In September, GovRAMP hosted the inaugural Learning Series: Preparing for the Cyber Summit — a three-day virtual program designed to bring governments, providers, and partners back to the fundamentals of cloud security.
At GovRAMP, we believe secure cloud adoption depends on collaboration. Standards alone aren’t enough; success depends on clarity, trust, and shared understanding between the public and private sectors. That’s why this first Learning Series centered on three essentials: shared responsibility, smarter procurement, and stronger partnerships.
Why Shared Responsibility Matters
If cloud security has a golden rule, it’s this: security is shared. No single side owns it all. Agencies and providers each hold responsibilities, and the risks are greatest when the lines blur.
That reminder set the tone for Day 1. GovRAMP Co-Founder Joe Bielawski opened with a message that struck home: “Reputation — not revenue — is what carries you through hard moments. Have a servant’s heart.”
Joe stressed that shared responsibility is more than a technical model — it’s a partnership model. And as panelist Torry Crass (Tanium) put it, “The biggest security gap isn’t a control — it’s a misunderstanding of who owns what.”
Speakers agreed: tools like the Customer Responsibility Matrix (CRM) [insert link] and Control Implementation Summary (CIS) [insert link] can close those gaps, but only if they’re treated as living documents — revisited and refined as partnerships evolve.
The Day 1 takeaway was clear: whether you’re defining roles in IaaS, PaaS, or SaaS, transparency builds trust faster than any contract clause.
Contracts as Security Tools
Day 2 shifted the focus to the procurement process — where shared responsibility must become enforceable.
Jessica Van Eerde, GovRAMP’s COO and General Counsel, made the case plainly: “Don’t leave shared responsibility until later. Build it into the contract.” Alongside Okta’s Travis Abatemarco, they showed how SLAs, accountability clauses, and clear documentation move responsibility from words to action. Travis reiterated that Service Level Agreements (SLAs), accountability clauses, and shared-responsibility provisions aren’t “legalese”—they are the backbone of security.
The follow-up panel pressed the point: reports like SOC 2 and frameworks like FedRAMP and GovRAMP provide scalable assurance, but the real differentiator is openness. As Trace Ridpath (Optiv) noted, “Trust is built when providers are transparent, not when they hide behind acronyms.”
The practical tip? Start with a RACI chart inside your own organization. When you know who’s Responsible, Accountable, Consulted, and Informed, the CRM conversation with partners becomes sharper, faster, and more productive.
Day 2’s message: procurement is not a transaction — it’s a partnership. Contracts aren’t just paperwork; they’re security frameworks in disguise.
Oversight and Partnerships That Last
The final day looked at oversight and partnership — the long game of cloud security.
Keynote speakers Pete Dudek (A-LIGN) and Alex Whitworth (Carahsoft) described how automation and AI are reshaping compliance. Instead of waiting for static reports, agencies are moving toward continuous validation, with frameworks harmonizing across jurisdictions. “Oversight only works if providers actually walk the talk — not just document it,” Dudek noted.
The closing panel reminded us that beyond tools and automation, security is still about people. “The ‘inefficient but highly effective’ conversations are how we move to a more secure future,” said Emily Larimer (State of Indiana). Dan Frei (Utah) added: “We need to invite providers to the table as partners, not adversaries.”
Their point: partnerships are strengthened when conversations are frequent, transparent, and human — even if they take time.
Looking Ahead
Across three days, the Learning Series traced the evolution of shared responsibility:
- Day 1: Shared responsibility clarifies roles.
- Day 2: Smarter procurement embeds accountability.
- Day 3: Oversight and partnerships strengthen resilience.
The common thread? Cloud security depends less on checklists and more on shared understanding, steady communication, and trusted partnerships.
But as GovRAMP Executive Director Leah McGrath reflected: “The Summit is where ideas turn into action. This series was just the beginning.”
We invite you to continue the conversation at the GovRAMP Cyber Summit, October 2–3, 2025 in Chicago, registration closes September 26, 2025.
Catch up on the full Learning Series recordings here and share them with your teams.