Clearing FISMA's C&A is a good start for Google, but individual agencies have their own C&A processes. FISMA certification may shorten the time to move a cloud service into production, but it doesn't eliminate the red tape of separate C&A audits. FISMA C&A is a step in the right direction, but we're unlikely to see a flood of agencies sign-up for Google's services based merely on GSA's stamp of approval. Instead of public cloud services, agencies are turning to data center consolidation, in the form of the private cloud projects and working to adopt elements of the public cloud models that help reduce costs and increase the overall efficiency of their IT systems. In the same survey, when respondents were asked which characteristics of a private cloud are most important, 78% pointed to "highly secure." Control was also an underlying theme, as we found agencies unwilling to relinquish the control they have within their own data centers. With such a focus on security, it was interesting to see thousands of sensitive documents pertaining to the war in Afghanistan released on Wikileaks.org. This security breech wasn't the result of someone hacking into a cloud server, but of one person providing them to another. It underscores the point that human error, misconduct, and cyber attacks sometimes occur and can cause damage to our ability to contain information. So cloud security isn't just a function of technology, and fears over cloud security shouldn't be overblown.
While many agencies are at the beginning stages of creating cloud environments in their data centers, they need to get serious about reducing costs and achieving efficiencies. Those efforts will free resources to focus on other challenges, including security and innovative options to deal with threats.
FISMA C&A is a step in the right direction for Google, but we're unlikely to see a flood of agencies sign-up for Google's services based merely on GSA's stamp of approval. The challenge for many agencies is how to get started in building private clouds. InformationWeek Analytics' four-part series of reports on private clouds in government was designed to help with that. In the last report in our series, "Cloud Implementer's Checklist," we provide a "to do" list to help with the move from planning private clouds to actual deployment. We explore hardware and software requirements, as well as the policy and security issues that must be taken into account in the move to created shared IT services environments using the cloud model.
You can download our reports (registration required) here:
Once your agency has completed the business case for deploying a private cloud, how do you actually move ahead with your data center transformation? In this InformationWeek Government Webcast, we'll explore steps to get you there. It happens Aug. 11. Register now.