Top officials from several private sector firms that are helping the Federal government modernize its technology and cybersecurity capabilities told MeriTalk that last week’s FITARA Scorecard gradings for the largest Federal agencies in several IT-driven categories are shining a necessary light on government’s need to make more progress in implementing longstanding cloud policy directives.
On the 17th edition of the FITARA Scorecard, overall grades for 11 agencies declined, with only one agency improving its grade, and the remaining 12 agencies maintaining the same grade as the September 2023 scorecard.
The downward trend can largely be attributed to changes in grading categories, particularly the addition of a new category assessing agency advancements in cloud computing. Among the 24 graded agencies, only the Defense Department scored an “A” in this category, six agencies earned “D” grades, and 16 agencies received failing grades.
Grades for cloud computing are based on how agencies meet five requirements of the Office of Management and Budget’s Federal Cloud Computing Strategy, which was issued in 2019 to accelerate agency cloud adoption. Interestingly, these requirements do not seem to directly correspond with the actual usage of cloud services by agencies.
According to the scorecard, “The five requirements focus on ensuring that the CIO oversees modernization, agency cloud-related policies and guidance are iteratively improved, service level agreements are in place, service level agreement contracts are standardized, and visibility in high value asset contracts is continuously ensured.”
Field CTO Gary Barlet of Illumio commented, “With the FITARA 17.0 Scorecard including cloud computing as a new scoring category this year, I’m unsurprised that we saw an overall decline in scores. It’s no secret that cloud security – especially across the federal government – isn’t where it needs to be.”
“These results only highlight the need for agencies to prioritize improving their cloud security posture, particularly as more critical assets and workloads move to hybrid cloud environments and foreign adversaries increasingly target vulnerabilities across cloud infrastructure,” Barlet said.
Chief Technology Officer Gary Hix of Hitachi Vantara Federal stated that “the recent FITARA assessment highlights the ongoing delay in cloud adoption and emphasizes the critical need to redirect our focus toward investing in technologies that bolster robust cybersecurity and national security postures for Federal agencies.”
“In light of the latest FITARA scores, which includes the new Cloud Computing category, it’s evident that Federal agencies still need to prioritize and improve their cloud adoption strategies beyond email, large scale SaaS and public facing websites,” mentioned Global Chief Compliance Officer Stephen Kovac of Zscaler.
He also said, “With increasing investment in cloud technology within the government and the modernization of the FedRAMP program to accelerate cloud adoption, it is essential for agencies to consider beginning to move more critical business application to the cloud while aligning with best practices outlined in the Federal Cloud Computing Strategy, known as CloudSmart.”
Kovac mentioned, “Agencies need to show marked improvement from these initial FITARA Cloud Computing scores. To achieve this, they need to lean into programs like the Technology Modernization Fund and other funding sources, look at moving to more cloud services such as SASE and EDM, as we as a nation progress into a new and safer CloudSecure era.”
Hix remarked that, “despite this challenge, we already have guiding frameworks in progress, like the CloudSmart policy, other executive orders and standards that enhance the overall implementation of cloud security measures, so I think it’s time to lean into those initiatives as part of agencies’ pursuit towards hybrid cloud.”
“This will require a ‘heads down’ approach in our efforts to catch up and I’m confident we’ll get there, but it will take a village,” he said. “Just as we continue to witness the collaborative efforts driving safe, secure and trustworthy AI adoption, it’s evident that cross-sector unity is essential in navigating these critical strategies to achieve resilient cybersecurity and adapt to evolving threats.”
Barlet from Illumio added, “I’m hopeful that agencies will reflect on the latest scores and prioritize implementing effective cloud security strategies in the year ahead. Starting with the basics – prioritizing increased end to end visibility, continuous monitoring across workloads, adopting an ‘assume breach’ mindset, and embracing containment strategies to proactively limit the impact of inevitable breaches.
“But we need to start seeing improvements when it comes to cloud security, and we need to see them sooner rather than later,” he said.