The Potomac Officers Club — owned by this website’s parent company Executive Mosaic — held its FedRAMP Forum Thursday in Falls Church, Va. for government and contracting executives to discuss the governmentwide cloud computing initiative’s current state and exchange ideas on how to navigate this program.
Matt Goodrich, FedRAMP’s program director, was the first speaker at the forum and later moderated a panel discussion that featured Claudio Belloli, head of cybersecurity for the FedRAMP program office; Chad Andersen, FedRAMP program manager at Noblis; and Katie Lewin, who helped launch FedRAMP in her former role as cloud computing director for the General Services Administration.
Goodrich caught up with ExecutiveGov before the forum to discuss the new updates and features on FedRAMP.gov and how he sees the program evolving in the year ahead, as well as the culture change at agencies he thinks needs to happen in cloud adoption.
ExecutiveBiz: What is a typical day like for the FedRAMP team?
Matt Goodrich: A typical day for the team is pretty busy. We have five major workstreams across three teams. We have an operations team, quality management team and security team.
The operations team, led by John Hamilton, runs the day-to-day operations, communicates with our stakeholders, does phone calls, requests, questions and maintains the website. Additionally they also work on our major initiatives and move them forward. As the R&D at FedRAMP, the team also works on our major policy developments that are always happening.
We have the security team which is led by Claudio Belloli. He manages all the vendors going for the JAB authorization process. He coordinates with vendors we are currently working with for authorization with DoD, DHS and GSA.
Then our quality management team is a new team we’ve created. They ensure quality of the work we produce and look at running the office as smooth as possible. They introduce new efficiencies and make our processes and programs as easy and quick as possible for all our stakeholders to interact with us.
No matter which part of the program you are focused on, a typical day is really busy. I’m lucky to have an awesome team that makes it all happen.
ExecutiveBiz: What is the government looking to do with the updates and redesign of the FedRAMP website?
Matt Goodrich: We want our stakeholders to have a better user experience. FedRAMP.gov is the official site for relaying all the information about FedRAMP. If the site itself isn’t user-friendly or stakeholders don’t find what they need on the website in an easy way, that makes everyone’s job harder.
We just want to make sure that it’s not a static website where people can’t find the new information. We want to make sure that people can easily find information that they need to see so we have an engaged community around FedRAMP with the website.
We want the training program we launched to be totally free. That will help our stakeholders understand the details of the program and how they interact with it. We want to make sure they can be quizzed on whether they actually understand it or not as well.
Additionally, we have been putting out a monthly newsletter for a while as well for the website. And recently we started putting out weekly tips and cues, sharing quick tips and suggestions for stakeholders to correct common misconceptions.
ExecutiveBiz: How have the responses to the updates been so far?
Matt Goodrich: So far it has been great. We spent a lot of time thinking how to do the redesign. We didn’t just do it in a vacuum of government land. We did a bunch of interviews around all of our different types of stakeholders including agencies, trade associations, and all of our vendors.
ExecutiveBiz: What barriers still exist in cloud adoption for agencies and how do you see FedRAMP’s role in removing those barriers?
Matt Goodrich: The first barrier to cloud adoption was security. Under the cloud computing initiative, our mission was to remove the barriers to adoption of cloud, one of which was to make sure security would work for cloud. That is why we created FedRAMP. The biggest barrier, security, has been removed. However, there is still a large amount of culture shift in security and how agencies can consume security from a cloud provider.
In legacy systems, you created the system and you knew how the security of the system was managed since you managed the security yourself. When you shift the model to using a cloud service you are now consuming that security for the system and you are not managing the security yourself. You are outsourcing that to the cloud provider. Taking in and managing those data feeds and reports is proving to be difficult.
In order to help alleviate that difficulty, education is one of the things we are focused on. The FedRAMP roadmap details how we’re going to provide agencies with functional guidance. With the PMO or the JAB authorizations across 30 different cloud systems and growing, we’ve got experience on how to manage those respectively across providers.
Also, the battle for most agencies is the simple cultural battle of normal culture change. It is hard for agencies to give up control of their systems that you see, touch and can actually manage. At this point you are outsourcing that management of the system to someone else. There is a culture shift from managing your system to actually using it. Instead of creating it, you are using a service and managing it from a different perspective.
So part of our roadmap is trying to get more guidance out there to our agencies and on how to functionally consume and use these new services to enable that culture shift and make it not scary for them.
ExecutiveBiz: What aspects of industry engagements do you prioritize in your role as head of FedRAMP?
Matt Goodrich: We want to engage with our stakeholders and industry as much as possible. We try to meet with as many groups as possible. We are always happy to schedule calls with them or have strategy sessions. We created the FedRAMP Ready category in order to help vendors make sure that they understood if they were ready for the process, have enough information or knew their system or FedRAMP well enough to begin the authorization process.
One of our key goals in our FedRAMP Forward plan is stakeholder engagement. We prioritize talking with anyone who is actually engaged and has the desire to meet the FedRAMP requirements. There isn’t really prioritization because if you are interested in FedRAMP then we are interested in talking with you.
ExecutiveBiz: How do you want to see FedRAMP and industry’s role evolve this year?
Matt Goodrich: Industry has been really engaged with FedRAMP from the beginning. I would like to see that the outskirts of industry, which are beginning to see their role through FedRAMP through a clearer lens, get a deeper understanding of FedRAMP. Some of our true partners of the program helped us iron out some of the kinks of the process of the program itself. They are actively engaged and understood FedRAMP from the beginning so they knew what it was going to take to get through.
So a key part of our industry engagement is making sure our industry providers know what it takes to get through FedRAMP. It is not a simple process but it enforces security on your system. In this day and age when cybersecurity and cyber attacks are only increasing and it is becoming the new battleground, we want to make sure our vendors understand what they need to do for providing adequate security for federal data.
We want to make sure that industry knows what it takes to get through FedRAMP and understand that the speed through which you can get through really depends on the security they have. We want to make sure they understand the rigor of the program isn’t going away but their ability to get through that or the speed which they want to get through is really dependent on our vendor’s ability to implement the security that is needed and have adequate documentation to back that up.
Our goal in FedRAMP is to have as many providers get through the process as possible, but not at the risk of losing the rigor of the security process. Our goal is to make sure that every cloud provider that the government uses is secure.