The drumbeat around focusing on services and not infrastructure has been getting louder across the agencies, but the big question is around the government's ability to adopt common policies around cloud computing that allow it to take advantage of the platform.
While some technical challenges exist, like the scale of identity and key management and access to broadband connections, especially in rural areas, most of the issues surround common acceptance of security and policies in the cloud.
The workshop focused on two distinct efforts to try and alleviate these challenges. FedRAMP, spearheaded by the federal CIO Council, is a unified government-wide risk management program focused on developing accepted cloud computing environments. Although the goal of FedRAMP is to provide security authorizations and continuous monitoring of shared systems (clouds initially), individual agencies will still be have the authority and responsibility to use systems that meet their specific security needs. So while agencies will be able to save significant time and money by leveraging the FedRAMP authorizations, it will not be a requirement.
FedRAMP will work with a vendor (currently Microsoft and Google are in pilot mode) to evaluate their overall security environment and publish a list of security controls. FedRAMP will likely not meet the goals of all agencies, so moving to cloud will still require some security work. While FedRAMP will be based on the new NIST security framework that included DoD - there still will be some gaps between civilian, DoD and Intel agencies that will not make FedRAMP certification a slam-dunk for vendors. All of the implementation details on how this is funded, who monitors the systems after certification and who executes and enforces FedRAMP are also all TBD.
The other initiative, Acceleration to Jumpstart the Adoption of Cloud Computing SAJACC (pronounced Say - Jack) sponsored by NIST will be examining use cases, specifications and pointers to systems to help promote cloud solutions. The current focus is on IaaS since there are more standards around how to use foundational infrastructure like servers and storage. The big focus for SAJACC is portability, interoperability and security in the cloud. NIST is creating a portal where folks can see how government is using the cloud and work to connect them to solutions. Like FedRAMP, the details still need to be ironed out in terms of commercial software licensing and the process for vendor evaluation; however, they already identified nine systems that will be included in the portal.
The move to cloud will not be easy and it will not be fast for the government. The real test will be if agency leadership can come together and agree on standards. The value of the cloud is the economy of scale and there is no bigger IT consumer than the U.S. federal government. However, to achieve the benefits of cloud computing it requires that the federal government behaves like a unified enterprise, not a collection of departments and agencies with their own policies and procedures - and that is a tall order. While the carrot of cost savings and use cases may be compelling for some, we will likely need a little stick to break down some of the barriers to adoption and realize all of the potential benefits of cloud computing.The Cloud Computing Forum & Workshop works to bring the government closer to adopting common standards