System Thinking – One Bite Sized Chunk at a Time


Embracing change and innovation in cloud systems with system thinking 

Why don’t people want to try something new? Change can be scary, overwhelming, and intimidating. Complacency often feels comfortable for many. However, are we truly progressing, creating efficiencies, and discovering better ways to accomplish our tasks? I don't think so. 

We need to experiment more and have less rigid plans. Start with system thinking, break the problem into bite-size chunks and stop trying to eat the whole thing all in one bite. 

The cloud makes it very easy to build, manage, and defend secure infrastructures and practices, and to tear them right back down to test your ideas faster. This learning cycle ultimately creates efficiency and breaks the pattern of entrenched bureaucracy and unnecessary overhead, helping to build very lean systems.

One of my core beliefs is that we learn the most through the struggle of solving our customers’ toughest challenges. When we are mission-obsessed, core learning can be accomplished while developing systems to solve these challenges. We need to embrace experimentation to find more efficient and lean systems. With this core learning cycle, we can find ways to streamline these challenges faster than ever before. In my opinion, it all starts with systems thinking, the art of focusing on the entire system while building one component at a time.

Challenges in Government Acquisition Processes 

One example of a huge challenge that government agencies are facing today is the current government acquisition processes that favor incumbents, large companies, and small businesses, simply because they have the right contract vehicles and checkboxes. We need more transparent acquisition processes to encourage experimentation. In my opinion, failing fast to move on to the next idea quickly and adding more competitive bake-offs on smaller system components will greatly enhance the acquisition process. Focus on delivering smaller systems faster, to see what sticks and what fails.

Harnessing the Power of the Cloud 

To truly harness the power of the cloud and build more secure systems, it's essential to go beyond simply lifting and shifting your current setup from the data center. This approach often leads to more issues rather than solving them. Instead, focus on modernizing your systems by breaking them down into small, manageable microservices driven by APIs.

Consider how AWS developed its Infrastructure-as-a-Service (IaaS). They started with a single service, which has now evolved into the building blocks of the internet. Today, AWS offers over 240 services, all driven by APIs. The key to their success? Each service was built and managed by small, agile teams, each tackling one challenge at a time. This approach not only fosters innovation but also ensures that each service is robust and secure. By adopting a similar strategy, you can create a more secure, scalable, and efficient cloud environment. Modernize your systems, embrace microservices, and leverage the power of APIs to drive your cloud transformation and acquisition strategy to encourage smaller-scale efforts. 

AWS and Government Collaboration

While not all AWS services are currently available for government agencies, AWS is actively collaborating with the Federal Risk and Authorization Management Program (FedRAMP) PMO to continuously audit and review these services. This ongoing effort aims to bring greater efficiencies and leaner infrastructures to government agencies, enabling them to build secure systems using AWS as their foundation.

At the same time, the AWS Partner Network (APN) is incredibly robust, featuring lean and efficient partners who can accelerate your journey to the cloud. These partners bring specialized expertise and innovative systems, helping government agencies modernize their infrastructure and achieve their mission objectives more effectively, while streamlining their acquisition process by leveraging AWS Marketplace. 

By leveraging AWS's secure and scalable services, the expertise of APN partners, and AWS Marketplace, government agencies can confidently and rapidly move towards a more efficient and secure cloud environment. This can speed up the acquisition process tremendously and remove unnecessary overhead and delay. 

Improving the FedRAMP Process 

To further enhance the efficiency and effectiveness of the acquisition process, the FedRAMP Program should consider several additional key improvements to streamline processes and eliminate entrenched practices. Making FedRAMP more modular and less all-or-nothing can help overcome major roadblocks to achieving a FedRAMP Marketplace listing. 

  1. Government-Wide Authorization Mechanism: Establish a government-wide authorization mechanism for cloud service providers struggling to navigate the complex government bureaucracy. Adopting a model similar to GovRAMP, possibly through an external commercial or non-profit entity, could provide a more accessible pathway. 
  2. Continuous Authorization to Operate (cATO): Transitioning to a cATO model is crucial. Embedding true technical reviewers in the process and building a team of government-wide technical security cloud experts will ensure continuous monitoring and assessment, enhancing security and efficiency. 
  3. Enhance the ConMon Process: The ConMon process involves monthly validations to ensure that your cloud service offering (CSO) remains FedRAMP compliant. Streamlining the significant change request process (SCR) should be a major focus and process improvement. 
  4. Flexibility in Meeting Standards: Allowing more flexibility in meeting standards is essential. Some standards can be very costly or inefficient due to government agency review timelines or lack of commercial support. Providing alternative pathways to compliance can reduce these burdens and encourage innovation. 
  5. Rely on 3PAOs: Rely more on the expertise of FedRAMP Third Party Assessment Organizations (3PAOs) and agency reviews, intervening only when there are genuine security findings. 
  6. Efficiency with Less Delay: CSPs already invest heavily in preparing for operations and audits for FedRAMP, so let's make the process more efficient with less delay. 

By implementing these changes, we can create a more agile, efficient, and secure FedRAMP process, ultimately benefiting both CSPs and government agencies. This will allow government agencies to access more CSOs faster with more confidence in their acquisition strategy. If the CSP leverages AWS Marketplace, this will get the CSO into the hands of the end users faster. 

Yes, the current FedRAMP intake process has become a rite of passage, not a beacon for efficiency; however, we have recently seen a measurable uptick in throughput at the FedRAMP PMO. 

Conclusion 

Something I learned many years ago was to find a way to say "Yes, But." Let’s work together to find a path to secure data that is not overly burdensome, inefficient, or costly. The mission will find a way with or without you. We must work to improve the acquisition and FedRAMP process and timelines while keeping our focus on continuous delivery of secure and compliant systems. Automate everything, remove manual and inefficient processes, one process at a time. Securely codify everything. 

We have been building, managing, and defending cloud systems for FedRAMP since the beginning, but the upfront costs and timelines are excessively burdensome, often burning out companies and individuals with unnecessary overhead and processes. We have built systems and frameworks to remove many of the challenges to accelerate the process that the CSPs control: 

  • Building your secure cloud systems: 
    • XccelerATOr: AWS Cloud Native Secure Cloud Infrastructure-as-Code (IAC) framework that can rapidly deploy a FedRAMP HIGH IL5 platform that can support Software-as-a-Service (SaaS) or Platform-as-a-Service (PaaS) systems. 
    • XBU40: Managed AWS GovCloud multitenant PaaS solution that is audited to the FedRAMP Moderate IL4 level. The CSO is designed to protect your CSO and meet FedRAMP, DoD, CMMC, and DFARS Requirements. 
  • Managing your cloud systems: 
    • Command Center: Automate your FedRAMP Vulnerability Management and GRC with a single pane of glass. 
    • ConMon-as-a-Service: Delivers U.S. Citizen on U.S. Soil Continuous Monitoring and Vulnerability Management experts that successfully maintain your authorizations through proactive system maintenance and management. 
  • Defending your cloud systems: 
    • VNSOC360°: Delivers US Persons on US Soil with 24x7x365 Security Operations. 
    • AuditShield: Shields you during your audit with our deep FedRAMP knowledge. 

All of our services are currently listed in the AWS Marketplaces along with our AWS partnership overview. Focus on systems thinking to see the whole picture so the interrelationships of components can assist you in discovering the patterns for change rather than static snapshots. Start where you are with one bite at a time and chew, chew, chew… That’s how efficiencies are found. 
