Cloud adoption has been an ongoing initiative across the federal government as a whole, but the question of how to vet new solutions and continuously authorize existing cloud capabilities remains for many agencies.
Federal IT officials during Wednesday’s GovernmentCIO Media & Research Infrastructure Security event provided a look at how iterative, automated and reusable approaches to modernization and authorities to operate (ATOs) are answering that question.
Centers for Medicare and Medicaid Services CISO Rob Wood said that amid ATO automation attempts, iteratively automating parts of the authorization and security pipeline is a productive step to improving the compliance process.
“Embrace the fact that automation can be as simple as taking care of the repetitive five-minute annoying things that fill up your day on a regular basis or going back and forth and trying to schedule things or soliciting feedback or agenda items before a meeting or whatever it happens to be,” Wood said. “If you can pile up and stack up a number of those small wins, then your team as a whole can be much more effective with their time.”
The Department of Veterans Affairs, which has a goal of an 80% utilization rate for cloud services, has also been applying automation and an iterative process to its capability adoption through DevSecOps strategies.
“We continue to look at various ways of how we can automate across the board,” said VA Enterprise Cybersecurity Architect Royce Allen. “We had a meeting with FedRAMP about automation. They’re moving information from OMB MAX to our system of record for how we capture our authorizations, so that we can move away from doing some things manually.”
U.S. Citizenship and Immigration Services CTO Rob Brown added that using basic automation tools can help agencies like his keep up with continuous demand across the IT pipeline. USCIS, which is about 90% migrated to the cloud, is finding reusability in some of its cloud capabilities.
“If you want to do some leapfrogging, really focus on past usage,” Brown said. “It’s great to spin up virtual machines; [I] highly recommend just bypassing a lot of that sort of lift and shift from a data center of a VM to a VM in the cloud and look across the portfolio of services that exist and embrace … a lot of these past services [that] typically are FedRAMP and/or have an HMO that you could potentially leverage from another agency.”
Reusable solutions, which already have pipelines of their own built out, can also help with DevSecOps processes.
“Having frameworks that have logic built in … one group we worked with was impacting their backlog and essentially creating encryption at rest for payloads,” Brown said. “You start to build that in and work with those groups, then it just eliminates the need for all of these other engineering teams to have to deal with that themselves.”
Wood is also embracing a similar approach, making it easier for developers to build products more quickly and to get value faster.
“Everything that we are doing along the lines of DevSecOps kind of keeps that metric in mind, is how frictionless, can you get to a production deploy … how can we streamline that, and so we are also putting in place an enterprise Kubernetes build out,” Wood said. “The idea being that you are building on a platform and inferring all of these things, and if the environment or the sandbox that you’re building is safe, then you know you can make a lot more.”