A positive outlook is enveloping cloud computing. Not only has GSA awarded 11 contracts for infrastructure as a service (IaaS), but other companies are jumping in with cloud services of their own. For the GSA offering, the real strength lies in the fact that GSA will complete certification and accreditation (C&A) under Federal Information Security Management Act guidelines on each vendor. Note that the C&A will be at the “moderate impact data” level, meaning these services are not suitable for classified or secret information. But once the C&A is completed for a given vendor, all agencies will be free to use its services.
In theory, at least. In reality, CIOs run into opposition from contracting officers and general counsels, who often insist on the agency doing its own C&A. Or CIOs themselves find that the costs of keeping things in-house are lower than the cost of the cloud services. So many variables affect IT costs that it’s impossible to predict which will be the most efficient vehicle for a given application.
Still, the GSA offerings, which will be at its apps.gov site, include some heavy hitters, albeit some through small prime contractors. Apptis, for example, is leading for Amazon Web Services. Microsoft also has a small business partner, Savvis. On the other hand, Verizon Federal is coming in on its own with managed hosting services. Verizon has been pushing the idea that with mobile devices, storage in the cloud is more secure than on the device.
Now IBM has launched the Federal Community Cloud, which the company says is currently obtaining FedRAMP certification under the Office of Management and Budget’s plan to pre-certify clouds for use governmentwide. (With its C&A process, GSA is like a FedRAMP contractor to OMB.) IBM U.S. Federal’s chief technology officer, David McQueeney, told me the Federal Community Cloud already has two undisclosed federal customers, and that the facilities are built and ready to go pending the certification. Like the GSA offerings, the Federal Community Cloud will be accredited to the medium level. McQueeney also said IBM has an agreement with the Air Force to develop a cloud that is trustworthy enough for sensitive data.
For FISMA and NIST certification, not any old cloud will do. Federal cloud facilities must be physically isolated — under lock and key — from commercial ones and have separate network connections. Commercial and federal can live in the same building, though. IBM’s data centers for government are located in Boulder, Colo.; Raleigh, N.C., and Rocket Center, W. Va., according to McQueeney.
Some cloud efforts are taking a little longer. For example, GSA has delayed awarding a contract for e-mail cloud services, which would be its first software as a service (SaaS) offering.
As these services come onto the market, there is no shortage of guidance. Two worthwhile items:
The National Archives and Records Administration back in September issued a bulletin for cloud-based records management. It discusses issues such as whether cloud environments can implement records disposition schedules.
And a recent report from the Brookings Institution’s Technology Innovation center delves into the privacy and security implications of cloud computing. Among the findings is what the authors Allan A. Friedman and Darrell M. West call the principal-agent problem: basically, can you fully trust the provider to act in your best interest at all times? In acknowledging the distributed nature of data centers, the report calls out the “useful fiction that data’s location is irrelevant to the platform” when legal jurisdictional questions arise.
All in all, worthwhile reading before heading into the cloud.