Last year, the U.S. government spent $12.3 billion on cloud services. That figure is estimated to grow to $16 billion this year. The question before the federal government today is whether that investment will capture the full capabilities of the world’s most innovative clouds held to the highest security standards in the world.
The Office of Management and Budget (OMB) recently released a draft memorandum to modernize the Federal Risk and Authorization Management Program (FedRAMP), which the federal government uses to certify commercial cloud providers as secure and ready for government workloads, including classified information. Its release follows the bipartisan passage of the FedRAMP Authorization Act as part of the fiscal 2023 National Defense Authorization Act (NDAA). The memorandum is bold and will make the most necessary changes urgently, and will fully commit to commercial clouds in an approach that I, and many others, wholeheartedly support. If adopted as written, it will usher in a new era of security, artificial intelligence and automation previously impossible within the strict confines of so-called GovClouds.
Many vendors created GovClouds, or clouds physically separated from commercial infrastructure, to adhere to FedRAMP’s security controls. While understandable more than a decade ago when the FedRAMP program was created, this legacy approach lacks the security, compute power and capabilities the government needs and deserves in the 21st century. OMB is wise to recognize this bottleneck and require the General Services Administration (GSA) to produce a plan to transition federal agencies away from GovClouds and instead prioritize “zero trust” security architecture, cyber resilience and innovation.
OMB’s draft guidance also recognizes that the “speed of certification” must catch up to the “speed of mission” in government. OMB proposes supporting multiple types of FedRAMP authorizations including single- and joint-agency authorization, program authorization, and any other type of authorization designed and approved by the FedRAMP Board and program management office. Replacing the cumbersome process currently in use would allow agencies to greatly speed up the adoption of best-in-class cloud technologies across the government.
Additionally, as part of the creation and evolution of multiple authorization structures, FedRAMP must establish a baseline for the reliability of its authorizations. The program was founded, in part, to reduce duplicative work for agencies and companies, and to bring coherence and consistency to what is required from cloud providers. OMB’s latest guidance brings that aspiration of “certify once, reuse many times“ even closer to reality.
Lastly, the move to streamline through automation is long overdue and will benefit from clarification of how new processes will work. But some questions remain.
For example, the draft guidance states that the GSA must establish a means of automating FedRAMP security assessments and reviews by Dec. 23, 2023. Can providers move away from PDFs and Word documents as of that date? Further, will there be a plan to develop and provide new validation tools or mechanisms for machine-readable data and with respect to continuous monitoring? Will the government identify the data that can be packaged into machine-readable format to expedite these assessments?
OMB’s guidance is an innovative and transformative step in the right direction that reflects the realities of today’s and tomorrow’s cloud computing market. Only commercial clouds can provide the compute power necessary to run widespread AI workloads and the security to protect our nation’s technology from nation-states who wish us harm. Cyberattacks on cloud systems nearly doubled in 2022, and in a notable instance earlier this year, Chinese hackers breached U.S. government email accounts through a vulnerability in a widely used email service. Let’s give the U.S. government access to the same cutting-edge cloud technology and security that the private sector enjoys.
The American people whom our government serves deserve nothing less.
Alan Thomas is the former commissioner of the Federal Acquisition Service at the General Services Administration, which houses the FedRAMP PMO, and served as a permanent member of the Technology Modernization Fund board from inception in March 2018 until October 2019.