Federal government’s ‘Cloud First’ - FedRAMP brings security to the cloud
According to IDC, the federal government will spend $118.3 million on public cloud solutions in FY14, and more than $1.7 billion on private cloud solutions. The private cloud expenditure is slightly lower than it was in FY13, while the public cloud figure reflects an increase of about 33 percent. Looking ahead a few years, however, private cloud expenditures are expected to grow dramatically, reaching $7.7 billion by FY17.
The increase in cloud usage is prompted in large part by a policy change that began in the federal government several years ago. At the end of 2010, the Office of Management and Budget established the “Cloud First” policy as part of an IT reform plan unveiled by then federal government CIO Vivek Kundra.
The plan was designed to modernize federal IT systems on a number of fronts, including reducing the number of data centers and fixing or eliminating unsuccessful IT projects. As with the use of cloud technology in the private sector, the goal of transitioning to the cloud was to reduce costs and increase efficiency, agility and innovation.
Each agency was required to identify, within three months, three services that could be moved to the cloud, to move one of them to the cloud within a year and to move the other two within 18 months. Given the technological and administrative challenges involved, it is not surprising that many agencies fell short.
In a well-publicized report issued by the Government Business Council and Accenture in December 2013, only 30 percent of the federal executives surveyed indicated that they had cloud plans underway. A much smaller percentage of respondents had actually transitioned any of their applications to the cloud.
Other milestones, including the June 5, 2014, deadline for agencies to certify their cloud systems with the Federal Risk and Authorization Management Program (FedRAMP), also proved difficult to meet. Yet some agencies were successful, and those agencies that were able to launch cloud services are being rewarded with lower costs and new capabilities.
Numerous agencies—including the departments of Agriculture, Health and Human Services, Homeland Security, State and Treasury, as well as the General Services Administration—successfully met the initial requirement for identifying and deploying three cloud services. Among the other organizations reaping benefits from the use of cloud services are the following:
- In 2011, the National Oceanic and Atmospheric Administration (NOAA) consolidated 19 different e-mail systems to Google Apps, a public cloud service. The new service provides a global directory and collaboration tools such as instant messaging, video chat and document sharing. NOAA reports saving $11.5 million in one-time replacement costs and $500,000 per year in operations costs.
- In 2013, the Environmental Protection Agency (EPA) migrated to Microsoft Office 365, the cloud version of Microsoft’s productivity suite. In addition to fostering collaboration, the shift to the cloud is expected to save the agency $12 million over four years.
- In September 2013, the first Secretary of the Navy (SECNAV) portal hosted in a commercial cloud environment was launched. Amazon Web Services (AWS) hosts the site, which is part of the SECNAV Public Portal Initiative to establish a unified Web presence.
“Many instances of the use of cloud services can be found throughout the federal government,” says Maria Roat, director of FedRAMP at the GSA. “However, the transition requires a culture shift in both operations and in the consumption model.”
FedRAMP defines and implements the process for transitioning to the cloud. “FedRAMP creates a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services,” Roat explains.
Two types of FedRAMP approval are available. One is through the Joint Authorization Board (JAB), which is the primary governance and decision-making body for the FedRAMP program. JAB provides Provisional Authorization to Operate (P-ATO) for cloud solutions, and approves accreditation criteria for third-party assessment organizations (3PAOs). JAB approvals can be used throughout the federal government. Companies can also seek agency-sponsored FedRAMP approvals, which are only valid for that agency.
The role of the 3PAOs is to verify that the cloud service meets the management controls and security standards required by federal agencies. Those organizations must themselves be approved by the federal government to conduct assessments. JAB or agency representatives review the cloud service provider’s authorization package after verification by the 3PAO, and then make a decision about whether the cloud system meets federal government requirements. Whether the vendor has worked through JAB or the agency, the authorizing official in the agency makes the final decision about granting the cloud provider authority to operate (ATO).
A visit to the FedRAMP site shows that a total of 14 cloud service providers have obtained JAB P-ATOs, including Akamai, CGI Federal and Hewlett-Packard. Eight are offering infrastructure as a service (IaaS) products, two are offering software as a service (SaaS) and two are offering platform as a service (PaaS) cloud projects. Five have received agency FedRAMP authorizations, including Amazon Web Services and Salesforce.com; three have IaaS offerings; one has a SaaS offering; and one offers both SaaS and PaaS services. Another 15 vendors are seeking JAB approval, and more than a dozen are seeking agency approval.
Obstacles to transition
In the Government Business Council/Accenture report, the largest single concern expressed by respondents related to security. As compliance with FedRAMP continues to take root, that unease may diminish, but it remains a concern in the government sector as it does in the private sector.
Another challenge is staffing. Only a third of the executives felt certain that their agency had the staff necessary to execute a transition to the cloud. Half were not sure if the length of the procurement process was having an impact on cloud adoption, but the majority of those who did know felt that it was having an adverse effect.