Testimony for the Record

Lynn Martin
Vice President, Government, Education and Healthcare
VMware, Inc.

Before the U.S. House of Representatives
Committee on Oversight and Reform Committee
Subcommittee on Government Operations

“Federal Risk and Authorization Management Program (FedRAMP)”

July 17, 2019

Chairman Connolly, Ranking Member Meadows, and Members of the Subcommittee, thank you for the opportunity to testify today at this important hearing. I am Lynn Martin, Vice President of Government, Education and Healthcare at VMware, Inc. I have nearly 30 years of experience in the Federal sector.

VMware is the world’s leading provider of infrastructure software and the fifth largest software company in the world. We have revenues of over $10 billion and more than 24,000 employees. We are headquartered in Silicon Valley, California, with 125 offices throughout the world, serving more than 75,000 partners and 500,000 customers, including 100 percent of the Fortune 500. Our software is present in 88% of the world's data centers and was the enabler for data center consolidation worldwide, saving organizations billions in hardware costs.

The U.S. government is a long-standing, critical partner and customer of VMware, and we remain committed to serving all sectors of the U.S. Government – including the Department of Defense, civilian agencies, and the Intelligence Community, as well as state and local governments. VMware is a part of the Dell Technologies family of companies. We are committed to providing both government and commercial organizations with the ability to respond to their dynamic business needs, whether they utilize on-premises datacenters to build a private cloud, the public cloud, or personal computers and mobile devices. VMware is providing enhanced security to government and commercial customers globally through its pioneering role in redefining how we build and secure networks, data centers, computers, and devices.

Thank you for holding this important hearing around the Federal Risk and
Authorization Management Program (FedRAMP). I appreciate the opportunity to share VMware’s perspective on the important legislation introduced by Chairman Connolly and to relate our experience in taking our products and solutions through the FedRAMP process.

VMware has been at the center of the Federal Government’s cloud transformation journey since the early 2000s. Our partnership pre-dates the Obama Administration’s “Cloud First” policy that was set forth by Mr. Vivek Kundra when he was the Federal CIO. VMware introduced innovative solutions that allowed the Government to make optimal decisions around how to best meet its mission. The innovations we have brought to the market have saved the Federal Government billions in carbon footprint reduction and have enabled choice through decoupling hardware from software and allowing for choice in vendors. Today, we continue this innovation by enabling our customers to make choices about how to modernize their IT infrastructure in the multi-cloud world we live in.

FedRAMP is a key part of the government’s journey to the cloud. I have significant personal experience with the FedRAMP process, having taken three separate cloud services through the process end-to-end, along with another cloud service in-process today. My experience dates back to when FedRAMP was formed, when I was the overall Federal leader with Hewlett-Packard (HP) Corporation. At that time, I took HP’s service through its Infrastructure-as-a-Service offering to achieve a FedRAMP Authority to Operate (ATO). I have since had the privilege of leading not just one but two additional services (vCloud Government Service, VMware AirWatch Workspace One) at VMware through the FedRAMP process. In addition, VMware has another service that is in-process today (VMware Cloud on AWS GovCloud). These VMware services have been both classified as Software-as-a-Service and Infrastructure-as-a-Service.

Based upon my experiences through the last eight plus years, I can personally say the FedRAMP PMO has taken
great strides to achieve higher capacity and a more streamlined process. I would like to commend GSA for its efforts in making the improvements they have. Our collaboration and partnership with GSA has improved through each of the authorizations I have personally been through. For example, over the past 18 months, the PMO has gone above and beyond in coaching my team through the process and given us perspective that has been instrumental to ensure we understand how we can best optimize our submission.

I commend Chairman Connolly on his efforts to support GSA in its ongoing effort to improve the FedRAMP authorization process. The bill that Chairman Connolly introduced enables an evolution that will be required as higher demand from VMware and other cloud software companies will draw upon the Program. Let me take you through our perspective on the bill across the following areas:

1. Funding Mechanism for the Program Management Office (PMO)
2. Clarity on Roles and Responsibilities
3. Use of Automation and Centralized Reporting
4. Metrics, and
5. the Instantiation of the Federal Secure Cloud Advisory Committee

One of the most important elements of the bill is that it formally provides a funding mechanism for the GSA FedRAMP Program Management Office. The current organization has had strong leadership and led the way in driving standards, despite juggling a tremendous workload. Dedicated funding for this office will be a starting point to ensure that more FedRAMP Authority to Operate (ATO) packages are completed in an expedited manner. We do recommend further analysis to confirm if the budgeted amount called out in the bill is sufficient to support industry trends, given the assumed expanded adoption of hybrid, multi-cloud-based services across the government.

The bill introduces much needed clarity around the roles and responsibilities for each organization that has a hand in executing FedRAMP. Speaking from VMware’s first-hand experience in our recent interactions with the PMO, we had to
determine on our own which organization has ownership of what and interact with the office through organic understanding. The clarity introduced in the bill will allow not just VMware but others to build a repeatable plan targeting the proper stakeholders on how best to navigate the FedRAMP process. We thank you for laying out and defining these roles and responsibilities.

VMware commends the bill for driving the FedRAMP PMO towards the adoption of automation through the use of COTS software. VMware’s perspective is that having the PMO embrace automation will allow for greater efficiencies in achieving ATOs for industry cloud-services through increasing the capacity of the PMO, along with reducing costs through automating key tasks. In addition, automation can enable self-service, centralized reporting for industry that will further reduce the burden on the PMO from agency and industry requests. VMware firmly believes that the use of automation coupled with centralized reporting will drive towards a reciprocity model that is needed. To ensure realization of the benefits of automation, VMware does recommend that the bill be modified to require the use of automation versus assessing the use.

VMware also agrees with the call for adoption of consistent metrics surrounding cost, quality, and time. The ability to drive measurement of the PMO will allow for not just accountability through the Office of Management and Budget (OMB) but also transparency into the capacity of the PMO’s ability to ATO public cloud services for the government to embrace. VMware believes this is a strong element of the bill.

The final area that we would like to call attention to is how the bill introduces the Federal Secure Cloud Advisory Committee. We believe that industry coordination with the FedRAMP office is a key component of success. The inclusion of this committee will further bolster the effectiveness of the PMO. This will allow industry to inject best practices and allow GSA to stay ahead of technology
trends. Additionally, the Advisory Committee will allow for greater collaboration not just with industry but also across agencies as well.

FedRAMP has become synonymous with federal Cloud security. However, in order for supply to keep up with demand, the FedRAMP PMO must be given adequate resources so that the government can move further and faster in its modernization efforts. VMware is proud to be a partner with the government on its journey, and we look forward to further collaboration as the Federal Government refines the FedRAMP process and we continue to bring to market innovative solutions.

Thank you for the opportunity to testify, Mr. Chairman, Ranking Member Meadows, and Members of the Subcommittee. I am happy to answer any questions the Subcommittee might have.