White House set to complete security standards for cloud computing services next year

Federal CIO Vivek Kundra says administration will wrap up talks with industry in January, and finalize guidance for government within six months.

The Obama administration expects to finalize a one-size-fits-all set of security standards for cloud computing services within six months, after wrapping up talks with industry in mid-January 2011, federal Chief Information Officer Vivek Kundra said on Thursday.

Cloud computing is the practice of subscribing, as needed, to hardware and software from companies that host the equipment online, instead of buying and maintaining information technology in-house. The administration wants to transition most departmental IT to the cloud during the next decade to save money, reduce the number of energy-consuming federal data centers, and gain pricing and operational flexibility.

But the biggest hang-up is security. To minimize the risk of data loss and hacking in the shared, online cloud, the General Services Administration on Nov. 2 proposed standard security protocols that vendors would have to follow. This assessment process, known as FedRAMP, is designed to speed deployments governmentwide by allowing departments to skip redundant security approvals for products other agencies already use.

"I've actually extended the time for industry to comment to Jan. 17 [from Dec. 3]," Kundra said at a Thursday breakfast that Nextgov's sister publication Government Executive hosted. "The reason is that this is so important. . . . It's our opportunity to get this right once and for all when it comes to cybersecurity."

GSA on Wednesday became the first agency to ship its e-mail to the cloud, under a $6.7 million task order with Google, in partnership with Unisys, Tempus Nova and Acumen Solutions, that is estimated to cut costs in half during the next five years. Within 18 months, Kundra said he intends to challenge companies to offer cloud-based financial management systems and other back-office support services.

"It's much better to provision IT, where you're turning on services" than it is to undertake multiyear IT development projects, he said. In April, the Health and Human Services Department turned to the cloud for help in rolling out digital health records at providers' offices. HHS is trying to reduce overhead on customer relationship maintenance and on health IT project management, with online software hosted by Salesforce.com. "The mission of NIH is not to be an IT department," Kundra noted.

The federal government also is exploring other cloud models, such as government-owned and operated environments similar to Nebula, a system NASA built to more easily exchange massive data files with research partners and the public. Kundra said another long-term plan is to foster regional clouds for state and local services so that the federal government is not funding 50 different state Medicare IT systems and 50 transportation systems.

Defaulting to Web-based IT for new procurements is one of several IT contracting reforms that the administration announced Nov. 19 and will detail further on Dec. 9. The new strategy to simplify the way the government buys $80 billion worth of IT annually focuses on, among other things, cloud computing, the creation of a team of professional program managers, a shorter IT budget cycle and seeking help from vendors before the bidding process.

IT development at agencies often is plagued by million-dollar cost overruns, multiyear delays and performance failures. "A big part of the reason that we haven't seen great execution when it comes to these projects is that there are structural barriers," Kundra said. "It doesn't make sense when you have a budgeting procurement cycle that takes two years just to get a project started."

The Office of Management and Budget wants to synchronize system rollouts with the congressional budget cycle by asking lawmakers for general-purpose IT funding. The idea is that, with lump-sum appropriations for IT, chief information officers could pursue smaller projects without committing to particular complex, multiyear modernizations that often fall short of expectations.

"I've been spending a lot of time on the Hill," Kundra said. "Ideally we would want to be able to do it horizontally across the government, but given how appropriations work, we'll have to work committee by committee" to appeal to appropriators that oversee individual agency purse strings.

Progress on the program management front could take less time. "Within the first six months, we actually want to set up this career path," by cooperating closely with the Office of Personnel Management, he said.

In addition, Kundra and other administration leaders are ramping up a campaign to dispel the myth that agency decision-makers and contract contenders are prohibited from communicating until awards are announced. "Unfortunately, the notion that's been propagated is you can't talk to industry, or you'll go to jail," he said, whereas the reality is that collaborating prior to a request for proposals can generate more practical project designs. For the stimulus-tracking website Recovery.gov, "we created a national dialogue and said, 'This is a national problem we're trying to solve: What are the best ideas out there?' . . . They ended up creating a much better RFP," he added.
