Why FedRAMP Is Worth Caring About

on December 12, 2011 at 10:51 AM

If you have been at a recent Washington Capitals hockey game when the opponent scores a goal, you know the crowd routinely shouts out “Who cares!”

Last week, Steven VanRoekel, Federal CIO, released the long awaited OMB plan for the Federal Risk and Authorization Management Program, or FedRAMP, which reminds me to be thankful for pronounceable acronyms. The purpose of FedRAMP, per the implementing OMB memorandum, is to “provide a cost-effective, risk-based approach for the adoption and use of cloud services”.

This blog entry is my attempt to answer the question “Who cares!”

So were I a federal CIO, which I was, or an executive working for a provider to the Federal Government, which I am, what are the short- and long-term implications?

First, and most important, I think there are short- and long-term implications, which is not always the case with long awaited announcements and OMB produced memoranda.

However, I suggest the longer term implications tie more to the general topic of infrastructure rationalization than focusing specifically on the ever popular and impossible to avoid ongoing cloud frenzy.

It has long been my contention that while the IT focus in commercial organizations should be top-down to be most effective, in federal government it is the opposite: better off focused on a bottom-up approach.

This difference reflects how funding, or revenue, is achieved.

In a commercial company revenue comes in from customers, is filtered through a sales organization and the decisions are controlled by executive leadership. IT leadership focuses on using the defined strategic goals to drive derived IT goals down into the rest of the organization.

In a government entity, funding comes through the appropriations process and, except in very rare circumstances such as the Veterans Administration, is associated with the individual components that make up larger agencies or departments, rather than with the overall mission of the department.

Because of this, the first hurdle for government CIOs is overall situation awareness; discovering what IT assets exist and figuring out how to put in place configuration management to keep track of those IT assets.

To just take one example, when OMB started pushing to consolidate data centers, it took months or longer to get an accurate inventory of how many data centers there were, let alone put together a plan to consolidate them.

Reducing costs is a reasonable goal to associate with cloud computing. Be warned that recent articles question whether cost savings will be as large as some are articulating. See, for example, the discussion I participated in this last Friday on the Federal News Radio Countdown, hosted by Francis Rose.

The real value of initial cloud implementations is that they represent the next big step in allowing federal CIOs to get a handle on what IT provisioning is going on within the organizations. Every application that is moved to the cloud is one that now is visible to and can be managed and measured by the CIO. Consistent security approaches can be taken. And it is the inconsistencies, not whether an application is internally hosted or externally hosted, that lead to security weaknesses.

There are a few additional specifics from the OMB memorandum that I wanted to note.

First, the process still has some time before it will be put into place. The goal is to have the FedRAMP PMO, to be run by GSA, operational no later than 180 days from issuance. This follows interim steps including establishing formally the list of security controls, creating a Concept of Operations, and creating a charter for the Joint Authorization Board (run by DoD, DHS, and GSA) dealing with governance.

Second, it will be interesting to see how robustly the effort will be funded over the next few years. Congress has not been consistently supportive of shared service implementations. From my stint at DOT, I remember the difficulties that OMB had keeping the various eGovernment initiatives sufficiently funded.

While outside the scope of this write-up, I contend that one reason that DoD continues to make progress in this area is because of the existence of a home, what I refer to as a “center of gravity”, for managing the resulting shared infrastructure, namely DISA. While I have nothing but the greatest admiration for Richard Spires and Casey Coleman, running shared services is not currently the primary mission of either DHS or GSA respectively.

Third, I found it interesting that both the CIO and the chief financial officer need to certify together the list of all cloud services within their agency that cannot meet FedRAMP security authorization requirements. The dividing line between what is expected from CIOs and CFOs regarding program management is not always clear cut, and is made even less clear when the CIO has been folded underneath the CFO.

In April 2009, I asked the question “Why are 42 or so different procurements now looking at clouds?” I was quoted as saying that I thought that “instead cloud computing could be offered in a way … in which any federal agency can access a handful of major … contracts.”

And now a little over 2 ½ years later, we are only six months away from saying “You can.”

Powertek Corp. He served as CIO of the Department of Transportation from 2006-2009.