What really goes on inside the FedRAMP office
One tiny team is at the center of the federal government’s push for cloud computing — and all the loud, complicated competing interests that go along with it.
FedRAMP director Matt Goodrich is looking to shake up the government cloud program to make it more friendly to vendors.
Matt Goodrich doesn't drink coffee. How he gets through his jam-packed days remains unclear.
As director of the Federal Risk and Authorization Management Program, Goodrich is at the bustling, bureaucratic center of the federal government's cloud market.
Bidding has closed and interviews have started for a new FedRAMP dashboard, due to be completed 60 days after the impending award under 18F's agile blanket purchase agreement. FedRAMP is also testing a new "accelerated" process with three cloud providers: Unisys, Microsoft's Customer Relationship Management (CRM) and 18F's Cloud.gov. The plan is to launch the new approach to Joint Authorization Board (JAB) reviews by this summer.
Both pushes are part of a FedRAMP shakeup that is spurred in part by discontent from vendors who say the process has gotten too time-consuming and expensive.
FCW recently spent the day with Goodrich's team to see that process in action.
Constant contact
In the open-air offices of the General Services Administration's headquarters, the FedRAMP Program Management Office is all about meetings.
Goodrich has only three other feds working with him, so each has to pinch-hit in a variety of program support positions. They're aided by 35 contractors from Noblis, CSRA and The Clearing.
The FedRAMP players, each with demands on the team's time, include cloud service providers (CSPs) seeking authorization, third-party assessment organizations (3PAOs) that vet the services, JAB with its own vetting process and the agencies that want to use the cloud services.
The four feds share nicknames and "The Real Housewives" slogans as they slog through their morning scheduling meeting. Goodrich might eschew coffee, but his office's color-drenched whiteboard walls have their own caffeinating effect.
Then the team members split up, taking different contractors with them to different huddles.
FedRAMP Agency Evangelist Ashley Mahan takes point on the agency side, hosting feds from across government in ones and twos as they seek cloud solutions. Sometimes she can work with them on creative approaches; sometimes she spends the meeting defending FedRAMP's security-vetting rigor.
On the vetting front, Program Manager for Cybersecurity Claudio Belloli leads FedRAMP's contractor corps of information system security officers (ISSOs) through meetings with 3PAOs, where they hash out the finer details of CSP security assessments.
"No two providers are the same," Belloli told FCW. "Every CSP is unique." That diversity presents a challenge for 3PAOs, which sometimes struggle to explain security setups within the confines of FedRAMP documentation.
FedRAMP's ISSOs must study the systems and reports carefully — by the end of the process, "they're experts on the systems for sure," Belloli laughed — and make sure standards remain high and consistent.
The meetings aren't exactly combative, but they're not always cordial either.
Standards-setting meetings with representatives from the CIO shops of the three JAB agencies — GSA, the Defense Department and the Department of Homeland Security — can be similarly exhaustive and exhausting.
Expanding reuse
When all's said and done, meetings with the CSPs start to seem like the easy part.
Susie Adams, CTO for Microsoft Federal's civilian business, was in the FedRAMP offices the same day as FCW, and she conceded that the process had perhaps become tough for smaller players to tackle.
Even for Microsoft, the extensive security reviews are taxing. But thousands of pages of documentation are "necessary evils [in a] very much needed process" that has, overall, cut down on the number of times CSPs must run a federal review gauntlet, Adams said.
She added that she's excited Microsoft's CRM will be among the first to pass through FedRAMP Accelerated.
Adams and Belloli said, however, that FedRAMP works best when agencies trust and reuse authorizations. That has not always been the case — to the frustration of government and industry participants alike.
The number of FedRAMP authorizations exploded in the last six months of 2015, with agency authorizations growing 53 percent and JAB authorizations up 25 percent. With that increase comes more documentation for FedRAMP to track.
Ideally, Belloli said, the number of authorizations will start to plateau at some point once a robust market of authorized cloud services is established.
The breathing room — if and when it comes — will likely be welcome.
Goodrich told FCW that he's always looking for talented employees, but he's not planning to grow his team at the moment. He said the four feds — Goodrich, Belloli, Mahan and Program Manager for Operations John Hamilton — balance one another well.
Goodrich has been involved in government cloud work for nearly seven years, starting with the Federal Cloud Computing Initiative back in 2009. His enthusiasm for the technology helps him get through days that often don't end until 11 p.m.
"I actually like my job," Goodrich said.