How Agencies Are Becoming Their Own Cloud Providers

Move over, Amazon Web Services, Lockheed Martin and other commercial cloud service providers. The Agriculture Department's National IT Center (NITC) wants a piece of the federal cloud business too. Last summer, NITC became the first federal cloud provider to be certified by the Federal Risk and Authorization Management Program (FedRAMP) to provide cloud services to other federal agencies. And it won't be the last.

In fact, several federal agencies have developed private cloud-based services and begun offering them to government customers. Many federal agencies prefer a private cloud model for the security, privacy and control advantages it offers. But rather than build their own or rely on a commercial provider to host their private cloud, some are choosing a third option: use another agency's private cloud, such as NITC's.

"The cost factor is very compelling. With the pressure on our ever-reduced budgets, we as a government have to look at options like sharing cloud services," says James Steven, NITC's director and acting associate CIO of data center operations.

Shared cloud services address two prominent federal government initiatives: Cloud First, which requires agencies to prioritize cloud services, and the Federal IT Shared Services Strategy, which aims to reduce duplication and waste and save money by encouraging agencies to share IT services.

"This is an area where we are seeing some overlap," says Deltek senior analyst Kyra Fussell, who focuses on the federal government. "There is a lot of motivation to use shared services wherever possible and provide standardized or common IT solutions for business systems to lower costs."

Learning How to Share

The federal government makes shared services available in two ways: An agency either builds enterprise services for its internal organizations or offers them to outside agencies. The USDA's NITC does both.

Launched in 1962, NITC initially provided data center services to only USDA agencies. But in 1988, it began offering managed hosting services to other federal customers. In 2009, NITC launched privately hosted Infrastructure as a Service (IaaS), such as virtual servers, storage and data backup and archiving; and Platform as a Service, including web content management and application and portal server platforms. NITC standardizes on VMware virtualization software and provides virtual servers running Linux, Windows, Solaris and AIX operating systems.

For the USDA, shared cloud services means shared savings. NITC doesn't receive any funds from Congress; its operating budget comes from its customers. And as its customer base grows, it creates operational efficiencies and lowers costs, which it passes on to its clients, Steven says.

"We want to attract additional business because it drives economies of scale and lowers our rates across the board for our customers," says Steven, who also plans to market NITC's cloud services to state and local governments. "In the end, USDA agencies all benefit by us growing our business."

Since 2009, for example, customer growth has allowed NITC to lower the price of virtual servers by 30 percent and cloud storage by 35 percent.

Today, NITC's cloud customers include nearly every USDA agency and office, plus a growing list of federal agencies, including the Homeland Security and Labor departments, as well as the Federal Aviation Administration. The Defense Department has used the NITC cloud for several one-off applications, Steven says.

The NITC pursued FedRAMP certification — proving that it meets baseline cloud security requirements — so it could market its wares to other federal agencies. The government is requiring that all cloud services used by agencies meet FedRAMP requirements by June 2014. Steven doesn't consider commercial cloud providers to be direct competitors because of NITC's niche client base.Nevertheless, he believes he provides competitive offerings at competitive prices. He also believes NITC has a competitive edge because it's a federal agency.

"We provide a level of comfort because we're also federal. There's that level of trust," he says. Not only does NITC understand intimately the needs of other federal agencies, but it's easier to purchase NITC's services because the contracting process is more streamlined than going through a commercial provider, Steven says.

NITC's cloud is also unique because it's gone beyond the FedRAMP moderate security control baseline and implemented the Federal Information Security Management Act (FISMA) high security controls for its IaaS offerings. Several agencies use applications that require the higher security level.

In general, for shared cloud services to work, agencies must sign not only contracts that detail financial terms, but also service-level agreements (SLAs) spelling out everything from security policies to communication protocols, should any problems arise. NITC's cloud works the same way. NITC signs an Interagency Memorandum of Understanding with each client, which details service targets. It promises 99.99 percent availability and provides customers with a 24/7 service desk. Contracts are for one year and require a 60-day notice to terminate services.

To ensure good customer service, each customer is assigned an account manager, whose primary role is to negotiate agreements, discuss clients' future requirements and help troubleshoot when necessary, Steven says. It's also important for IT security personnel from both agencies to hash out policies. The USDA Risk Management Framework is based on the FISMA requirements of the National Institute of Standards and Technology (NIST). But every agency operates differently, so it's important to work through those issues, Steven says.

Widening Adoption

At the Defense Information Systems Agency (DISA), providing cloud email services got off to a rocky start. The agency began rolling out its cloud-based Microsoft Exchange email system to the Army in early 2011. The project endured delays and user complaints, but DISA completed its deployment to 1.62 million Army users in August 2013. The rollout has been so successful that Defense Department CIO Teri Takai has mandated its use by all military services and agencies.

In December, DISA migrated the Pentagon and Air Force headquarters and will be transitioning the rest of the Air Force to its email cloud soon. Others, including the Navy and Marine Corps, must migrate by 2015.

The Army estimates it saved $76 million in the first year by moving its email system to DISA's cloud, and expects a total savings of $380 million over five years. "It allows organizations to move capabilities to a shared-service provider and reallocate their internal resources to their mission," says John Hale, DISA's chief of enterprise applications.

The solution is cost-effective, in part because of the standardized way DISA deployed the email system, which it calls Department of Defense Enterprise Email. It's a private cloud, built with commercial, commodity-based equipment, Hale says.

DISA uses a preconfigured set of servers, storage hardware, databases and load balancers that fit in two or three racks and provide email services for 125,000 users. The agency refers to these preconfigured systems as "pods" and has installed 14 worldwide for unclassified email and nine for classified email.

Getting started in sharing private-cloud services isn't always easy, DISA's John Hale says, but the rewards are worth it.
Photo by Brad Howell

For its part, DISA doesn't own the equipment but relies on third-partycontractors who are responsible for servers, storage and the networking equipment. DISA, however, configures and manages the email system, Hale says.

"We don't deploy individual servers and storage. If we reach a point where we need to support more users and add more capacity, we will drop in another pod," Hale says. "Our cookie-cutter approach allows us to keep costs down. Every pod looks the same as every other pod."

Standardization makes it easy for administrators to manage the email system. DISA employs only 15 email administrators per eight-hour shift, Hale says.

DISA and its military customers sign SLAs, which detail the services DISA will provide and the metrics it is obligated to meet, such as 99.9 percent availability and no email outage that lasts longer than seven minutes, Hale says. "Since going live, we've maintained 99.997 percent uptime. We've been exceeding expectations from day one," he says.

DISA has been approached by non-DOD agencies about using its cloud email service, but no decisions have been made. That said, DISA has shared with agencies how it built its email cloud so they can duplicate its efforts, Hale says.

Central Credentials

The U.S. Postal Service (USPS) will soon pilot a cloud-based federal identity management system. Called the Federal Cloud Credential Exchange (FCCX), the system would create one central ID management system that agencies could use to authenticate users from trusted third-party credential providers. Citizens benefit because they can access online services from multiple agencies, without multiple usernames and passwords. Agencies benefit because they don't have to build their own separate ID management systems, which saves money.

"It was daunting for individual agencies to handle, so we came up with the idea of creating a shared service — or broker — to do this," says Naomi Lefkovitz, a NIST senior privacy policy adviser, who helped lead the FCCX effort.

The USPS will serve as the broker, sitting between different credential providers and federal agencies. "In essence, what the broker does is pretty much what a mail carrier does," Lefkovitz says. "They transfer a message from the credential service provider to the agency that these people are who they say they are."

One of the advantages of creating FCCX as a shared cloud service is scalability, Lefkovitz says. "If there's a surge in demand, such as tax time for the IRS, you can expand and contract resources as needed."

The pilot, which will run for a year, will engage a small population of citizens and include three to six agencies, including the Veterans Affairs Department. The pilot will not only serve to test system security, but will also gauge whether citizens and agencies find it useful, Lefkovitz says.

Chances are, they will. DISA's Hale says that overall, sharing private-cloud services is a good solution for the federal government.

"For agencies, the hardest part is taking the first step. They are giving up control to get better functionality and cost-effectiveness," he says. "But once organizations go down that road, the benefits they garner are huge."