On May 17, 2021, President Joe Biden published Executive Order 14028, “Improving the Nation’s Cybersecurity.” The order addresses “persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector” and calls on both the public and private sectors to up their respective games.
“Incremental improvements will not give us the security we need; instead, the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.”
In conjunction with Executive Order (EO) 14028, and the recent announcement that the Kahua platform has gained FedRAMP Authorized status and is now listed on the Federal Risk and Authorization Management Program (FedRAMP) Marketplace, we had the opportunity to sit down with Kahua Chief Technology Officer Colin Whitlatch. We spoke about the impact of this executive order on the industry, especially on those involved in public projects, whether federal, state or local government or P3 projects, and about how Kahua is part of the solution.
Q: Colin, what is your understanding of EO 14028, Improving the Nation’s Cybersecurity, and how will it change requirements for capital planning technology, like project management information systems (PMIS) and other technology vendors who work within the government space?
A: For cloud computing technologies like Kahua, the EO will use the Federal Risk and Authorization Management Program (FedRAMP) to develop further cloud security strategies. Currently we are 100% compliant with the requirements, holding the FedRAMP Authorization status. In fact, Kahua is the first company to deliver a PMIS to the industry with this status.
Q: Can you briefly explain what FedRAMP is and the process required to become FedRAMP certified?
A: FedRAMP is a federal government program put in place to deliver consistent, best-practice security protocols implemented by cloud service providers (CSP) providing services to the federal government. It is broken down into different levels based upon the sensitivity of the data handled by the CSP. Kahua has pursued a FedRAMP-Moderate designation, which requires 327 controls be implemented within the platform to meet FedRAMP-compliant levels. Achieving FedRAMP-Moderate Authorization has required Kahua to undergo an advisement period on implementing the controls, an assessment of those controls once implemented, and now a continuous monitoring phase where we continually monitor and enhance our platform as we provide service to the federal government.
Q: How long does this process take? What kind of resources need to be invested?
A: We began the FedRAMP process in May 2018 and became authorized in January 2022. There were milestones along the way, as it is an iterative process. Kahua achieved this authorization with no unusual delays. I point that out to say that the process is painstaking and lengthy for anyone. We spent several thousand man-hours achieving this goal. That said, much of the investment has had a positive effect on everything else we do. This process allowed us to put controls in place to deliver a more secure platform for all our clients, not just our FedRAMP clients.
Q: What must other vendors who currently serve federal agencies do to comply with this EO?
A: Software solutions from vendors that are NOT FedRAMP Authorized that are still utilized by agencies will be required to meet the executive order. We expect that very soon PMIS vendors who do not hold this authorization will not be allowed to host project data for federal agencies. In short, they will need to go through the long process we just described and become FedRAMP Authorized also.
In addition to these requirements being placed on federal programs, state and local agencies are also beginning to seek out FedRAMP Authorized solutions; for many it is a requirement. For example, the State of Texas has created TX-RAMP, based on FedRAMP. State Senate Bill 475, passed in the spring of 2021, will require the Texas Department of Information Resources to certify vendors through TX-RAMP, with a fast track for vendors certified by FedRAMP.
Matt Goodrich was the GSA’s FedRAMP Director who launched the program. Prior to leaving the GSA in 2019, he predicted a wider adoption, stating, “FedRAMP sets the bar for how to protect federal data when it resides in the cloud environment, and GSA [General Services Administration] believes that state and local government can leverage this security standard for compliance needs at the local level.”
What then is the answer to the first question: What effect will EO 14028 have on the construction industry? We’ll have to wait and see. EO 14028 is a living document in that it calls for recommendations that will lead to further actions. These recommendations are still coming. They will no doubt mean changes to the way technology vendors can operate.