking forward, Dulany said he would like to see industry play more of a role in creating standards -- a move he said would take the weight off of government to create standards on cloud services.