WASHINGTON -- Amid mounting budget pressures and a maturing set of technologies, the federal government is poised for the rapid adoption of cloud computing services over the next several years, according to one of the senior agency leaders helping craft a government-wide cloud strategy.
While federal tech chiefs have long envisioned an environment in which agency storage and applications are hosted and shared throughout the government, the policy reforms required for such a shift, though still very much a work in progress, have recently come into focus and figure to precipitate a major migration to the cloud over the next several years, said David McClure, the associate administrator of the General Services Administration's Office Citizen Services and Innovative Technologies.
Perfect Storm Clouds
"We've been trying with this on and off for the last couple decades," McClure said in remarks here at the Software and Information Industry Association's annual Cloud/Gov conference.
"I think we now have a perfect storm. We have a budget crisis, a new wave of technology that's actually entered in [to the government]. We have a new generation of CIO and IT leadership in the federal government that I think is very open to this kind of environment," he said.
McClure is one of the driving forces behind FedRAMP, the federal government's program to develop a uniform framework for federal cloud solutions, spanning the security, assessment, privacy and procurement considerations of the new deployments. FedRAMP, with its "do once, use many times" mantra, is currently in the prelaunch phase, with the initial, "phased rollout" scheduled to begin in June.
"We have to do it in stages and we have to test this as we go," he said. "We will use some of the initial time to kick the tires."
Several government bodies in addition to GSA are collaborating to develop the FedRAMP program, including the Departments of Defense and Homeland Security, the CIO Council and the National Institute of Standards and Technologies (NIST).
McClure explained that developing a common set of controls for cloud services across the departments and agencies is FedRAMP's most immediate priority, though the leaders of the initiative are not seeking to rewrite the security standards stipulated by NIST and the Federal Information Security Management Act (FISMA). Instead, the FedRAMP program aims to rectify the current situation McClure described that has seen each agency contort those standards to suit its own ends, achieving compliance while falling short of the spirit of the common IT security framework that NIST and FISMA attempted to create.
The FedRAMP initiative follows the Obama administration's "cloud first" edict that directed federal IT purchases to prioritize cloud services as they entered new procurement cycles. The push to migrate to the cloud comes in concert with an ambitious effort to consolidate federal data centers, shrinking the government's IT capital and operating expenses while at the same time seeking to make the technology apparatus more environmentally friendly.
Controls Under the Watchful Eye of Homeland Security
Beyond a uniform set of controls, the FedRAMP program will also seek to establish a select group of third-party assessment organizations that, with federal government accreditation in hand, will be the designated evaluators of cloud solutions slated for government deployment. Once in place, the cloud systems deployed under the FedRAMP blueprint will be subject to continuous monitoring by the Department of Homeland Security.
McClure acknowledged that federal CIOs face numerous obstacles in implementing cloud services, many of which are common to the private sector, including the legal, compliance and privacy concerns that have attended (and sometimes slowed) the adoption of the new technologies.
But many observers have noted that too often government agencies are pervaded by an IT culture that seems allergic to risk, a recipe for preserving the status quo. Count McClure among those observers.
"Whenever you do something that is against the current strain of thinking or against the current way of doing business, you're automatically swimming up stream. Does it mean that we shouldn't do it? Absolutely not," he said. "There are significant challenges that CIOs, IT professionals, even businesses executives have to make ... when it comes to cloud services."
A shift to cloud computing throughout the federal government necessarily entails collaboration with the private sector. McClure acknowledged that federal clients have unique and typically more rigid criteria that they require private sector cloud providers to meet. Infrastructure providers seeking to do business with the government will typically be expected to include disaster recovery and continuous operating assurances, and to submit to testing to prove the reliability of those systems. As a result of those agreements, McClure said, federal agencies typically experience only minimal disruption when a high-profile cloud vendor such as Amazon suffers a period of sustained downtime.
"If you compare government requirement to commercial requirements, you'll find the government requirements not only different, but very challenging," he said.
At the same time, he acknowledged that the government's embrace of cloud services is situational, and will vary widely from one agency to the next. Many have already embraced cloud-based email systems, including GSA, which is implementing Google's Gmail. Other common cloud applications already in place include Web hosting, public-facing websites, and collaboration and development functions. But within the government's sprawling IT apparatus, the most likely homes for cloud solutions will be what McClure called "low and moderate risk scenarios."
On the private sector side, SIIA, the host of Thursday's conference, took the occasion to launch a new forum for IT providers looking to do business with the government, the so-called Public Sector Innovation Group.
"There's a lot of interaction that needs to happen," said SIIA President Ken Wasch, adding that the new forum will be "focused solely on the issue of government procurement."
Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com.