Federal government’s ‘Cloud First’- FedRAMP brings security to the cloud

Contracting procedures are also in a state of flux. Agencies are accustomed to paying a specified dollar amount for a specified service, and “pay as you go” is not part of that model. “Even though cloud services offer benefits in terms of not having to over-provision, a lot of procurement divisions are still working through it,” says Scott Gaydos, chief technologist for federal healthcare at HP Enterprise Services, U.S. Public Sector.

Selecting a cloud service provider is not a simple process for agencies. “An agency cannot just pick a cloud provider off a list,” Gaydos explains. “The agency must evaluate the options carefully to select the specific service it needs. For example, if an agency is about to stand up a large infrastructure, then IaaS would be a good match. If they are doing application development and testing, they could use PaaS. And if they just need a specific application, SaaS would be a good match. But not every vendor offers every option.”

Finally, even with FedRAMP compliance in place, agencies still must look at their unique needs. FedRAMP requirements are consistent with Federal Information Security Management Act (FISMA) provisions, but the FedRAMP security baseline is set for the FISMA low to moderate levels, and some agencies or applications may require higher levels.

As cloud technology evolves, the standards also change. In June 2014, the FedRAMP Program Management Office published new security control baselines in response to revision 4 of National Institutes of Standards and Technology (NIST) SP 800-53 published in April 2013. The NIST publication provides updated security and privacy controls for federal information systems. Agencies and the cloud service providers that are supporting them will need to keep up to date as requirements evolve.

Cloud First got off to a somewhat uncertain start, but agencies and providers are both making strides in resolving the technical and administrative issues that have arisen. Persistence will pay off in this evolving and expanding market.

Streamlining Microsoft content migration

Moving on-premise information to the cloud is a major production. Metalogix provides a set of tools focused on migrating Microsoft content. “Many agencies start with e-mail or SharePoint content,” says Pat Park, regional VP of Metalogix’s public sector unit. “Metalogix can move SharePoint and Exchange files from on-premise to online for any cloud service provider that has achieved FedRAMP compliance, including Azure, Amazon Web Services, Rackspace and others.”

During the migration, Metalogix can put policies in place and enforce them, making migration faster and more secure. “It’s critical for agencies to be able to collaborate without causing issues down the road on security or having data leave the environment.” Metalogix can move content from SharePoint 2003 through 2013 to Office 365, the cloud version of Microsoft Office. In addition, it can move files from Box, Dropbox and Google drive to Office 365.

Monitoring administrators as well as users is becoming increasingly important. “Just a few administrators are responsible in SharePoint for managing information for thousands of users,” Park explains. “This places a great deal of power in the hands of people who have access to an enormous amount of information, so being able to provide ongoing monitoring and to send alerts if anything suspicious occurs is essential.”