How secure is the cloud? Well, two of the federal agencies with the most sensitive information to store and protect think it’s secure enough for them.
The CIOs of the CIA and Department of Homeland Security have embraced cloud migrations at their agencies. Yet some in the government say moving to the cloud is still hindered by cultural resistance inside agencies, despite the best efforts of the General Services Administration’s Federal Risk and Authorization Management Program to speed up authorizations of cloud service providers.
Security Benefits of Cloud Migration
Thanks to the cloud, the CIA has been able to develop, test and share secure code more easily than in the past, CIO John Edwards said last month at the FedTalks 2016 conference, FedScoop reported. Edwards said that the CIA’s cloud partner meets the agency’s high bar for security.
Meanwhile, DHS CIO Luke McCormack, who also spoke at FedTalks 2016, said that it has now become “mission essential” to deploy scalable software amid an atmosphere of heightened cybersecurity threats and quickly evolving cyberattacks.
“We are building in a fraction of the time and a fraction of the cost with cloud computing,” he said. DHS plans to “aggressively” deploy hybrid cloud environments in the next year as the agency adopts new commercial cloud services approved by FedRAMP. In June, GSA released the high baseline requirements for FedRAMP, which added 100 security controls on top of the program’s moderate impact level, making it more likely that agencies will be able to use cloud services to handle more secure and sensitive information.
How Fast Can Agencies Move to the Cloud?
Although the government has embraced a cloud-first policy, many agencies still face technical and bureaucratic issues in adopting cloud services.
“You can't say ‘cloud-first’ with no way to procure it,” Tony Summerlin, senior strategic adviser to the CIO of the Federal Communications Commission, said at the ImmixGroup Government Sales Summit, according to FCW.
Summerlin argued that it is very difficult to buy Software as a Service cloud services through GSA. Agencies need to be able to quickly purchase secure and effective cloud technology if they want to migrate away from on-premises environments, he added. “Discipline and speed are key. You have to move rapidly or the goblins will eat you,” he said.
FedRAMP has taken steps to speed up the authorization process for cloud service providers. In September, the agency approved the first CSP as part of the FedRAMP Accelerated program. Microsoft Dynamics Customer Relationship Manager Online received approval to operate in the government in just under four months, compared with two years under the last authorization. Yet Summerlin said the process is still not fast enough.
Claudio Belloli, FedRAMP's program manager for cybersecurity at GSA's Technology Transformation Service, told FCW that the agency has made progress on streamlining the approval process. He also pointed to the increasing number of cloud providers and Authorities to Operate, as well as 2017 goals to grant provisional ATOs in an average of under six months.
In a Nov. 7 blog post, FedRAMP Director Matt Goodrich laid out plans for “FedRAMP Tailored,” an effort to speed up approvals for low-impact SaaS offerings, instead of taking a one-size-fits-all approach.