GSA making ‘significant’ investments to automate FedRAMP processes
The General Services Administration’s Technology Transformation Services arm is making “significant” investments in automating security authorization processes for cloud service providers, Director Dave Zvenyach said on Wednesday.
Zvenyach said these new investments under the Federal Risk and Authorization Management Program (FedRAMP) will focus on automation, process improvements and additional resources to help plug gaps, as well as make agencies more aware of existing authorities to operate (ATOs).
FedRAMP approves secure cloud technologies for agencies’ reuse via ATOs. Onboarding new cloud service providers, however, carries significant costs: not only the initial authorization but also annual reassessments, significant change requests and continuous monitoring.
CSPs and CIOs regularly urge the FedRAMP Program Management Office to automate what processes it can to streamline onboarding, but investment hasn’t kept up with demand.
“As we add cloud service providers to FedRAMP, it ends up having a nonlinear cost,” Zvenyach said during an ACT-IAC event.
TTS investments in automation, process improvements and additional resources will help plug gaps, as well as make agencies more aware of existing ATOs, he added.
The thousands of ATOs agencies already reuse save taxpayer dollars, improve security and lower vendors’ overhead costs.
TTS is collaborating with the FedRAMP PMO and Joint Authorization Board on process work, as well as the Federal CIO, CIO Council and Office of Management and Budget to ensure FedRAMP’s reciprocity with the Pentagon’s Cybersecurity Maturity Model Certification (CMMC) program. The Department of Defense’s CIO office is already represented on the JAB, which makes things easier, Zvenyach said.
“This isn’t just a [General Services Administration] thing,” he said. “We really do need to have partnership.”
Tasked with improving the public’s digital experience with government, TTS is still responding to the pandemic, economic recovery, racial inequity and climate change in its work. Major investments are also being made to improve the security and usability of Login.gov, the government’s identity and authentication platform, Zvenyach said.
But now agencies including GSA also need to finalize return-to-office plans by July 19, as required by the Safer Federal Workforce Task Force.
Under Zvenyach’s leadership, TTS has adopted a “distributed-by-default” mindset.
“My experience is distributed by default is a better pattern than the hybrid approach,” Zvenyach said. “I think people should be distributed, or they should be in person. And we should try and think about how you use the best of each, rather than trying to blend them together.”
People working in person shouldn’t receive more benefits than those who opt not to, which, in turn, allows TTS to focus on outcome delivery and measuring success, he added.
To that end, TTS has invested in collaboration tools, restructured how it conducts meetings and rethought results measurement to enable employees to live across the country in a more equitable, accessible work environment.
One downside to a more distributed workforce is that feedback is harder to come by, so Zvenyach set up an anonymous, digital feedback form.
“I really do read all of the comments that come in,” he said.