Even as federal agencies have been warming to the opportunities that commercial cloud service providers can offer, the transition is gradual, as government IT officials continue to express concerns about service agreements and turning over sensitive applications to outside vendors.
Throughout the contracting process, officials stress the importance of developing trust between the agency and the service provider, urging contractors to tailor SLAs to address security concerns, worries about vendor lock-in and clearly defined roles and responsibilities.
"Transparency is key," Melinda Rogers, CISO at the Department of Justice, said recently at a panel discussion hosted by Federal News Radio. "Transparency on service, transparency on cost."
FedRAMP Certification is First Step in Government Cloud Conversation
The government's move to the cloud has been hastened to some degree by the implementation of the Federal Risk and Authorization Management Program (FedRAMP), a standardized, government-wide security review and authorization process for private-sector cloud offerings, one that federal officials say has become essential for vendors to win contracts.
"That's your baseline. That's kind of your price of entry," says Gary Barlet, CIO at the U.S. Postal Service's Office of Inspector General.
"The very first question you ask is ... [vendors] must be FedRAMP certified -- are you, yes or no? If the answer's no, you're done. It's one of those deals where if you don't pass a minimum price of entry, there's no reason to continue to have a conversation about it," Barlet says.
The idea of a common certification that is recognized across the government offers vendors a single development template -- albeit a rigorous one -- to replace the patchwork of department and agency standards that have bedeviled federal IT contractors for years.
Cloud vendors, however, have still been able to submit their products for an agency-specific review, or to go through the more exhaustive evaluation of the Joint Authorization Board, or JAB, which, if successful, confers a certification to operate across the government.
"It's a very taxing process," Mark Williams, CSO at Microsoft's federal division, says of the JAB review.
Not only do vendors have to pass their products through that stringent review process and furnish volumes of documentation, there is also something of a logjam in the review process, according to Williams. So Microsoft, like other cloud service providers, has been winning gradual approval for its offerings, but the FedRAMP review boards have unable to keep up with the volume of products vendors have been submitting for approval.
"Our services are slowly getting through, but not at the rate we need," he says.
But even once a commercial cloud product passes through that review process, vendors may still face skeptical government buyers. For all the inter-agency work in developing FedRAMP as a common security standard, many officials still remain on edge about the various cloud models, and insist that some sensitive applications will remain on-premises or hosted in a government cloud.
At the Postal Service, for instance, Barlet's team was considering which applications would be good candidates for a cloud migration, and ended up transitioning some processes like the organization's project management software. But the agency's more complex case-management software, it was ultimately decided, was too elaborate and carried too many unique specifications to shift to a third-party provider.
"Because of all the extra requirements, it just seemed a little safer to keep that in-house," Barlet says.
Security Still Chief Impediment to Government Move to Cloud
Security has long been cited as a chief impediment to the government's move to the cloud and its partnership with commercial providers. Much of that comes down to an issue of trust, according to Steve Hernandez, CISO at the Department of Health and Human Services' Office of Inspector General, who urges vendors to be more forthcoming with information about their risks and vulnerabilities in their conversations with government buyers.
"We need to know beforehand what type of risk we're assuming, and to do that we need accurate vulnerability information from these cloud providers," Hernandez says. "What can happen is you can end up being collateral damage because another agency or commercial provider was hit."
Officials have also been slow to warm up to the cloud brokerage initiative that the General Services Administration has been developing, inviting cloud services firms to establish themselves as brokers who would help government agencies purchase and deploy cloud products from other vendors.
At the outset, some officials are wary of that model for introducing added layers of complexity, particularly when federal CIOs already worry about outsourcing critical applications to commercial vendors.
"Maybe at some point we'll get there," Barlet says. "But I don't know if it's going to come any time soon."