Nov 04 2011
Data Center

Agencies Must Analyze Their Cloud Computing Mission to Meet Fed Requirements

Cloud computing can help agencies achieve their missions, but both government and industry must collaborate to meet federal privacy and security needs.
by

Vance Hitch, who retired as the Justice Department CIO in July, helped establish and co-chaired the CIO Council's Information Security and Identity Management Committee.

Each agency will apply cloud computing a little differently because of varying mission requirements and changes over time. But that doesn't mean there aren't best practices that can be applied even while cloud services are in their infancy at many agencies.

Cloud computing has the potential to provide reliable, secure and cost-effective IT services, giving CIOs additional options to employ technology to support their agencies' missions.

There are challenges. Among the biggest in the next five years will be refreshing outdated computer infrastructures in many agencies. Budgets are stressed like never before. That should give agencies further incentive to take advantage of the economies of scale that cloud serv­ice models provide.

Cloud computing can help by reducing the technical risk of implementing new infrastructure and providing a fast and agile solution to agencies' IT service needs. The cloud is also a natural partner to mobile computing, which continues to play a growing role in our private lives, in industry and in government.

Analyze the Mission: Requirements and Challenges

CIOs must understand their agencies' missions and how cloud computing can help support those missions. To fully realize the ultimate goal of providing better service at a lower cost, agencies need to transition from their role as direct providers to managers of services through judicious use of contractor-provided cloud services.

Agencies will implement different service models (software as a service, platform as a service and infrastructure as a service) and deployment models (private cloud, community cloud, public cloud and hybrid cloud) to meet their individual requirements, including their differing tolerances for risk.

Federal requirements when migrating systems and services to the cloud are different from those of industry. The government has to meet personnel security, legal and privacy requirements that industry isn't bound by. It has needs beyond the commercial market because of the trust the American people put in the government and the government's obligations to the public to protect their information and ensure the continued operation of its systems.

Cloud represents a shift from physical to logical control of data. But the physical location of data dictates its sovereignty — whose laws and policies apply to that data, to the data owner and to the vendor operating the system. Data sovereignty issues present a number of unknowns that will have to be addressed (see sidebar).

Share the Load: A Contract Game Plan

Cloud providers must address the concerns of the federal community. They need to understand the high service-level requirements and the relatively low risk tolerance for many programs. Agencies' IT teams will need to spell out these requirements in contract deliverables. Contracts and service-level agreements should have detailed performance levels and penalties for not meeting those levels. Agencies should request that providers prove that they can meet those requirements.

Not all government requirements are unique. Many are similar enough to industry standards that agencies and cloud providers can flesh out "commodity" items that the government can use without modification. Federal organizations with unique requirements should be addressed separately. Commodity-based services will drive down costs, reduce risk and speed delivery of services.

Rely on Available Help: FedRAMP and Other Guidance

CIOs and chief information security officers have resources to help them maintain security as they move to cloud computing. The Federal Risk and Authorization Management Program, initiated by former federal CIO Vivek Kundra and launching now or in the near future, is an innovative program to develop trust relationships between agencies and cloud providers.


Illustration: Elizabeth Hinshaw
"Use pilots to help evaluate design. …
Prove it, then improve it."

— Vance Hitch

FedRAMP will establish standard security and privacy requirements for cloud services. It provides for independent, third-party assessments of controls that a joint authorization board will use to provide an initial authorization. The goal is to create an "approve once and use often" system that agencies and vendors can use to avoid duplication of effort, thereby lowering costs and saving time.

In addition, the CIO Council's Information Security and Identity Management Committee developed "Guidelines for Secure Use of Cloud Computing by Federal Departments and Agencies." This document helps program managers create a strong, secure business case for embracing the cloud computing capability that coincides with their level of acceptable risk.

Additionally, the National Institute of Standards and Technology has crafted its Cloud Computing Standards Roadmap, which includes several practical tips and other guidance for agencies. NIST also is posting business cases that agencies can use to help fine-tune their own plans. There's no need to start from scratch; agencies and bureaus should simply borrow what works for their requirements.

Get Buy-In: The Awareness Campaign

One of the lessons learned from working on big projects at the Justice Department was the importance of getting sponsorship from the stakeholders. CIOs must ensure that stakeholders and senior management understand the benefits to both end users and the mission. Agencies need to set standards, establish priorities and provide strong project management to successfully develop cloud projects.

For more information, please see the CDW•G Cloud Computing Reference Guide at cdwg.com/cloudguide.

An incremental approach to rolling systems to the cloud is critical too. With IT, a CIO won't really know for sure if a system works until it's operational. If you don't have operational successes early, users won't understand and won't support what you are trying to accomplish.

To that end, use pilots to help evaluate design. It is difficult for most people to understand what IT capabilities exist and how they can be used to support the agency mission until they sit down and use an actual live system. Their understanding of requirements also changes as they use a system. Prove it, then improve it.

The cloud can offer the early deliverables needed to do this. The system development approach identified by Kundra that breaks large, multiyear software development projects into six-month delivery cycles can help agencies focus their efforts.

A Cloudy View:

Federal Data Sovereignty Issues that Must Be Resolved for Cloud Applications

  • Compliance with local laws, including privacy laws, that may differ from U.S. laws
  • Enforceability of U.S. laws
  • Ability to conduct continuous monitoring
  • Implementing effective incident detection, response and recovery activities
  • Conducting independent audits of systems, as required under the Federal Information Security Management Act
  • Ability to determine whether individuals occupying positions of responsibility are trustworthy, as required by FISMA
  • Creation, protection and access to system audit logs needed to enable security monitoring, analysis, investigation and reporting of unlawful, unauthorized or inappropriate IT system activity
<p>Photo: Erik Von Weber/Getty Images</p>

More On

Related Articles

Close

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT

Subscribe Now