Ashley Mahan became an agency evangelist for the Federal Risk and Authorization Management Program (FedRAMP) in November, taking the lead spreading the good word of cloud security throughout the federal government. Five months in, Mahan sat down with Federal Times Senior Reporter Aaron Boyd to discuss what she's learned so far, where she's going next and why other agencies might consider hiring an evangelist of their own.
What is an agency evangelist and why does FedRAMP need one?
As an agency evangelist, one of my main missions here at FedRAMP is to facilitate agencies moving to the cloud and ensure that they use FedRAMP compliant cloud services in doing so.
We have gotten a lot of questions recently on why is there FedRAMP agency evangelist: What is your role, was there a need, how did this role come about? Last summer, the summer of 2015, [Director] Matt [Goodrich] and the FedRAMP team did some extensive outreach efforts. We talked to about 80-plus groups out there, from agencies to cloud service providers to 3PAOs [third-party assessment organziations] asking them what do they want in FedRAMP and how can FedRAMP better serve them.
One of those things, and something also that the team, FedRAMP, realized going in was that they were looking for someone to be the touch point between FedRAMP and agencies. And not just agencies were asking that. Cloud service providers were also asking that question — or requesting that as well. Primarily because cloud service providers work with agencies to get an agency-sponsored authority to operate [ATO].
They wanted an advocate that could work with them and agencies in that process.
What is it about FedRAMP specifically that requires agencies to be directly involved?
Agencies are directly involved with FedRAMP because we really view them as a partner. Agencies, cloud service providers, third-party assessors — we view it as a partnership. FedRAMP is needed to help agencies to move to the cloud faster and one of those big hang ups historically — and also from a cost-effective standpoint — was that it would be very timely and expensive for each agency to authorize a particular IT product.
The great thing about the cloud is that you can create an environment in a matter of minutes. You can spin up a virtual machine, but it also could be reused and cloned so the same technical solution could apply to multiple agencies. The beauty about FedRAMP is that we work with agencies to create an original authorization, or with the Joint Authorization Board, to create a JAB P-ATO [provisional authorization] that then agencies can go in, review that documentation and review the risk posture — because at the end of the day it is all about risks — to the cloud and to these systems where the government is putting their federal data, and conclude a risk-based decision and issue an ATO based upon a series of documentation that was done once and not many times.
Which agencies have you visited so far?
These past couple months I have been really busy. I have met probably with at least 15 to 20 agencies and continuing to meet with many more. Very excited. My goal is to meet with as many agencies as I possibly can.
We have a very open-door policy. We are continuing to build our relationships with different agencies and enhance our relationships with agencies that we have existing relationships with. I have definitely had my work cut out for me but I love helping. I love helping everybody out.
How do you decide which agencies to visit?
There are a couple of different approaches. But we have an open-door policy so anyone can contact me through our agency at info@FedRAMP.gov email address. Also, we have a Twitter handle, a couple of them. I have my own, @FedRAMPAshley. Also we have @FedRamp and they can request to talk and to have a chat about whatever IT cloud needs that they have with FedRAMP.
Other ways, we have some FedRAMP initiatives, like the high baseline for instance or we had Rev3 to Rev4, which was a big transition that we underwent. Those are the type of things I am trying to reach agencies that I know would have interest in, let us say, in a high baseline and trying to meet with their different CIOs.
And it is not just CIOs with our agency road show. I am meeting with everyone from agency CIOs to engineers to program managers, project managers, acquisition folks. So, meeting with everyone just to spread FedRAMP awareness and make sure that that information flow is pushed out to as many people as I can talk to.
What are you hearing from agencies? The good, the bad, the ugly? What are they telling you when you meet with them?
There are primarily three things that I am hearing. The first is they want to know about FedRAMP. They want to know how they can get in compliance. They want to know how to navigate through the FedRAMP process. It is very FedRAMP process/program specific.
The other one is they are very interested in the FedRAMP-compliant cloud services and also the cloud services that are in process and what those particular cloud service offerings are. So we look at their mission needs and we have very candid conversations where they say they have certain priorities, mission needs.
Then they have the question of which cloud service providers that are currently FedRAMP compliant; which ones are in process could meet my needs?
I try to act as a bridge to connect those discussions between the agencies and cloud service providers, so the agencies can make a more informed decision later down the road. The last part is a little bit of a mixed bag, I like to say. Very complex agency-specific problems or issues or concerns regarding cloud. Sometimes it can be very technical security in nature. As I was an [information system security officer] ISSO previously, reviewing the documentation and all the different controls and things like that. Sometimes they really just have questions on their customer responsibilities and when a cloud service provider says that an agency or a customer has this responsibility, how does that translate to the agency? What are some things that they need to be thinking of?
That last part is just a very unique agency-specific, complex kind of problem.
In general, are agencies more interested in hearing about companies and services that have already gone through the process or are they more interested in hearing about how they can authorize vendors who they want to be handling their systems?
It is definitely a mixed bag. There were some incredibly innovative cloud technologies that are out there that the government is just dying to use. It is going to reduce their cost. They are fast. It is really going to help their mission and take it to a new level.
They want to use these products and services and so what we can do is help make that bridge between the agency and the cloud service provider to say, "Hey look, this is what FedRAMP is. This is the requirements for doing business with the federal government from a cloud standpoint." Kind of broker those conversations.
What is the message that you are trying to get out as you go to agencies? What is the thing that you try to hammer home that might not be obvious?
My message to agencies is I am here to help. Based on our outreach efforts back from this summer talking to 80-plus groups, stakeholders out there. We really found that agencies and cloud service providers want a touch point on the FedRAMP program. They have a lot of questions, and great questions, and I want to be able to provide an answer to their questions so they can make their business decisions.
I am really here to say, "We are here to help," and it is not just me, it is also the entire FedRAMP program. We are really here to promote collaboration and working with all the fantastic partners.
Have you seen any shifts in the last five months? Have your efforts made any clear headway in changing the way people think about FedRAMP or interact with the program that you have seen in a tangible way?
There is a need out there from all the different agencies. They are dying to collaborate with one another. So, one of the things that I like to bring to the table is connecting those dots between one agency and another. It was very interesting.
I was working with one agency on a FedRAMP over-arching policy and then based on another conversation I had with another agency, they were in the beginning stages of creating something. Linking those two agencies together — why do we have to recreate the wheel, right? So it is really promoting collaboration and those conversations between each agency. That is one of the things I love doing in this position.
The other thing is I am a numbers kind of person and since I have been here, we have had about a 53 percent increase in agency ATOs. I wish I could take credit for all of it. I know I can't. But I am hoping at least through the conversations that I am having with agencies, they are becoming more informed about FedRAMP and I am assisting them in navigating through the process to create informed authority, risk acceptance decisions in using these particular cloud services.
The agency evangelist position is not something we have really seen before in government. How might other agencies consider doing something similar in creating a similar position? How it can be useful, what it can be used for?
The reason why the agency evangelism position is so valuable is that I think a lot of different agencies focus on their agency and their specific issues and they have got a lot going on. To be able to have an evangelist, it really helps the facilitation of information and promote collaboration across the entire government. I am a big promoter of sharing information to help create a more flexible and effective government that shares information.
Who are you going to see in the next couple of months and what are you going to do as you finish out the year?
My goal is to hit all agencies. I want to see all agencies. I want to talk to as many different agency partners as I can, as well as cloud service providers. So, again, in line with the open door policy, as many people as I can reach out to that are in need of our assistance, I am there.
Can you share with us any specifics on who you are going to talk to or interesting examples of how you were able to help an agency?
I have been doing a lot of work with Department of Commerce and Health and Human Services and Housing and Urban Development.
I am really excited about HUD. I am participating in one of their ISSO consortiums later on this month to talk to different ISSOs on how FedRAMP applies to them and things that they might need to be cognizant of. We are very, very excited about all the great outreach events, as well.
Aaron Boyd is an awarding-winning journalist currently serving as editor of Federal Times — a Washington, D.C. institution covering federal workforce and contracting for more than 50 years — and Fifth Domain — a news and information hub focused on cybersecurity and cyberwar from a civilian, military and international perspective.