Shows & Panels
- AFCEA Answers
- Ask the CIO
- The Big Data Dilemma
- Carrying On with Continuity of Operations
- Connected Government
- Constituent Servicing
- Continuous Monitoring: Tools and Techniques for Trustworthy Government IT
- The Cyber Imperative
- Cyber Solutions for 2013 and Beyond
- Expert Voices
- Federal Executive Forum
- Federal IT Challenge
- Federal Tech Talk
- Mission-critical Apps in the Cloud
- The Path from Legacy Systems
- The Real Deal on Digital Government
- The Reality of Continuous Monitoring... Is Your Agency Secure?
- Veterans in Private Sector: Making the Transition
Shows & Panels
As agencies come to terms with cloud security, another barrier emerges
Thursday - 3/7/2013, 5:24am EST
But as initiatives such as the Federal Risk Authorization Management Program (FedRAMP) reduce the anxiety over how to secure cloud services, a new, and much bigger, barrier is starting to emerge: culture.
Richard Spires, the Homeland Security Department's chief information officer and vice chairman of the CIO Council, said cloud is changing the way IT, acquisition and program management employees do their jobs, and that makes them uncomfortable.
"People get [cloud computing] intellectually, but because they are used to what they are doing, it's a really big shift to work in this different model, especially for people in the IT department," Spires said recently at a Homeland Security and Defense Business Council event on cloud computing. "We are shifting out the whole infrastructure, their old style and way of working with the infrastructure provider. That's hard, and we recognize it's hard. So it's about bringing people a long and showing successes and building on that."
Budget pressures culture change
Spires said agencies are making some progress in changing the culture, but he worries whether it is at a quick enough pace.
Richard Spires, chief information officer, DHS
Those declining budgets also may act as just the forcing factor to change the culture.
Spires and Kevin Deeley, the deputy CIO at the Justice Department, also pointed to the cost savings and efficiency possibilities of cloud that could help make the culture change easier.
DHS stood up 11 different cloud based services, and lowered the cost of an email box per user by half. Spires said DHS is taking the money it's saving and reinvesting it into new mission critical technologies.
Spires said cloud brings standardization and scale to the commodity side of the infrastructure and that will free up money for other things, which becomes especially important during these times of budget decreases.
Deeley said at Justice, the culture change is just beginning with the more than 40 different components, all with their own IT shops which manage their infrastructure.
"To bring them along and moving to more commodity based services and gaining those efficiencies, it would be helpful if cloud providers looked at different ways of pricing and challenges associated with buying it by the drink, eventually, and getting the economy of scale across the agency," he said. "Today, to work through those policy issues, those culture boundaries, those security challenges that we all suffer from, moving through that has to be a learning curve on both sides."
Creating trust happening slowly
FedRAMP is supposed to be one main way to lower the boundaries, create efficiencies and trust in cloud services.
The General Services Administration, the Defense Department and DHS run the Joint Authorization Board (JAB), which provides initial approval to companies for meeting the FedRAMP cybersecurity standards for low and moderate systems under the Federal Information Security Management Act (FISMA).
So far, the JAB has approved two cloud service providers and more than 70 are in the queue.
But even with this industry acceptance, agencies have a long way to go to use FedRAMP.
Mark Ryland, chief solutions architect, Amazon Web Services' World Wide Public Team
Amazon Web Services was one of 12 vendors to have gone through the pre-FedRAMP certification under the infrastructure-as-a-service blanket purchase agreement GSA awarded in 2010.
Ryland said Amazon understands the complexities and rigorous standards required under FedRAMP. For instance, he said Amazon had to add two-factor authentication to its routers. He said no one had to do that before, but because FedRAMP required it, now they did.
But a third party certification and approval from the JAB may not be enough to get agencies to change their culture and trust the FedRAMP process.
Spires said he recognizes why some agencies are hesitant, but strongly encourages CIOs, chief information security officers and others to get past it.
"I understand there may be some things around the edges they want to tweak and maybe that's fair. But for the most part, they have to accept for the FISMA low and the FISMA moderate what has been done by the cloud service providers to meet that mark and then move on," he said. "If they do that, we will have a very successful model. I think that will happen, but it's a very big change management process for the whole CISO and information security community to go through."
Integration into a broader set of cyber initiatives
GSA recently announced it would stop accepting applications for vendors to become third party assessment organizations as of March 25. The agency also issued a request for information in February to update the requirements for third party assessment organizations.
GSA also plans on holding a FedRAMP workshop for agencies on March 18 in Washington to address the benefits of the cloud security program and what agencies need to know to use it.
Along with FedRAMP, the CIO Council and DHS are trying to help move agencies beyond those security concerns.
DHS' National Protections and Programs Directorate (NPPD) is figuring out how cloud fits in with other security initiatives.
"There is a mechanism here at work that is maturing, but still has a ways to go particularly as we move into a continuous monitoring world," Spires said. "Under the federal CIO Council, there is a continuous monitoring working group that is working hard right now with NPPD, and the Cybersecurity and Communications office in particular, regarding continuous monitoring and concept of operations, and how that is really going to work and mature. We still are at the early stages of true continuous monitoring, but many of us certainly feel that is where we need to go."
The White House recently updated its cross agency cybersecurity goals and added cloud to the mix, especially around the Trusted Internet Connections initiative. That should add another step toward acceptance of cloud and its security rules across government.