Even as federal agencies have been warming to the opportunities that commercial cloud service providers can offer, the transition is gradual, as government IT officials continue to express concerns about service agreements and turning over sensitive applications to outside vendors.
Throughout the contracting process, officials stress the importance of developing trust between the agency and the service provider, urging contractors to tailor SLAs to address security concerns, worries about vendor lock-in and clearly defined roles and responsibilities.
"Transparency is key," Melinda Rogers, CISO at the Department of Justice, said recently at a panel discussion hosted by Federal News Radio. "Transparency on service, transparency on cost."
FedRAMP Certification is First Step in Government Cloud Conversation
The government's move to the cloud has been hastened to some degree by the implementation of the Federal Risk and Authorization Management Program (FedRAMP), a standardized, government-wide security review and authorization process for private-sector cloud offerings, one that federal officials say has become essential for vendors to win contracts.
"That's your baseline. That's kind of your price of entry," says Gary Barlet, CIO at the U.S. Postal Service's Office of Inspector General.
"The very first question you ask is ... [vendors] must be FedRAMP certified -- are you, yes or no? If the answer's no, you're done. It's one of those deals where if you don't pass a minimum price of entry, there's no reason to continue to have a conversation about it," Barlet says.
The idea of a common certification that is recognized across the government offers vendors a single development template -- albeit a rigorous one -- to replace the patchwork of department and agency standards that have bedeviled federal IT contractors for years.
Cloud vendors, however, have still been able to submit their products for an agency-specific review, or to go through the more exhaustive evaluation of the Joint Authorization Board, or JAB, which, if successful, confers a certification to operate across the government.
"It's a very taxing process," Mark Williams, CSO at Microsoft's federal division, says of the JAB review.
Not only do vendors have to pass their products through that stringent review process and furnish volumes of documentation, there is also something of a logjam in the review process, according to Williams. So Microsoft, like other cloud service providers, has been winning gradual approval for its offerings, but the FedRAMP review boards have unable to keep up with the volume of products vendors have been submitting for approval.
"Our services are slowly getting through, but not at the rate we need," he says.
But even once a commercial cloud product passes through that review process, vendors may still face skeptical government buyers. For all the inter-agency work in developing FedRAMP as a common security standard, many officials still remain on edge about the various cloud models, and insist that some sensitive applications will remain on-premises or hosted in a government cloud.
Sign up for CIO Asia eNewsletters.