Top tech officials at the White House Office of Management and Budget (OMB) and the General Services Administration (GSA) on Thursday called for more public feedback on a proposed set of metrics that would measure the Federal Risk and Authorization Management Program (FedRAMP) authorization experience, which they say will drive “major decisions” in shaping the program going forward.
FedRAMP – which is administered by GSA – aims to provide a standardized, government-wide approach to security assessment, authorization, and continuous monitoring for cloud products and services used by Federal agencies.
GSA published the proposed metrics a few weeks ago, but Eric Mill, the executive director for cloud security at GSA, said that the FedRAMP team is extending the comment period for another week – giving stakeholders until Sept. 5 to submit comments.
“This is maybe one of the least flashy parts of the work that’s going on here, but we take it really seriously, the fact that we have an opportunity to reshape how FedRAMP measures itself and what it considers success to be,” Mill said during an Aug. 22 event organized by the Alliance for Digital Innovation (ADI).
Mill explained that in the past, FedRAMP would measure things “just within its own control” and would not always measure things such as the customer experience going through the FedRAMP authorization process. Mill said the proposed metrics now offer “granular ways” to measure the program’s time, cost, and security.
“There’s still plenty of room for more comments in there, and I really encourage folks to take this opportunity, because it’s not just from the government and bureaucratic standpoint,” Mill said. “If nothing else, it’s going to be a long time until the hood gets opened up that widely again for a metrics overhaul, so really take the time to look into it.”
Drew Myklegard, the deputy Federal Chief Information Officer (CIO) at OMB, added that when FedRAMP first started in 2011, GSA had the right metrics to measure its success. But as the program has evolved, he said it’s time for an update.
“As we pivot towards SaaS, the metrics don’t measure the same and getting feedback from you all would really be helpful, because we have to have a partnership here,” Myklegard said. “We’re not building software anymore. We are procuring it, securing it, and using change management to implement it.”
“Understand that those metrics will drive major decisions, and also budget leadership decisions and how we measure success,” Myklegard said, adding, “So, you can’t come in later after we’ve made these type of commitments. Our budgets take years to bake in, we’re looking ahead multiple years right now. Once those get set and moving, this is your chance to really design where we want to be in the next three to five years.”
The deputy Federal CIO added that OMB and GSA want FedRAMP “to be a success,” and the metrics will be the “key provider” of that.
“There’s going to always be anecdotal feedback, there will always be those type things, but these metrics are what we’re really going to judge whether the policies and everything that we put in place is successful down the road,” he said.
FedRAMP is looking for feedback from all stakeholders, including cloud service providers, Federal agencies, third party assessment organizations, and the general public. Mill encouraged folks that if and when they engage with the metrics to “think about in terms of the incentives that it places on the program.”
“The art of good metrics is the art of getting the most positive, constructive incentives with the fewest perverse incentives,” Mill said. “So, that’s how we’re going to be thinking about it when we look at this to make sure we’re lining up the behavior that it incentivizes after everybody on this table is out of government, and it’s continuing to work.”
Those interested in checking out the proposed metrics can do so here and submit comments here.
