Canadian FedRAMP for Canadian Government
We need to talk about your Government’s computing problem. I read the newspapers this morning and it seems you have a problem with this whole Shared Services deal your predecessor set up and the mess you’ve inherited as a result. Some are now talking about the public cloud as the silver bullet for this mess. They’re right.
There are different service models you can leverage, ranging from your own systems being built and run in a datacentre operated by Microsoft or Amazon (this is called Infrastructure as a Service) all the way up to a complete application running in the cloud (called Software as a Service). The key takeaway is that adopting a public cloud offering will save Canadians millions of dollars a year, and it can be done safely.
Justin, this may not come as a surprise to you, but your Government has been “leveraging” the United States security standards (NIST SP 800-53) for a long time now. We add a few extra controls, make a French translation and call it ITSG-33. Even though you’re leveraging their security standards, you have yet to embrace their process for the use of cloud services, and this is a shame. You should really check out this thing called FedRAMP. They’ve been using it for a while now and it’s very mature. Between you and me, it blows away our archaic approach to procurement. We need a Canadian FedRAMP process.
The whole process is pretty simple. When a department wants a particular solution, it checks whether that provider already holds an authorization, this thing called an Authority To Operate (ATO). If a provider has already been through the assessment with department X, department Y can reuse that security package and grant its own ATO on the strength of it, rather than starting the assessment from scratch. If not, a department can have the assessment done by an accredited third-party assessment organization (a 3PAO, in FedRAMP terms). How simple! The great news? They even have standardized contract clauses, Justin. You’ve got the basics in place with Shared Services today, and ATOs are nothing new to anyone in the Government. The bad news? Your people are screwing it up. Let me explain…
The problem is that you have some weird quasi-ownership thing going on between SSC and the departments. Under the current system, a department hands over control of a system and SSC then manages it. Multiple groups are now responsible for changes, and finger pointing is the new standard. This is broken and it needs to change. You need to pivot to a model where departments choose their services and SSC acts as the cloud broker. SSC deals with contract management, risk management and control requirements, basically all the cloud security and governance aspects. SSC would also be responsible for maintaining the list of approved services and for working with departments to onboard new applications as required. Once a service is approved, the department implements it and that’s that. Simple, and no need to over-complicate things the way many seem prone to do.
How to get started? Well, that’s easy too. You can literally hit the ground running with dozens of vetted providers at launch. As I mentioned before, you’re already using the security standards that our American friends use. Is it really such a stretch to say that if the Americans have approved a system based on the same controls we use, it can be deemed safe to use from a security control perspective? The devil is in the details here: a FedRAMP authorization covers a specific offering and its assessed boundary, and some providers run special “FedRAMP” environments that are separate from their commercial ones. But since they already know how to build a Government-friendly environment, you’d figure they could duplicate it for Canadian purposes, including where the data is stored.
To be honest, Justin, a change in the risk management process can deliver the savings your predecessor was after. In fact, if you follow this advice, the real problem is going to be finding providers who offer software services in both official languages. And that, my friend, is a battle I will let others fight.