cFocus Software – Automating the Process of Securely Migrating U.S. Government Agencies to the Cloud
Now that U.S. government agencies are required to migrate to the cloud, they must ensure their information remains secure. With many agencies running dozens, if not hundreds, of systems on limited staff, manually fulfilling security requirements and then continuously monitoring them for compliance is nearly impossible. cFocus Software’s proprietary software, ATO (Authority To Operate) as a Service™, automates cybersecurity compliance, helping government agencies get onto the cloud quickly, effectively and securely.
Tell me a little about your background in IT and cybersecurity.
I went to Dartmouth College, and graduated with a BA in Mathematics in 1998. Right after school, I went to DC and worked for Optimus Corporation, a small business federal government contractor. I started at the help desk and after a few years, moved to their software development department. In 2006, I founded cFocus Software. We did a lot of SharePoint work, and also provided certification and accreditation services for multiple IT systems within the Department of Defense. Along the way I earned several cybersecurity and Microsoft certifications, including: Microsoft Certified Solutions Developer (MCSD) Azure Solutions Architect, Microsoft Certified Solutions Expert (MCSE) Cloud Platform, Certified Information Systems Security Professional (CISSP), Certified Penetration Tester (CPT), and Certified Ethical Hacker (CEH). We launched ATO as a Service™ this year to automate FedRAMP compliance for federal government IT systems in Microsoft Azure and Office 365.
Before we talk specifically about ATO as a Service™, can you please explain FedRAMP?
Sure, FedRAMP is the Federal Risk and Authorization Management Program. Basically, it’s a framework for implementing cyber security for federal government IT systems in the cloud.
What are the steps a system must go through to meet FedRAMP compliance?
FedRAMP is based on the Risk Management Framework which has 6 steps:
- Categorize the system as a low, moderate, or high impact system.
- Select the appropriate security controls for the system. There are baseline controls for low, moderate, or high impact systems. The higher the impact of the system, the more security controls need to be fulfilled.
- Implement the security controls for the system. These first 3 steps result in a System Security Plan (SSP) document.
- Assess whether the system fulfills the security controls. This is done by a third-party company that tests the system’s compliance with every single security control.
- Authorize the system. The authorizing official, typically the CIO of the agency, evaluates the system assessment, and decides if the risk of a system is sufficiently mitigated. If so, he/she issues an Authorization to Operate (ATO) for that system.
- Monitor the system. Once the system is operating on the cloud, it is important to assure continued compliance with FedRAMP as the system and its data evolve and grow.
How does ATO as a Service™ help government agencies achieve FedRAMP compliance?
ATO as a Service™ is a Software as a Service that helps government agencies automate and expedite FedRAMP compliance. Specifically, ATO as a Service™ helps generate SSPs, and continuously monitors the systems in Microsoft Azure and Office 365.
Creating an SSP is a bear! Right now, it is a completely manual process. An agency would have to create a 900-1,000 page document – literally 1,000 pages! – for each system’s security plan. With ATO as a Service™, we automate and expedite the process of generating the SSP.
ATO as a Service™ also automates and expedites the system’s monitoring, so that agencies don’t have to figure out and orchestrate all the different tools and services needed to come up with a continuous monitoring solution. We take a portion of that away and manage it.
Now, we don’t automate the entire SSP generation or continuous monitoring processes, but we certainly make it much easier to complete these steps for your Microsoft Azure or Office 365 systems.
If ATO as a Service™ uncovers a vulnerability, does cFocus Software offer solutions to mitigate it?
ATO as a Service™ integrates with third-party vulnerability assessment tools that can identify and mitigate vulnerabilities. This is part of the continuous monitoring solution that we offer.
What are some of the biggest challenges government agencies face when migrating to the cloud?
There are two major challenges we find with government agencies moving to the cloud. The first is a lack of resources. The agencies not only lack the funding necessary to move to the cloud, they are also lacking the expertise of their staff to design a solution to migrate and then to run their system in the cloud. The second major challenge is change management. Change management is the area people don’t often think about when it comes to running their system on the cloud versus running on-premises. It is a completely different model that requires a completely different set of expertise and policies and procedures. Additionally, the way services in the cloud are purchased is very different from the way that government agencies typically buy services.
Why is Microsoft Azure your preferred cloud solution for government agencies?
We have been a Microsoft partner for 10+ years and have 2 Microsoft Gold certifications (Application Development, Collaboration and Content), so we have significant expertise when it comes to Microsoft services, and more recently the Microsoft cloud. Migration to Microsoft Azure is a natural progression for government agencies since many have already made a very heavy investment in Microsoft services prior to the cloud.
cFocus Software also creates government chatbots. How do you see chatbots evolving in the future?
Yeah, so in addition to offering ATO as a Service™, we also develop chatbots for government agencies. Chatbots are conversational apps that you interact with through text and talk.
I see chatbots and artificially intelligent personal assistants such as Alexa and Siri revolutionizing the industry at the same level as the point and click mouse did back in the 80s. In the future, you will no longer need to download or operate apps, you’ll just type or speak to your chatbot and it will follow your command.
Interviewer’s note: As if in agreement with Mr. Walker, despite thoroughly testing a recording app, my phone only recorded my side of our interview… Wouldn’t it have been great if I could have just said “record conversation”?!