Last Wednesday, we held our third Agency Roundtable at GSA headquarters. 70 representatives from 35 agencies joined the discussion about how FedRAMP can enable and accelerate their journey to the cloud. We’re thrilled to report that almost two thirds of attendees were first timers! Our aim is to continue to provide these spaces for agencies to connect with each other, share lessons in cloud security and implementation, and build long-lasting relationships across government.
Our roundtable began with an introduction to GSA’s newly established Secure Cloud Portfolio with Director Jay Huie. Jay provided an overview of his role, shared the Cloud Portfolio’s mission, and debunked some common myths about cloud adoption. Jay also discussed the importance of “changing the conversation” to enable agencies frame cloud services within the scope of their mission and values.
Next, the PMO took a moment to celebrate FedRAMP’s fifth anniversary, highlighting several key accomplishments during that timeframe to include:
A 75% reduction in time to authorization for the Joint Authorization Board (JAB) process (12-18 months to 3-6 months)
- 83 authorized cloud services
- Each cloud service is reused an average of 5.82 times each
- Over 33% of FedRAMP authorized cloud services are small businesses
482 authorization reuses by federal agencies, saving thousands of hours and millions of dollars
- A record number of services In Process for authorization, 87% of which are SaaS solutions
A significant segment of the roundtable revolved around the experiences of two agencies in their journey to the cloud, with a focus on acquisition and governance. Some key elements of these presentations were:
A consolidated, consensus-based enterprise approach to cloud migration is critical to guard against cloud sprawl and headaches down the road
Recommendation that a pilot on a small scale serves as a proof of concept, then learnings can be folded into your cloud migrations in an agile fashion
Many cloud best practices exist in government , talk to you colleagues across government early and often!
Agencies have the power to dictate terms with cloud providers because they own the data
Finally, we held two concurrent breakout sessions. The first focused on Cloud Acquisition where participants learned how to easily implement cloud solicitations without incurring additional risk. Some tips for buying cloud included:
Talk to industry: Conduct market research with cloud service providers and systems integrators with federal experience; visit marketplace.fedramp.gov and read the service descriptions associated with products that currently have a FedRAMP authorization to determine if there is a competitive range.
Think FedRAMP: Incorporate FedRAMP language into your RFP in a way that isn’t restrictive.
Make Security an Evaluation Criteria: Agencies should incorporate security as an evaluation factor when doing acquisitions for IT services.
The second breakout dealt with Agency Authorization where the FedRAMP PMO teamed with HHS to share common issues in the authorization process and provided guidance on how agencies can address each successfully. Highlights of this conversation included:
**Is it really cloud? **Not everything that brands itself as cloud is cloud.
Build in review time: Even if a CSP is FedRAMP authorized, agencies should still review the package and make a risk-based decision before issuing their own authorization.
Document all your decisions: Track why you are giving exceptions to a given systems. Risk-based decisions are dependent on the context of the system.
Dynamic participation from attendees always energizes us at the FedRAMP PMO! We look forward to our next roundtable and seeing what comes from the relationships built during these meetings and the conversations that were started. I would like to thank everyone who came out last week, especially our first timers! If you’d like to attend the next agency roundtable or have questions about the agency authorization process, email me at firstname.lastname@example.org.