For half a decade, the federal government has operated under a policy to prioritize cloud computing as agency CIOs embark on new technology initiatives, but in such a vast and varied IT environment, it has not been a quick transition.

Five years into the so-called cloud-first policy, federal CIOs say they continue to struggle with procurement and management challenges, while security concerns about the safeguards around sensitive data still linger.

Marlon Andrews, deputy CIO at the National Archives and Records Administration, described some of those obstacles during a recent panel discussion hosted by Federal News Radio.

"The greatest challenge is not getting a contract in place, but what you find out is where those boundaries cross of who's now responsible, because you're in a different infrastructure set-up, and what the cloud provider's going to do versus the contract staff, versus the application support staff, versus the infrastructure staff," Andrews says. "So, the greatest challenge we're having now is defining roles and responsibilities and who's going to do what, because the world as we've known it has changed, and we've been client-server for so many years that this is truly a different environment for us."

Andrews recalls a recent meeting concerning the role of a cloud vendor and a somewhat tense discussion about "what does the word 'manage' mean in a cloud environment," who has ownership over the systems, and who bears responsibility for resolving the inevitable problems when they arise.

"Those are our challenges -- not so much writing a contract, but once a contract's in place, how do we move forward in a support model that satisfies the requirements," he explains. "It is laid out in service-level agreements, but then when something goes wrong or you need something done, that's when the finger-pointing takes place."

The devil is in the details when it comes to cloud contracts

For cloud service providers, getting those issues hammered out from the beginning -- and coming to a mutual understanding with the customer -- is just good business, according to Rob Davies, executive vice president of operations at ViON Corporation, a cloud vendor that serves clients in the federal government.

"I think you have to specify those in your contract from the outset," Davies says. "The devil is in those details. And I think when you're negotiating the contract and those SLAs, it's important to define what your expectations are -- for both parties."

Of course, part of any sensible cloud strategy for a government agency involves an understanding that not every application will be a good fit for a cloud environment.

Mark Schwartz, CIO at the U.S. Citizenship and Immigration Services, says that his agency is pursuing what might be thought of as a cloud-native approach in determining which applications belong in the cloud and how to handle the transition.

"We are aggressively trying to move as much as we can to the cloud, with a caveat, which is that we don't want to move things to the cloud unless we can engineer them for the cloud," Schwartz says. "We don't want to just lift and shift what we have. There are ways of designing software for the cloud that really take advantage of what the cloud offers and make things perform well."

At the Food and Drug Administration, CIO Todd Simpson has helped set up a "cloud advisory board" that helps determine which applications belong in the cloud and aids in managing that transition.

Security concerns persist

Simpson points out that security considerations remain a top concern for IT decision-makers in the government, in part because the consequences of a data breach can be severe. "Security is probably the one thing that could get me fired," he says, only half joking.

However, Simpson touts the standardized FedRAMP review process as an effective mechanism for evaluating the security posture of the applications and services that cloud vendors are peddling to the government. FedRAMP isn't the last word on security, he acknowledges, but the vetting process is sufficiently rigorous that agency leaders can look to the vendors that have won the so-called authorization to operate with a fair degree of confidence.

"There's always going to be a security discussion," Simpson says. "I believe the cloud vendors are good at security, and I believe that when they pass the FedRAMP authorization gauntlet, they've proven themselves and there's a good pathway for CIOs to evaluate them as alternatives for doing business with."