News
1/21/2014 09:20 AM

Defense CIO Takai: Why FedRAMP Helps Everyone

FedRAMP, and Teri Takai's role on the Joint Authorization Board, are helping redefine cloud computing security standards.


Download the entire February 2014 InformationWeek Government issue, distributed in an all-digital format (registration required).

Teri Takai juggles many duties as CIO of the Department of Defense, one of which is to help decide whether commercial cloud services meet a rigorous set of government security standards as part of the FedRAMP program.

Cloud service providers can still receive direct operating authority from an individual federal agency, as Amazon Web Services did last May from the Department of Health and Human Services. But approval by FedRAMP's Joint Authorization Board, on which Takai sits, offers an added badge of authority that a cloud service conforms to a baseline of security standards that, subject to provisional review, will satisfy the demands of most federal agencies. The JAB, which meets once a month, also includes the CIOs at the Department of Homeland Security and the General Services Administration, as well as all three agencies' technical support teams.

"FedRAMP in many ways is having a strong influence, and will have a strong influence, on the industry," Takai said in an interview with InformationWeek Government. "We think it is an important effort, not just for the government, but to help commercial providers be better for everyone...

"We were finding there were so many cloud models, and so many offerings, with a lot of providers claiming to offer cloud services without really understanding what government needs."

Takai recalled a time two years ago when a vendor approached her and announced, "We're standing up a cloud environment just for you," to which she responded: "How would that work since you don't even know what I need?"

[Photo: Teri Takai, CIO, Department of Defense]

Takai, who spent 30 years in IT at Ford Motor Co. and served as the CIO for the states of Michigan and California before joining the DOD as CIO in 2010, thinks FedRAMP faces challenges on two fronts: 

"It isn't only getting companies to be FedRAMP-certified, but also getting federal agencies to utilize the services that are FedRAMP-certified. We tend to talk about FedRAMP as being the certification of a company. It's actually not. Many larger companies offer cloud services in different ways to many customers. It's only a particular service that is FedRAMP-certified." The program is trying to get a wider variety of cloud services certified, so that more agencies move to the cloud, she says.

The second challenge is moving more providers through the application process. It took nearly 10 months for Autonomic Resources, the first of a dozen applicants, to get FedRAMP authorization for a platform that lets DOD users provision processing, storage, and other resources. The process now takes about six months.

"While six months sounds like the typical bureaucratic drag, I look at those six months differently," Takai says. "It's extremely productive and important -- both for us and for the company -- to understand what it takes to meet government security requirements," including the need for continuous system monitoring, clearly defined system boundaries, and encryption tools to safeguard data during transmission. 

"In many cases, those aren't requirements they've had to follow," she says. "I'd rather have the assurance that a provider can offer us services that are secure, even if it takes a couple of more months, than to rush it and not have that assurance."

To some degree, Takai's reputation is on the line. "I've effectively told my fellow federal CIOs that if you go and buy this service, you will be OK from a security perspective." 

Gaining ground
The fact that service providers are starting to advertise and market their FedRAMP certification to potential commercial customers is one indication that FedRAMP is gaining stature outside of government, Takai tells us. "One of the things we had to write that we didn't anticipate is a document to give to companies on how to use the FedRAMP brand."

Takai's experience with FedRAMP elicited two other observations from her: the importance of federal CIO Steven VanRoekel and his predecessor, Vivek Kundra, in setting the vision for adopting cloud computing; and the importance of airtight security in moving cloud computing forward.

Perhaps given her private sector background, Takai was quick to note that FedRAMP isn't a funded government organization. The program works because agencies are dedicating full-time people "for the good of all of government and for the benefit of commercial providers. It doesn't cost taxpayers one dime."

Wyatt Kash is editor of InformationWeek Government. 


Comments

WKash, User Rank: Author
1/22/2014 | 12:29:06 PM
Re: FedRAMP vs DOD's standards
Chris, you raise a fair point that FedRAMP isn't an easy thing to grasp and that its branding message could use some work. In this case, Defense CIO Takai was talking about the use of the FedRAMP certification, and its logo, and the need for FedRAMP-authorized services to follow some clear-cut rules on how they promote the FedRAMP seal of approval. The problem is similar to the one other certification groups face (ISO certification comes to mind), where it's important to police how firms promote the certifications they've earned.

ChrisMurphy, User Rank: Author
1/22/2014 | 9:48:00 AM
Re: FedRAMP vs DOD's standards
Ms. Takai talks about using the FedRAMP brand. I don't have a good feel for what that brand stands for, though, to would-be cloud buyers. Does it convey security, reliability, ease of use, or more narrowly "government-readiness"? Or something else?

WKash, User Rank: Author
1/21/2014 | 6:13:25 PM
FedRAMP vs DOD's standards
One of the open questions about FedRAMP and its adoption at the Department of Defense revolves around FedRAMP's reliance on the NIST 800-53 standards while DOD still relies on its own DIACAP IT certification standards.

I asked Teri Takai about that. She told me that the Defense Department is close to finalizing recommendations to shift from the DIACAP process to the NIST standard. It's part of a broader decision to move away from unique DOD standards to more broad-based standards, including NIST's standards. Not surprisingly, the recommendations are getting a heavy legal review at the Pentagon.
