What agencies are asking about FedRAMP

As the official Federal Risk and Authorization Management Program evangelist at the General Services Administration, Ashley Mahan addresses federal agencies’ cloud computing and security concerns.

She does not simply laud the benefits of cloud computing and FedRAMP security, however. Mahan has the technical knowledge to back up her pitch to agencies and the collaborative skills to help them find the right cloud service provider.

Although she started as FedRAMP evangelist in October, she’s been helping get cloud service providers through FedRAMP's Joint Authorization Board approvals since 2014, when she was an information security officer.

Before that, she served as a cybersecurity adviser for the federal government for 10 years. She also developed and implemented robust cybersecurity awareness training programs to educate federal workers about evolving cyberthreats and helped support agencies as they went through cybersecurity inspections.

According to Mahan, there are still misconceptions about how FedRAMP operates, but that’s why she’s working hard to explain the technology and the process. Her job involves creating a unified vision of cloud and security for all agencies.

And that mission of creating a unified vision is infectious, she said. As one agency develops a cloud mission policy or practice, other agencies eagerly pick it up. "You don’t have to reinvent the wheel," she said.

The interview below has been edited for length and clarity.

Why evangelist?

I’m spreading good news that can empower agencies. I’m the liaison between agencies and cloud service providers. I’m here to scratch an itch for knowledge and provide agencies with assistance.

What are agencies telling you about FedRAMP?

They’re saying FedRAMP is valuable. Before authorizations, there were big differences in how agencies did security. There were stovepipes. Each agency had its own process. Anytime we can reuse a process or framework that’s proven, it saves time and money.

It’s a two-sided issue. Agencies want to move to the cloud, and they want to move to the cloud fast.

What are their pain points in doing so?

Across the board, they want more visibility into where cloud service providers are in the authorization process.

They see FedRAMP as a marketplace. They want to see where it is to transition, along with faster authorization.

They want to learn how to sponsor service providers, as well as how to get provisional authorizations from the JAB. They want to use cool cloud services that haven’t been used before. They want a dedicated person as a liaison to help navigate the cloud.

Have agencies changed their approach to cloud in the past year?

Each agency is different. They’re learning to remain flexible. Where they had relied on information security officers to know the requirements, it now trends agency to agency. Each agency is specific.

But one thing goes on: They’re really eager to learn about cloud and what they need to do.

How deep into federal IT offices do you go with discussions on cloud and FedRAMP?

We’re working with CIOs focused on the big picture. We’re also talking with program managers and systems engineers who are using a product or considering one.

We have FedRAMP points of contact at agencies who get information for their agencies.

Has interest in FedRAMP filtered down to state and local governments?

It’s a federal program, but yes, they really want information about the program. FedRAMP means something to them. It can drive their business decisions.

There is a lot of anticipation for the high baseline for cloud computing systems that require high-impact level security under the Federal Information Security Management Act. When will that be issued?

That’s been the biggest question in the last few weeks. We’re putting the finishing touches on it now. The baseline has been a true collaboration among [the departments of Homeland Security and Defense], GSA and FedRAMP. It’s been a big accomplishment.

As agencies become grounded in cloud technology in the coming years, do you think you might evangelize yourself out of a job?

I’m here to stay. It’s a continuous process. Agencies have evolving needs. I’m here to help.