This post is part of GovLoop’s ongoing blog series around one of our latest resources, Navigating the Digital Government Roadmap. In the guide, the most pressing technology trends are identified. The guide is intended to provide a broad spectrum of government technology. Our blog series will dive deeper into each section, so be sure to jump in with your experiences, and take a look at the guide. Also, be sure to check out our infographic: The Digital Government Strategy Timeline.
Cloud computing continues to be one of the key trends in government. Since 2009, President Obama’s Administration has been encouraging federal agencies to adopt cloud technologies through the Federal Government’s Cloud Computing Initiative. With this initiative, the Obama Administration hopes that by leveraging cloud computing, agencies can work to reduce waste, increase efficiency, and cut costs for the federal government. With the adoption of cloud computing, government at all levels has found new efficiencies.
Ajay Budhraja, CTO at a US Government Agency, recently wrote on GovLoop:
Cloud has dramatically changed how we think about and utilize services. Cloud facilitates rapid deployments due to quick availability of scalable services. It provides the high service velocity to manage changes incrementally and less time for provisioning storage and applications. Cloud can enhance productivity by providing the infrastructure or application platforms and related tools to respond to customer needs faster, giving organizations an edge over others that have not assessed such mechanisms. In addition, the on-demand capabilities can lead to efficient utilization of resources. I have seen applications that traditionally would take months to deploy being rolled out in several weeks due to the Cloud and new environments being set up very quickly; the key is to carefully assess existing capabilities and focus on service and process integration.
The first step to broader cloud adoption is a general awareness of the available service models and of which one fits your needs as an agency. Cloud computing offers three service models: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS). The GAO report provides a concise description of the three service models, supplied to GAO by NIST:
- Infrastructure as a service—the service provider delivers and manages the basic computing infrastructure of servers, software, storage, and network equipment upon which a platform (i.e., operating system and programming tools and services) to develop and execute applications can be developed by the consumer.
- Platform as a service—the service provider delivers and manages the underlying infrastructure (i.e., servers, software, storage, and network equipment), as well as the platform (i.e., operating system, and programming tools and services) upon which the consumer can create applications using programming tools supported by the service provider or other sources.
- Software as a service—the service provider delivers one or more applications and the computational resources and underlying infrastructure to run them for use on demand as a turnkey service.
The GAO report provides a good summary of the background of cloud computing in government and the current challenges faced by agencies. The report also tracks seven agencies' compliance with the “Cloud First” strategy. It lists the following seven challenges and provides a chart showing each agency's progress:
- Meeting Federal Security Requirements
- Obtaining guidance
- Acquiring knowledge and expertise
- Certifying and accrediting vendors
- Ensuring data portability and interoperability
- Overcoming cultural barriers
- Procuring services on a consumption (on-demand) basis
With the implementation of the Federal Risk and Authorization Management Program (FedRAMP), government will hopefully continue to embrace cloud adoption, and the program should remove some of the common challenges government employees face when adopting cloud technology. FedRAMP is a governmentwide program that helps agencies implement cloud-based technology. At its core, FedRAMP gives government officials a standardized approach to the security assessment, authorization and continuous monitoring of cloud-based services.
With the implementation of FedRAMP, governmentwide acquisition of cloud technology is expected to increase. Under FedRAMP, cloud service providers must have a third party verify that they meet baseline security requirements. FedRAMP is an extension of the Obama Administration’s “Cloud First” strategy, detailed in the memorandum released on December 8th, 2011.
FedRAMP.gov states the following program goals:
- Accelerate the adoption of secure cloud solutions through reuse of assessments and authorizations
- Increase confidence in security of cloud solutions
- Achieve consistent security authorizations using a baseline set of agreed upon standards to be used for Cloud product approval in or outside of FedRAMP
- Ensure consistent application of existing security practices
- Increase confidence in security assessments
- Increase automation and near real-time data for continuous monitoring
FedRAMP.gov states the following program benefits:
- Increases re-use of existing security assessments across agencies
- Saves significant cost, time and resources – “do once, use many times”
- Improves real-time security visibility
- Provides a uniform approach to risk-based management
- Enhances transparency between government and cloud service providers (CSPs)
- Improves the trustworthiness, reliability, consistency, and quality of the Federal security authorization process
Cloud computing, in tandem with other technologies like mobile devices, is a game-changer for government. The promise of cutting costs and working through fiscal austerity appeals to everyone in government. The cloud is part of the solution: leveraging cloud technology can help agencies cut costs, increase productivity and support cross-agency collaboration. With positive findings from the GAO report and case studies throughout government, cloud technology is so far living up to its promises and still holds a lot of potential for government agencies.
The Navigating the Digital Government Roadmap guide is available to view or download. Be sure to also visit the guide's homepage for more blog posts and tech-related resources. With questions about the guide, please feel free to email me at [email protected]. Thanks!
This page is brought to you by the GovLoop Technology Solutions Council. The mission of this council is to provide you with information and resources to help improve government. Visit the GovLoop Technology Solutions Council to learn more.
Can FedRAMP be used to certify software solutions that are implemented on-premise? I really hope that FedRAMP gains traction. Do we know how well it’s doing?
Hello,
Although I am confident that NIST provided GAO with the full definition of the final standardized model for Cloud Computing, I thought it might be useful for GovLoop readers and contributors to see the real, full definition and content of the NIST cloud computing model. Knowing them very well gives the reader a good theoretical baseline for understanding, first of all, the GAO report.
1).-The NIST Special Publication SP 800-145 – “The NIST Definition of Cloud Computing”, Final Version-September 2011 (7 pages) clearly states on page 2 the NIST definition of cloud computing: “This cloud model is composed of five essential characteristics, three service models, and four deployment models“. So, for a truly holistic view of the NIST cloud computing model it is necessary to provide, apart from the three briefly mentioned service models (SaaS, PaaS, IaaS), the five essential characteristics (On-demand self-service, Broad network access, Resource pooling, Rapid elasticity, Measured service) and the four deployment models (Private cloud, Community cloud, Public cloud, Hybrid cloud).
When we speak about possible Federal Government/Agency deployment models combined with the three service models and the five essential characteristics, we should very carefully take into account the possible combinations of these vectors, knowing what the real targets/goals are.
Actually, it is about applying one or more of the deployment models for Government/Agency-wide deployment purposes in the medium-to-long term, or as a federal strategic planning initiative for cloud computing.
2).-Details for the cloud computing initiatives and implementation purposes are provided in the related standard document NIST SP 800-146 – “Cloud Computing Synopsis and Recommendations”, Final Version May 2012 (81 pages).
As a practical example, for the Government consumer it might be useful to consult also the document “Cloud SLA Considerations for the Government Consumer” issued by MITRE Corp. in 2010 (http://www.mitre.org/work/tech_papers/2010/10_2902/ ).
I recommend reading the mentioned GAO report and the Federal Risk and Authorization Management Program (FedRAMP) in the light of the two mentioned NIST standards and the “Federal Cloud Computing Strategy”-February 2011, downloadable from:
http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
http://www.nist.gov/manuscript-publication-search.cfm?pub_id=911075
http://www.cio.gov/documents/federal-cloud-computing-strategy.pdf
Sincerely,
Mihail
Hi Mihail – thanks so much for sharing all the valuable information on cloud computing and NIST, great content for the GovLoop community to take a look at. Thanks again!
Hey Chris – I’ll see if I can track down some of those questions for you, maybe someone else in the community knows as well, would be interesting to find out.
Hello,
I am trying to give some direction on Chris's question. I hope it is useful for understanding the FedRAMP certification processes.
I).-NIST SP 800-145 states on page 3, related to deployment models, that: Private cloud may exist on or off premises; Community cloud may exist on or off premises; Public cloud exists on the premises of the cloud provider; the Hybrid cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability.
In this way the certification process for SW solutions implemented on premises should be performed taking into account the standardized components of the NIST cloud model, including, apart from the kind of premises (on/off), which in our case is “on”, the following attributes: the deployment model used (one of the four mentioned above by NIST), the service model implemented (SaaS, PaaS, IaaS) and the essential characteristics (On-demand self-service, Broad network access, Resource pooling, Rapid elasticity, Measured service).
Cloud Service Providers (CSP) for SW solutions, both commercial and government, on or off premises, should take into account the FedRAMP Requirements for such certification processes. Three main considerations follow below.
1.-As it is stated on its site (http://www.gsa.gov/portal/category/102995 ), FedRAMP is a government-wide, standardized approach to security assessments and ongoing assessments and authorizations (continuous monitoring). Under the Federal Information Security Management Act (FISMA), Federal agencies must authorize IT service at the agency level. Through OMB policy, Federal agencies must use FedRAMP when authorizing cloud services. FedRAMP has three process areas that allow agencies to authorize cloud services for use:
SECURITY ASSESSMENT. The security assessment process uses a standardized set of requirements in accordance with FISMA using a baseline set of NIST 800-53 controls to grant security authorizations.
LEVERAGING AN AUTHORIZATION. Federal agencies can view security authorization packages in the FedRAMP repository and leverage the security authorization packages to grant a security authorization at their own agency.
ONGOING ASSESSMENT & AUTHORIZATION. Once an authorization is granted, ongoing assessment and authorization activities must be completed in order to maintain the security authorization.
2.-The Cloud Service Providers (CSP), both commercial and government, may apply directly for FedRAMP authorizations. (http://www.gsa.gov/portal/category/102383 ). FedRAMP will review authorizations (both from CSPs and agencies) in accordance with a priority queue determined by the FedRAMP Joint Authorization Board (JAB). Cloud Service Providers wishing to provide cloud services to Federal agencies must (http://www.gsa.gov/portal/content/133503 ):
3.-How the FedRAMP operations mentioned above are performed is described in detail in the document “Concept of Operations (CONOPS)”, Version 1.1, June 04,2012 (http://www.gsa.gov/graphics/staffoffices/CONOPS_V1.1_07162012_508.pdf ). Among others, it mentions that: “FISMA requires Federal agencies to accept the risk and authorize cloud systems at the agency level. Accordingly, the FedRAMP Policy Memo requires Federal agencies to use FedRAMP when assessing, authorizing, and continuously monitoring cloud services in order to aid agencies in this process as well as save government resources and eliminate duplicative efforts. FedRAMP is implemented in a phased approach starting with an initial operating capability, growing into sustaining operations” (pages 14-15).
II).-Three of the most recent papers published on the Web related to the ways in which FedRAMP started for certification purposes are:
a).- http://gcn.com/articles/2012/06/05/fedramp-goes-operational.aspx (however, this article from June 2012 says that: ” As federal agencies started to implement cloud technology, officials discovered that agency requirements and approaches to certification were inconsistent, …, D.C. FedRAMP will not only bring consistency to the process but give cloud vendors a standard way of providing services to the government…”)
b).- https://cloudcomputing.sys-con.com/node/2291073
c).- http://www.nextgov.com/cloud-computing/2012/03/cloud-computings-success-hinges-on-rapid-certification/50743/
III).-A major CSP deeply involved in cloud computing processes, technologies, and SW applications, Oracle, presents in its white paper ” Oracle’s Cloud Solutions for Public Sector”, March 2012, (http://www.oracle.com/us/industries/public-sector/cloud-solutions-public-sector-wp-323002.pdf ) how they use the NIST cloud model for different on-premises deployment models (document pages 7, 11, 13-14, and 28).
IV).-A wonderful and very interesting presentation of some of the concepts from the above Oracle document was given during the Webinar “Your Data Center Blueprint” held by GovLoop on August 23, 2012 (Steve Ressler).
V).-The last revision (# 4) of the above mentioned NIST SP 800-53 “INFORMATION SECURITY” is downloadable from: http://csrc.nist.gov/publications/drafts/800-53-rev4/sp800-53-rev4-ipd.pdf
While revision 3 is final, the new revision 4 of SP 800-53, dated 2012, is still a draft.
Sincerely,
Mihail