HHS wants to expand its list of FedRAMP-approved providers
Health agency would move toward a cloud brokerage model and is working to grant Salesforce.com and Verizon Terremark authority to provide services.
The Health and Human Services Department is looking to expand its choices for cloud services providers, working with Salesforce.com and Verizon Terremark to ensure that the companies are accredited to offer services to HHS agencies under the government’s Federal Risk and Authorization Management Program, according to Frank Baitman, HHS CIO.
A large, complex agency such as HHS, with 12 operating environments, has divisions with different requirements, so it makes sense to certify different vendors that can address those diverse needs, Baitman said during a keynote speech Sept. 10 at the Amazon Public Sector Summit held in Washington, D.C. For example, the Food and Drug Administration might have more stringent security requirements than some areas of the National Institutes of Health, which shares its research.
In May, HHS granted Amazon Web Services’ GovCloud and US East/West offerings an agency Authority to Operate (ATO) after the cloud provider took its cloud services through the FedRAMP accreditation process. Several of HHS’s operating divisions had an ongoing relationship with AWS, which prompted the department to sponsor Amazon through the FedRAMP process.
“We needed an ATO, security and standards around that relationship,” Baitman said.
FedRAMP provides a standard approach for security assessment, authorization and continuous monitoring of cloud products and services. The program uses a “do once, use many times” framework that is expected to reduce the cost, time and staff required to conduct redundant agency security assessments of cloud solutions.
The goal is to simplify the accreditation process and the cloud vendors’ relationship with government, Baitman said. “When vendors work with [HHS], we are solving a lot of security problems they are certain to encounter when they go to other federal agencies,” he explained.
HHS is also working with the General Services Administration and the Homeland Security Department on a proof-of-concept model demonstrating how cloud brokerage services might be applied in the federal government. The cloud brokerage concept would allow agencies to connect a wide range of federal users and partner organizations to a federated marketplace of cloud service providers.
“A relationship where we get immediate provisioning [of cloud services] through a broker portal isn’t going to happen overnight,” Baitman said.
The proof of concept envisioned by federal agencies is one that includes a combination of vendor services and a digital catalog, he said. But this will happen, Baitman noted, only if vendors embrace standardization in all of the areas that agencies evaluate as they consider cloud options – such as security, pricing and service-level agreements.
Baitman acknowledged that the cloud is not the answer for everything. This is why HHS is taking an enterprise view of what applications make sense to move to the cloud. Healthdata.gov, the website dedicated to providing high-value health data to the public, and the Centers for Disease Control and Prevention’s BioSense public health surveillance system would not have been possible without the cloud, he said. Additionally, NIH’s high-performance computing can be done cheaper and faster in the cloud.
Granting cloud providers an authority to operate under FedRAMP gives HHS operating divisions the opportunity to move projects into the cloud on a case-by-case basis and determine if it makes sense for them to be in the cloud, Baitman noted.