As cloud has become commonplace, even table stakes, in government agencies, overarching policies and procedures are evolving to support the secure and sustainable use of cloud in government.
The General Services Administration (GSA) has played a leading role in the evolution of cloud use in government, starting with its oversight of FedRAMP. Today the agency is overseeing a number of government-wide initiatives to meet today’s need for cloud. This includes improvements to the FedRAMP process, the introduction of acquisition vehicles, and general cloud guidance.
Ramping up FedRAMP
Established in 2011, FedRAMP established baseline requirements for cloud solutions to be used by government agencies. As the need for cloud solutions increased and became more mission critical, the speed (or lack thereof) at which cloud solutions could be certified as FedRAMP compliant became a stumbling block for cloud adoption. Today, there are multiple efforts underway to improve the FedRAMP process. New requirements include:
- Updating continuous monitoring for cloud authorizations within six months
- Automating security assessments and reviews
- Moving off of cloud infrastructure designed solely for government use
The Federal Acquisition Regulation (FAR), the primary regulation governing how agencies acquire supplies and services, does not have a definition for “cloud.” This provides a key challenge as there is no definitive resource to point to when determining what qualifies as a cloud purchase and therefore must meet cloud guidelines, including FedRAMP. The FAR also lacks a consumption-based model for contracts, further complicating the purchase of “as a service” offerings. As a result, agencies across government have developed a wide set of workarounds to get the technology they need.
One way GSA is looking to address these gaps is with a blanket purchase agreement (BPA). Termed ASCEND, the GSA-held BPA could be the prime destination for cloud solutions for agencies throughout the government.
Guiding the Government in the Cloud
GSA’s cloud efforts are not siloed within the agency. The Federal Secure Cloud Advisory Committee hosted a series of public meetings in late 2023 to provide recommendations on the evolution of FedRAMP. These include ways to increase agency reuse of FedRAMP authorizations, actions to simplify and streamline FedRAMP authorizations for commercial cloud service providers and agencies, and measures to increase small business authorizations under the program.
In 2023, GSA named the first executive director for cloud strategy. This role will work across government to help lead the implementation of cloud initiatives government-wide.
For more insights into government cloud acquisition and use, check out these resources from GovWhitePapers and GovEvents.
- Navigating Complexity and Uncertainty in Cloud Computing (white paper) – In this ever-evolving field, uncertainty abounds as agencies adopt and integrate into hybrid work environments, cloud-native applications, and multi-cloud platforms. Procurement practices, hiring skilled talent, continuous training,and the future of artificial intelligence (AI) are other challenges agencies are facing in the evolving cloud-computing landscape. In a recent roundtable discussion, experts from federal agencies shared their experiences navigating the complexities of cloud computing.
- The Single Cloud Security Platform for Government (white paper) – As agencies move to the cloud, they often face a lack of visibility into their environment, leading to blind spots and the inability to ensure Zero Trust. The cloud also introduces new attack vectors that are challenging to identify, leaving agencies to struggle scaling their traditional compliance and security processes in this new environment.
- Cloud Native vs. Cloud Smart: Cloud Success Reimagined (white paper) – As agencies reflect on the various approaches to migrate legacy systems to the cloud, several strategies have emerged that have proven to help agencies mitigate risks and reimagine cloud success. Learn from government experts about the strategies, challenges, and successes they have had with cloud migration.
- How to Buy Cloud Computing for Government (January 31, 2024; webcast) – This webinar shares how agencies can procure cloud computing. Learn about the advantages of cloud computing and how to use GSA’s contracts to make the cloud acquisition process easier and more efficient.
- The Future of Cloud 2028: From Technology to Business Necessity (February 8, 2024; webcast) – By 2028, cloud computing will be a necessity not just for business competitiveness, but business survival. Business outcomes will depend on an enterprise’s ability to execute its cloud-computing strategy. Gartner expert Dennis Smith explores how to prepare enterprises and technology vendors for trends that will face them from now to 2028.
- Securing the Cloud (March 21, 2024; webcast) – Government-wide pressure to improve service to citizens, incorporate telework, and optimize IT operations has led many agencies to further embrace cloud computing. This virtual workshop will review Cloud Computing Security best practices to include review and updating of existing IT guidelines, controls, and processes, with the specific goal of protecting data and systems while also meeting regulatory obligations.