Teri Takai juggles many duties as CIO of the Department of Defense, one of which is to help decide whether commercial cloud services meet a rigorous set of government security standards as part of the FedRAMP program.
Cloud service providers can still receive direct operating authority from an individual federal agency, as Amazon Web Services did last May from the Department of Health and Human Services. But approval by FedRAMP's Joint Authorization Board, on which Takai sits, offers an added badge of authority that a cloud service conforms to a baseline of security standards that, subject to provisional review, will satisfy the demands of most federal agencies. The JAB, which meets once a month, also includes the CIOs at the Department of Homeland Security and the General Services Administration, as well as all three agencies' technical support teams.
"FedRAMP in many ways is having a strong influence, and will have a strong influence, on the industry," Takai said in an interview with InformationWeek Government. "We think it is an important effort, not just for the government, but to help commercial providers be better for everyone...
"We were finding there were so many cloud models, and so many offerings, with a lot of providers claiming to offer cloud services without really understanding what government needs."
Takai recalled a time two years ago when a vendor approached her and announced, "We're standing up a cloud environment just for you," to which she responded: "How would that work since you don't even know what I need?"
Teri Takai, CIO, Department of Defense
Takai, who spent 30 years in IT at Ford Motor Co. and served as the CIO for the states of Michigan and California before joining the DOD as CIO in 2010, thinks FedRAMP faces challenges on two fronts:
"It isn't only getting companies to be Fed-RAMP-certified, but also getting federal agencies to utilize the services that are Fed-RAMP-certified. We tend to talk about FedRAMP as being the certification of a company. It's actually not. Many larger companies offer cloud services in different ways to many customers. It's only a particular service that is FedRAMP-certified." The program is trying to get a wider variety of cloud services certified, so that more agencies move to the cloud, she says.
The second challenge is moving more providers through the application process. It took nearly 10 months for Autonomic Resources, the first of a dozen applicants, to get FedRAMP authorization for a platform that lets DOD users provision processing, storage, and other resources. The process now takes about six months.
"While six months sounds like the typical bureaucratic drag, I look at those six months differently," Takai says. "It's extremely productive and important -- both for us and for the company -- to understand what it takes to meet government security requirements," including the need for continuous system monitoring, clearly defined system boundaries, and encryption tools to safeguard data during transmission.
"In many cases, those aren't requirements they've had to follow," she says. "I'd rather have the assurance that a provider can offer us services that are secure, even if it takes a couple of more months, than to rush it and not have that assurance."
To some degree, Takai's reputation is on the line. "I've effectively told my fellow federal CIOs that if you go and buy this service, you will be OK from a security perspective."
Gaining ground The fact that service providers are starting to advertise and market their FedRAMP certification to potential commercial customers is one indication that FedRAMP is gaining stature outside of government, Takai tells us. "One of the things we had to write that we didn't anticipate is a document to give to companies on how to use the FedRAMP brand."
Takai's experience with FedRAMP elicited two other observations from her: the importance of federal CIO Steven VanRoekel and his predecessor, Vivek Kundra, in setting the vision for adopting cloud computing; and the importance of airtight security in moving cloud computing forward.
Perhaps given her private sector background, Takai was quick to note that FedRAMP isn't a funded government organization. The program works because agencies are dedicating full-time people "for the good of all of government and for the benefit of commercial providers. It doesn't cost taxpayers one dime."
Wyatt Kash is editor of InformationWeek Government.
Metrics, data classification, governance, compliance -- and your vendors -- are all part of the risk management equation. Find out more on this Dark Reading report, The Risky Business Of Managing Risk. (Free registration required.)