SBMCC Submits Comment in Response to Draft FedRAMP Memo
- SBMCC
- Jan 5, 2024
Director Young:
The Small Business Multi-Cloud Coalition (SBMCC) appreciates the opportunity to comment on the draft version of the memo “Modernizing the Federal Risk Authorization Management Program (FedRAMP).” As small businesses that have invested in supporting the public sector, we believe “[o]rganizations need to move beyond the limitations of encasing interactions within a protected perimeter and adopt the innovative features and security available in leading commercial clouds.” To achieve that goal, our mission encompasses three key pillars: Battling Vendor Lock, Incentivized Multi-Cloud, and FedRAMP Modernization. We believe this memo and our mission combined will promote the types of decisions that are best for the government, the constituents who depend on public services, and the contractor community that proudly supports both groups.
This draft memo is a great step forward towards securely achieving the promise of modern and emerging technology. We commend and applaud the Administration and the Office of Management and Budget (OMB) in taking such a bold and modern approach that has been proven right time and time again by leading private sector organizations. Ultimately, we are pleased to see that OMB has seen the need to promote commercial solutions that also promote competition. The path outlined by this memo will allow businesses of all sizes to partner with the government and address the challenges of today and tomorrow. To do so successfully, government teams should be able to use the best solution using the best technology available to them. We are dedicated to advocating for ways that will ensure our customers have the ability to choose the most innovative and secure IT products and services, switching between vendors seamlessly and as they see fit.
Because of our unique perspective, working with partners of all sizes with different solutions to serve customers of all sizes with different missions, we know that a mono-cloud solution limits the ability to imagine those bold and innovative approaches that result in the most ambitious results. This isn’t true just for our customers, it is also true for small businesses that are as nimble and agile as we are. A true multi-cloud environment that is the result of the intentional integration of services from multiple cloud service providers (CSPs) will improve innovation, provide important resiliency, enhance security, and give users the choice to make the decision that is best for them.
With that in mind, we’d like to emphasize five key areas that we believe will be critical to the success of the final draft of this memo: (1) a strong push to adopt commercial cloud for increased security and feature parity; (2) the benefits of shared infrastructure to improve satisfaction, service delivery, and cost management; (3) the effective resourcing of teams responsible to implement the newly proposed pathways; (4) the commitment to the statutory presumption of adequacy; and (5) doing what is possible to incentivize the adoption of and compliance with a swift implementation timeline.
It will be important to maintain a strong push to adopt commercial cloud for increased security and feature parity.
Moving to commercial cloud will improve service delivery for the US government, improving security, performance, and mission-related metrics. As the memo itself recognizes, “The Federal Government benefits most from the investment, security, maintenance, and rapid feature development that commercial cloud providers must give to their core products to succeed in the marketplace.” This commercial cloud focused approach will not only allow agencies to leverage economies of scale, innovation, and best practices incorporated in the commercial cloud environments that GovClouds tend to lag behind, it will also be in line with current and long-standing trends in acquisition law. Achieving greater parity between what is available to the public versus the private sectors will be critical in creating more secure, reliable, resilient, feature-right, vendor-agnostic, and cost-effective tools and capabilities.
It will be important to take advantage of the benefits of shared infrastructure to improve satisfaction, service delivery, and cost management.
Using commercial clouds rather than GovClouds will provide economic benefits of shared infrastructure that will drive innovation and optimize resource allocation for individual agencies and the US government as a whole. While it is understandable that many agencies will have to run a hybrid cloud environment, one that couples their legacy on-prem and GovCloud-based infrastructure with commercial cloud environments, increasing the use of shared, commercial infrastructure will, over time, result in lower cloud computing costs while providing a modern, secured, and feature-rich infrastructure. It will also provide a greater opportunity for small and new businesses to support the federal government and local governments and businesses where companies like ours are based.
It will be important to provide for the effective resourcing of teams responsible to implement the newly proposed pathways.
The new pathways for authorization, while in need of some additional clarity around transition between the current and proposed approach, signify recognition of agency-specific and cross-cutting US government needs. They also show recognition of the fact that there is a commercial market for SaaS solutions that can be critical to satisfying an agency’s mission, oftentimes designed specifically for that agency or a vertical it operates in, providing the best solution for the individuals responsible for executing. In order to allow for quicker and more effective adoption and usage of these pathways, OMB should develop mechanisms to allow for continued learning about new offerings that could use those pathways to become part of the options or choices agencies can make to integrate into their infrastructure and for their staff or constituents to use. These pathways should also incentivize the use of interoperable infrastructure and applications so that an agency component can choose the solution that best suits its needs, allowing other components within the same agency to make different choices without worrying about the underlying vendor getting in the way of that choice. While there may be a need for increased investment, future budgets and OMB input should ensure those investments provide the type of return they should and have proven to return in key agencies, departments, and corporations that have already made the move.
It will be important to explicitly make the commitment to the statutory presumption of adequacy.
The statutory presumption of adequacy will be critical for agencies and the US government as a whole to fulfill the FedRAMP program’s purpose of “certify once, and reuse many times.” Emphasizing the importance of relying on existing authorizations will ensure agencies themselves will be able to more quickly adopt commercial cloud, allowing the US government to achieve the promise of AI/ML today along with quantum and everything else that will be top of mind tomorrow. It will also allow small and new entrants in the contractor ecosystem to benefit from the improved security requirements required by current and upcoming procurement rules.
It will be important to incentivize the adoption of and compliance with a swift implementation timeline.
Though additional details and clarity around implementation will be helpful, OMB should stick as closely to the outlined timeline as possible, as when it comes to strengthening and securing the US federal IT infrastructure, time is of the essence. To ensure FedRAMP can evolve to meet the push off of legacy on-prem infrastructure and GovClouds in order to meet the moment, FedRAMP itself must be ready and capable of evolving just as fast. This will ensure the US government – and the public that depends on it – have access to the latest security, technology, and features. As the memo points out, staying ahead of our adversaries will mean the US government has to become an early adopter of technology, and ensuring timelines are met will serve as a critical forcing function to ensure the necessary capabilities are developed and resources provided to meet that threat.
Conclusion
We know that a mono-cloud solution limits the ability to imagine those bold and innovative approaches that result in the most ambitious results. This isn’t just true for our customers, it is also true for small businesses that are as nimble and agile as we are – battling vendor lock while incentivizing the adoption of interoperability among cloud environments is critical to our success as solution providers. A true multi-cloud environment that is the result of the intentional integration of services from multiple cloud service providers (CSPs) will improve innovation, provide important resiliency, enhance security, and give users the choice to make the decision that is best for them.
This draft memo takes a big step forward towards that future and we are happy to help OMB and the Administration do whatever is needed to stick to the timelines outlined in the draft Memo and transition the public sector away from the use of antiquated government-specific cloud infrastructure. SBMCC hopes you find these comments helpful and we look forward to providing input as this plan is implemented going forward.