Weekly Update

Cloud’s non-impact on the U.S. Government

Amazon Web Services (AWS) finally received certification under the Federal Risk and Authorization Management Program (FedRAMP). AWS believes this will lower the cost of implementing its cloud services among government organizations and agencies in the U.S. As my colleague Barb Darrow noted, “AWS now has both a FISMA (Federal Information Security Management Act) Moderate and a FedRAMP Moderate ranking. The latter designation means that ‘sensitive data’ can be stored and managed on AWS infrastructure.”

The FedRAMP program is a government-wide initiative that standardizes security assessment, authorization, and monitoring for cloud products and services. AWS has been granted two Agency Authorities to Operate (ATOs) by the U.S. Department of Health and Human Services. In other words, the company has been blessed and should find it easier to enter into deals with the U.S. Government, though it should be noted that they are already doing business there.

One ATO covers the GovCloud “region” of AWS infrastructure, as well as the other regions in the U.S. Using these regions, agencies can leverage Amazon’s EC2 compute cloud, Simple Storage Service (S3), and Elastic Block Store (EBS). They may also use its Virtual Private Cloud (VPC), which allows agencies to create an isolated section of Amazon’s cloud where they can launch resources in a virtual network that they define.

Despite the activity since 2008, and even a 2012 “cloud-first” mandate from the Office of Management and Budget (OMB), the U.S. government has been slow to take up cloud computing, all things considered. The massive number of systems operated by the government has led to a data center construction boom over the last 20 years. Both a new consolidation policy and recent cloud computing mandates were designed to push the government in more efficient directions. However, for the most part, the same behaviors of build, deploy, and operate locally still persist within government agencies.

In 2012, the agencies made some progress toward complying with the policy, which is one part of OMB’s 25-point IT management reform plan. Under this policy, seven agencies had a deadline of moving three IT services or applications to the cloud. Five agencies met the deadline.

However, of 20 migration plans provided to the OMB, only one was complete in 2012. More disturbing, 11 plans did not include performance objectives, and cost estimates were left out of seven of them.

There are several reasons why the government is not moving to the cloud at a pace most would like to see:

Funding issues. There is little allocation of dollars to hire the right talent to make the larger migrations to the cloud. Most agency CIOs have a huge number of systems in production, and the cost and the disruption of migrating to the cloud is prohibitive.

Dealing with legacy systems. There is no clear guidance around how to retire legacy platforms. Clearly, plans should exist around migration, testing, cutover, and, ultimately, retiring legacy platforms. Among 14 such projects, none specified how legacy systems would be retired, and that means “The End” is missing from the migration plan to cloud-based platforms.

Lack of clarity around security and privacy issues. While there is the FedRAMP program, which provides a stamp of approval on public clouds for government, many federal CIOs find the policies and regulations around security in the public clouds confusing. Missing is a clearly defined set of standards that can be universally applied, along with experts to assist in implementation. FISMA provides some guidance, but many assumptions are being made that are either too restrictive or not restrictive enough.

Those who run IT within government agencies understand that they exist within an overly complex and inefficient IT architecture, and know they should be planning for the use of cloud-based resources. The U.S. Government will only get better at leveraging cloud-based resources when they have mandates with clear paths to funding and guidance.

Much like the establishment of FedRAMP, which provides validation, the government needs a centralized organization that will provide guidance, assistance, and planning services around the use of cloud computing in the government. This will provide much more of a benefit than the cost to the taxpayers, and should push the agencies in the right direction with the assistance that they require.

Overall, the U.S. Government gets a D+ in the movement to the cloud. However, with just a bit of additional work and strategic thinking, they could easily improve that grade.