New policy guidance is coming soon to help agencies comply with the Federal Risk and Authorization Management Program (FedRAMP) as the cloud landscape evolves, according to the federal government’s No. 2 IT official.
Drew Myklegard, deputy federal CIO, said Thursday at FedScoop’s FedTalks that the forthcoming guidance comes as the federal cloud marketplace has evolved to be more dominated by software-as-a-service (SaaS) and platform-as-a-service (PaaS) offerings.
“The landscape has changed. SaaS — and now it’s heavy, heavy SaaS — and a lot of PaaS providers really need access to the government and their mission. So now we’re pivoting and it takes a couple of years to do that, but we’re pivoting towards that market,” Myklegard said.
He continued: “We’ve seen an exponential growth every couple of years of these SaaS providers and the tools. But what we haven’t seen is similar exponential growth in their adoption, at least like ATO-ed [authority to operate], secured and monitored by the CIOs out there of those types of products.”
Myklegard said shortly after he joined the Office of Management and Budget a little more than a year ago, he began leading efforts to talk to agencies to get feedback on the state of FedRAMP, and that has informed the decision to provide updated guidance.
“We talked to a lot of agencies and their experiences with FedRAMP, and they talked about a lot of the problems,” he said. “We listened to probably 30 different agencies and got a lot of great feedback. It’s going to inform the policy that’s forthcoming in some period of time in the future,” which he doesn’t want to put a deadline on, he said.
That document will be put out for public comment to hear “where we’re missing, where we’re hitting” with the direction of the policy.
The recent passage of the FedRAMP Authorization Act, which codified the program into law, has also bolstered its effectiveness by expanding the Joint Authorization Board and providing a Federal Secure Cloud Advisory Committee in line with the Federal Advisory Committee Act, Myklegard added.
The committee has had two meetings so far with another planned for this month, he said.
“We want to make sure that we’re really close in understanding what challenges the people on the ground are facing, as well as the industry products that are coming to market,” Myklegard said.