State Department’s Holistic Approach to Cloud Security

This blog post is an excerpt from GovLoop’s recent guide, Mapping Government’s Journey to the Cloud: 8 Success Stories. The guide includes interviews with federal, state and local officials who have overcome common barriers to cloud adoption, including procurement and security. Download the full guide here to get their insights and tips for success. 

It’s well known that becoming a Foreign Service officer for the State Department can take a person on the journey of a lifetime. From serving in Nigeria to Thailand to Colombia and beyond, Foreign Service officers work to promote peace, support prosperity and protect American citizens while advancing U.S. interests abroad.

But there’s a different kind of journey that the State Department has been on, and it’s equally important — the journey of successfully adopting and deploying cloud computing technology departmentwide, and doing so securely.

Cloud computing plays a major role at the State Department when it comes to enabling and empowering frontline diplomats to carry out their roles and responsibilities.

Minh-Hai Tran-Lam, Acting Deputy CIO for Business Management and Planning at the department, knows this well. She recently helped update State’s cloud computing policy and stand up a Cloud Computing Governance Board.

The goal of the board is to streamline cloud adoption across the department by instituting a single authority for evaluating cloud services.

Putting together a board and a guidance policy on cloud computing for the department that provides transparent communication, methodologies and assistance on how to adopt cloud and meet all of the federal cloud requirements, in addition to addressing what the users need on the front end, hasn’t been an easy journey. But it’s been an important one.

“Our goal is to actually provide a one-stop shop to give guidance for anyone in the department who’s interested in using the cloud,” Tran-Lam said. “We want to help them go through the process, so that they’re not being left alone when they say, ‘Hey I want to go to the cloud. What do I do?’ It’s all set up from a procurement standpoint, from a user-friendly security standpoint and a business requirement standpoint.”

The Cloud Computing Governance Board was created toward the end of 2015, and the department is now working on putting the right people in place to run it — and making sure they’re not just folks from the IT department.

“We’re making sure to have a mix of people on the board,” Tran-Lam said. “We’ve got the business partners we have in the department, our cybersecurity partners, our procurement partners, our secretary’s office. There are also our public diplomacy counterparts and the regional bureaus. We’re looking at cloud use in the State Department from a holistic standpoint, not just an IT perspective.”

That said, Tran-Lam said the board often gets questions about security and the cloud.

“The requests may differ between a very simple request just asking about the process, or it may be a more robust one where the person in question doesn’t really know what the security requirements are. And so the requests actually span from the most simple request to the most complex request about security,” she said.

Another common question for the board concerns FedRAMP, the governmentwide program that provides a standardized approach to security assessment and authorization for cloud products.

“We often get asked about FedRAMP,” Tran-Lam said. “This is a shared responsibility between the cloud service provider and the customer. Just because a service is FedRAMP-certified, that does not mean the entire security responsibility resides with the service provider.”

There is a collaborative partnership among the Information Assurance Directorate, Bureau of Diplomatic Security and Privacy Office to help customers through the process.

Tran-Lam admits that although worthwhile, supporting and running the Cloud Computing Governance Board can be difficult.

“You’re going to get all sorts of different questions,” she said. “But we do have the IT expertise, and the understanding of all different aspects of cloud, from a security standpoint to a technological standpoint. We have to share the knowledge.

“If you’re committed and you over-communicate and you help the customer get what they need, I think everyone will be more likely to adopt cloud computing services,” Tran-Lam said.

All photos licensed for use under Creative Commons 2.0.
Photo credit: U.S. Department of State
