How a Government Agency Set an Example of Transformation
Part of our Series on our FedRAMP journey
It's become all too common (and usually justified) for private industry to believe that over time, Government programs grow in scope and budget, and not only fail to achieve their goals, but become a hindrance to their stated purpose.
If you scrutinized FedRAMP just a few years after its creation in 2011, you would have come to this same conclusion. Instead of helping Government agencies achieve IT modernization, factors had come together to make the FedRAMP process a bureaucratic morass that was difficult and costly to navigate toward authorization.
It was surprising then that in 2015, the directors of FedRAMP did something unfortunately rare in our industry: they reflected on their program and with brutal honesty admitted that it was failing. This was the first and most important step in the process of rebuilding the program from the ground up.
It’s because of this bold action that FedRAMP is seeing more and more success in helping agencies move to the cloud, and it helps FedRAMP stand out as a program that is (if slowly) successfully moving closer to the goal it was created to achieve.
5 Major Lessons Agencies and Contractors alike can learn from FedRAMP
Recognize and Admit When Your Program Isn't Working
“We were ready to transform the program . . . because if we didn’t, we were at risk of alienating all of the stakeholders our program was designed to serve.” [1]
When the authorization process ballooned from the ideal time of three to six months, to up to two years, FedRAMP's team knew something was wrong. FedRAMP had been created to not only create security parameters for cloud migration, but to educate and aid Government agencies in the process. Instead, FedRAMP had begun to create bottlenecks for agencies and cloud service providers (CSPs) alike, making the process slower and more difficult.
It's all too common for IT projects to get stuck in processes that sounded good on paper but don’t work in reality. FedRAMP, by contrast, recognized that the program wasn't working, admitted it, and made the decision to do something about it.
“Many times within Government, we are afraid to change a process or how we do our job simply because it is the way things have always been done or because of the inevitable, sometimes unwelcoming, reaction to change. We rejected this line of thinking outright and pushed forward under the proposition that a program built from scratch could be rebuilt – only better.”
» Lesson #1: Evaluate your company’s work honestly, admit mistakes, and decide to change.
Embrace the Customer Journey
FedRAMP didn’t merely decide to redesign the program based on their own expertise and what they thought the stakeholders needed. They redesigned the program based on the stakeholder’s feedback – what they actually needed. FedRAMP’s team demonstrated humility and a deep understanding that, “...any change would not be the 'right' change unless we heard directly from our stakeholders . . .”
The first thing they did in the redesign process was to talk to each of the stakeholders involved: agencies, CSPs, and Third Party Assessment Organizations (3PAOs). Even though the feedback they gathered was often hard to hear, they didn't push back. They rebuilt the program starting with the customer's journey - “instead of forcing industry to match how the Government was doing work.” Their goal was to solve the problems their stakeholders identified, not the problems FedRAMP believed needed to be solved.
It’s this, perhaps more than anything else, that could be the key to FedRAMP becoming a more and more successful program: a program (re)designed to solve the customer's actual problems.
» Lesson #2: Make sure your company’s goals start with what the customers tell you they need.
Rather than trying to manage every step in the accreditation process, FedRAMP saw a need and opportunity for a third party to step in and help. As a result, 3PAOs were authorized to audit a CSP seeking Authority to Operate (ATO).
It’s common for an agency to not delegate enough authority to other organizations because it desires to maintain control of a particular program. In doing so, the agency is forced to increase ancillary and supporting services for that program, growing the program to the point of becoming inefficient.
FedRAMP instead recognized where they could delegate and did so. In the process they lowered the program’s responsibilities, freed up bottlenecks, and maintained the same level (or higher) of security.
“With the help of agencies and industry, we created the FedRAMP readiness assessment. The FedRAMP readiness assessment would rely on the expertise of our FedRAMP-accredited 3PAOs and would operate more like a gap assessment that is performed by auditors in other industries.”
» Lesson #3: Sometimes it’s better to delegate and engage externally, instead of trying to build expertise internally.
Design Efficiency into the Program
How many Government programs exist that are anything but efficient? No matter the goal of the program, the mantra seems to be, “Do once, over and over again.”
In redesigning the process, FedRAMP’s goal was to enable a one-time authorization that could be used many times by new agencies, without all stakeholders having to go through the entire accreditation process again. Their mantra: “Do once, use many times.”
This framework enables agencies to move to the cloud much more quickly (one of FedRAMP’s goals) and saves 30%-40% of Government authorization costs.
» Lesson #4: If efficiency is one of your goals, build it into your project’s very foundation.
“FedRAMP was designed so that once a cloud service offering has been authorized once, agencies can review the existing authorization package and grant ATOs for their organizations to use the service. This prevents CSPs and agencies from duplicating work that has already been done as part of the initial authorization, saving time and money.” (from https://www.fedramp.gov/cloud-service-providers/)
Use Experience to Teach & Help
It could be argued that the reason FedRAMP was created was to educate and guide agencies in following the huge directive to move to the cloud.
Yet instead of redesigning their program and hiding the fact that it had failed to meet expectations and goals during its first few years, FedRAMP aired its dirty laundry, using this failure as the best possible guide for future success.
Now, agencies, CSPs, and 3PAOs can access the story – the mistakes, lessons learned, and forward guidance right on the FedRAMP website.
» Lesson #5: Your past failures and how you came through them provide the most valuable experiences and lessons to teach others.
As of 2019, FedRAMP continues to work hard to improve its efficiency, lower the cost of authorization, and listen to stakeholders.
In September, the organization held a small business meeting to directly interact with stakeholders and create a forum for businesses to share with one another their experiences and best practices for successful certification.
» Lesson #6: By being open about your successes and failures, you can create a community of stakeholders who can both show you how to continually improve and help one another achieve success.
[1] All quotes, unless otherwise noted, are from the FedRAMP Agency Authorization Playbook: "which takes all of our lessons learned over the past 18 months and puts it into an actionable guide for agencies to complete authorizations in the same timeframes."