Feds and Cloud Computing Does not Compute

In 2010, the Office of Management and Budget (OMB) issued the “Cloud First” policy. This policy required federal agencies to use cloud services whenever a secure, reliable, and cost effective option for cloud usage existed. How has the “Cloud First” policy fared since then?

Cloud Market Maturity

According to an article published by www.networkworld.com, part of the problem lies with the inability of cloud providers to meet agency requirements in the areas of policy, legal authority, oversight and security. This is crucial in the area of National Security/Emergency Preparedness, or NS/EP.

The benefits of cloud computing are evident. Use of the cloud can lead to a reduction in IT capital expenses and the ability to scale up to the demands of an increased workload. But when it comes to certain areas, the cloud currently fails. Of primary concern to federal officials is the need for improved mission performance. Agencies need to be assured that resources are available in case of a national emergency and in support of NS/EP functions. There also needs to be a high level of both system and content integrity and confidentiality.

The steps necessary to make the “Cloud First” policy a reality have been clearly outlined. Cloud providers need to develop a way to continuously monitor their cloud infrastructure, have third-party audits, ensure data encryption, and become certified and accredited. Furthermore, accreditation requirements need continuous evolution based upon criteria from the Federal Risk and Authorization Management Program, or FedRAMP.

Is the Cloud First Policy a Pipedream?

In the end, the absence of any kind of standards in the cloud computing industry prohibits the implementation of the “Cloud First” policy. Of primary concern is the availability of the cloud when needed. One way of making this a reality: Spread the workload across several of the available providers. But, currently, a lack of standards keeps this from happening.

The Challenges Ahead

According to the www.networkworld.com article, many challenges remain, including:

  1. Cloud providers must monitor their system in real time.
  2. Current federal guidance remains insufficient, especially in the areas of purchasing commodity IT and evaluating Federal Information Security Management Act security levels.
  3. Agency training is not currently at levels needed to implement cloud solutions.
  4. The ability for certifying and accrediting cloud vendors needs to be established.
  5. Data needs to be transferable across cloud vendors.
  6. The federal agency culture of fear surrounding leaking sensitive information must be overcome.
  7. Budgeting of cloud services is difficult due to fluctuating costs associated with scalable and incremental cloud service procurements.

For more information about Cloud First, visit: http://www.networkworld.com/news/2012/071212-feds-cloud-260847.html?page=1
and
http://www.networkworld.com/news/2012/071112-cloud-computing-challenges-260829.html