HHS manages risk in using cloud through federal program
The Department of Health and Human Services has embraced a government-wide program that provides a standardized approach to the cloud through security assessment, authorization and continuous monitoring.
HHS Chief Information Officer Jose Arrieta told a House subcommittee on Wednesday that the agency sees the Federal Risk and Authorization Management Program (FedRAMP) as a “strategic enabler” and the “fulcrum” for its IT modernization efforts, noting that more than 60 FedRAMP-certified cloud technologies and services are in use across the department.
According to Arrieta, leveraging cloud technology through the FedRAMP process has resulted in greater data sharing, enhanced data security and financial savings. He said HHS was the first agency in 2013 to sponsor a cloud service provider through FedRAMP, and that in the past five years it has authorized 14 cloud service providers and currently maintains authorizations for nine unique cloud offerings.
“We support the standardization and reuse model,” Arrieta testified. “This ‘do once, use many’ model has saved the department and its customers countless hours of security assessment time by being able to review and utilize existing documents that have already been approved by other agencies.”
Security is a central concern for HHS, he told lawmakers, as the agency is responsible for safeguarding the data of one in three Americans—including personally identifiable information and protected health information.