Cloud adoption slowed by culture, even with FedRAMP

Cloud adoption, some agency execs say, continues to be a slow and frustrating slog.


The federal government maintains a "cloud first" policy, but is that statement backed up by what an agency can do as a practical matter?

"You can't say 'cloud first' with no way to procure it," said Tony Summerlin, special advisor to the CIO of the Federal Communications Commission.

Speaking at the ImmixGroup Government Sales Summit, Summerlin complained that the right procurement vehicles aren't available for agency tech buyers.

"Buying software-as-a-service through GSA is painful," he said. "GSA doesn't know how to do it."

The ability to buy secure, effective cloud technology quickly is a key to moving federal agencies over to cloud platforms, he said. "Discipline and speed are key. You have to move rapidly or the goblins will eat you."

What's not so quick, Summerlin suggested, is the approval process for the GSA-led Federal Risk and Authorization Management Program (FedRAMP). Even with recent improvements, it can still take months to achieve provisional security authorizations via FedRAMP.

Claudio Belloli, FedRAMP's program manager for cybersecurity at GSA's Technology Transformation Service, said the approval process has been overhauled and streamlined to produce faster results and pointed to encouraging results in 2016.

In a conversation with FCW after the presentation, Belloli pointed to FedRAMP's increasing numbers of cloud providers and Authorities to Operate, as well as 2017 goals to grant provisional ATOs in an average of under six months.

Belloli pointed to a Nov. 7 blog post by Matt Goodrich that includes plans for "FedRAMP Tailored" -- an effort to speed authorizations for certain software-as-a-service offerings instead of demanding a "one size fits all" approach.

Belloli also said GSA would review how to make the continuous monitoring component of the risk management process more effective in 2017.

Even with improved authorization processes and speedier approvals, however, both Summerlin and the Securities and Exchange Commission's Mike Fairless said cloud adoption depends largely on agency culture.

"We realized we lived in a siloed world" when it came to IT, said Fairless, who is the SEC's branch chief for servers and storage and has worked to get his agency to accept cloud operations. Most agencies, he said, tend to want technological innovators, but then as legal and jurisdictional interests arise, those innovators can be tossed aside.

The FCC, said Summerlin, was similarly fragmented. "We had 1,800 databases and 1,700 employees," he said. "We had 87 licensing systems" that broadcasters had to navigate to get their operating and ownership licenses.

The best way to get around such obstacles, according to Summerlin, is to get experts to "live in the environment" and learn the nitty-gritty details of what needs to be done.

"You have to bring in someone who is bulletproof" technologically, he said. "You have to become part of the environment. None of that parachuting in crap."