U.S. government agencies have been busy exploring ways to meet the goals set out by the cloud-first initiative, which is designed to accelerate cloud adoption among government agencies. Although the General Services Administration was meant to act as a guide for these organizations, the GSA's sluggish response time has caused many agencies to turn elsewhere, according to Federal Times columnist Nicole Johnson.
Johnson referenced the Consumer Financial Protection Bureau, the Energy Department’s Lawrence Berkeley National Laboratory and the Departments of Agriculture and Interior specifically, as these agencies have all independently contracted with service providers. In addition to meeting cloud-first objectives, the agencies predict millions of dollars in yearly budget savings. However, the GSA's slowness has led to concerns regarding the effectiveness of its own cloud initiatives.
FedRAMP certification delays
The GSA has also been slow to certify third-party providers via FedRAMP, which is designed to streamline the contract process for government agencies. In theory, the initiative would allow vendors to apply for certification to work with agencies across the government. However, Johnson reported that only five of the 12 vendors under the GSA's Infrastructure-as-a-Service contract have been awarded Authority to Operate (ATO). This distinction certifies that a vendor's platform meets federal requirements regarding data security.
Johnson also highlighted issues with the GSA's general cloud contract. In addition to security concerns, the GSA's provisions may not allow organizations to achieve the best value for third-party services. For example, a GSA audit found a 55 percent price difference between two vendors that performed identical work.
Cloud security concerns
While the federal government has become more accepting of cloud initiatives, traditional barriers to adoption still exist. Challenges regarding cloud security were recently highlighted by Government Computer News columnist William Jackson. Referencing a report from the National Security Telecommunications Advisory Committee, Jackson said it is generally safe to migrate resources and operational process to the cloud, but there are some key factors to consider.
In addition to the cloud security guidelines mandated by FedRAMP, vendors must also comply with Federal Information Security Management Act (FISMA) regulations. The primary challenge, according to Jackson, is that the initiative is relatively new and exact expectations have yet to be defined. The need for vendors to meet strict cloud security guidelines makes solutions such as identity and access management even more important. And, although traditional login options aren't expected to vanish, two-factor authentication can provide an additional barrier between cybercriminals and highly sensitive government data.
Cloud Security News from SimplySecurity.com by Trend Micro