recommended reading

Security remains the biggest hurdle for agencies moving operations to the cloud, federal IT officials say

The greatest hurdle to moving vital government data and programs into the cloud is federal executives' confidence in outside security systems, a panel of federal information technology leaders said Wednesday.

One big component of producing that confidence level is getting the Federal Risk and Authorization Management Program, or FedRAMP, up and running, they said.

Agency technology executives spoke at a conference sponsored by TechAmerica, an industry group.

FedRAMP is aimed at creating a standardized governmentwide review of private sector information technology so individual companies' offerings won't have to be reviewed and approved by dozens of different departments and agencies.

The program was unveiled in November, but immediately ran into trouble when technology companies complained the one-size-fits-all requirements didn't jibe with the diversity of programs in the federal government.

The Obama administration has said it will consider relaxing the requirements and expects to get the program up and running this summer.

"If you want to get it right, FedRAMP matters," said Mark Day, chief technology officer at the Housing and Urban Development Department. "We're looking to [the General Services Administration, which oversees FedRAMP] to give us a lot of help in this area."

Even with the FedRAMP process in place, the panelists said, there's a natural aversion to handing over sensitive data to an outside agency whose security you can never guarantee as well as your own.

"The same things we're doing for ourselves, that's what we'd want as we look at opportunities to move more than our public facing [services, such as Web pages]," State Department Chief Information Officer Susan Swart said. "We're just taking a very conservative look. Until we feel comfortable that we can get that level of security, [perhaps] by adding on to what FedRAMP provides, we won't be moving."

The panelists agreed, saying they'd prefer to move most services to a federal-only cloud for security reasons, but even that requires a change of culture.

"There's a comfort zone issue we have to address," Day said. "Private and public might better be viewed as ours and shared. If you want to talk about the culture issue, no matter where you sit, if I share with someone else who's bigger than me, there's a discomfort there, because I've lost some control."

The Obama administration's 25-point plan to reform federal IT management, published in December 2010, calls on departments and agencies to make the cloud their first storage option for new programs and to identify several programs currently stored in data centers for transition to the cloud.

Federal CIO Vivek Kundra has said transitioning large amounts of federal data to the cloud could save the government millions of dollars. Computing clouds are essentially large networks of servers. Users can take as much space from them as they need and pay only for what they use, which may vary from month to month.

The conference panelists also praised TechStat, a series of face-to-face question-and-answer sessions Kundra launched in early 2010, during which IT project and program managers must either justify cost overruns and missed deadlines or their projects will be canceled or redesigned.

As a result of the rigors imposed by the TechStat process, HUD's IT leaders have pared down the number of major projects they attempt at one time from more than 30 to around seven, Day said.

Most agencies also have launched internal versions of the TechStat process and the rigors of knowing they'll have to justify their programs to senior management has imposed more discipline on project managers, the panelists said.

One audience member, who said she was with the contractor MSB Associates, asked whether the government would make TechStat transcripts and other information available to industry so the private sector could learn from government mistakes.

Agriculture Department CIO Chris Smith said some of that information is available through the federal Chief Information Officers Council's best practices information page. But that page, so far, includes only a handful of project summaries, typically fewer than 10 pages in length.

This story has been updated to correct the name of the Agriculture Department's chief information officer.

Threatwatch Alert

Credential-stealing malware / User accounts compromised / Software vulnerability

Android Malware Infects More than 1M Phones, Adds 13,000 Devices a Day

See threatwatch report


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

  • PIV- I And Multifactor Authentication: The Best Defense for Federal Government Contractors

    This white paper explores NIST SP 800-171 and why compliance is critical to federal government contractors, especially those that work with the Department of Defense, as well as how leveraging PIV-I credentialing with multifactor authentication can be used as a defense against cyberattacks

  • Toward A More Innovative Government

    This research study aims to understand how state and local leaders regard their agency’s innovation efforts and what they are doing to overcome the challenges they face in successfully implementing these efforts.

  • From Volume to Value: UK’s NHS Digital Provides U.S. Healthcare Agencies A Roadmap For Value-Based Payment Models

    The U.S. healthcare industry is rapidly moving away from traditional fee-for-service models and towards value-based purchasing that reimburses physicians for quality of care in place of frequency of care.

  • GBC Flash Poll: Is Your Agency Safe?

    Federal leaders weigh in on the state of information security

  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.


When you download a report, your information may be shared with the underwriters of that document.