
Agencies must set rules around cloud vendors' access to data, report says

The federal government is behind many states and businesses in its adoption of cloud computing, but it is on track to be one of the largest purchasers of cloud storage and could have an outsized effect on what commerce looks like in the still-developing industry, a primer on best practices for government cloud contracts argues.

Contracting officers should insist, for example, that agreements with cloud providers include specific penalties such as a fine or service credit if any terms of the agreement aren't met, according to the document, "Creating Effective Cloud Computing Contracts for the Federal Government," which was released Friday.

Cloud contracts should be a collaborative project among acquisition officers, chief information officers and general counsels, the report said. They also should clearly define how much access cloud vendors will have to government data and the standards they will be expected to meet when dealing with that data, the report said.

The report was a joint project of the federal Chief Information Officers Council and the Chief Acquisition Officers Council.

Computer clouds essentially are large banks of ultramodern off-site servers that can pack information more efficiently than traditional in-house servers. Government customers can buy space in private sector computer clouds run by Microsoft, Amazon and other companies, much as they purchase other services or utilities -- paying only for the space they use. They also have begun storing data and programs in private government-only clouds, which can pack data more efficiently than traditional data centers.

The government initiated a cloud-first policy for new IT purchases in late 2010 and plans to move one-fourth of its $80 billion annual IT budget to the cloud by 2015, which officials say will save about $5 billion annually.

Officials have been slow to migrate sensitive government programs to the cloud, partly because of delays in implementing cloud security standards outlined in the Federal Risk and Authorization Management Program, or FedRAMP, which is slated to go live in June.

Agencies have moved several large programs, such as email, calendars and public-facing websites, to the cloud.

They have been slower, though, to open up standard IT requests for proposals to cloud providers, Teresa Carlson, vice president of the global public sector at Amazon, a major public cloud provider, told Nextgov on Wednesday. Often, for instance, RFPs will require specific hardware, which typically puts cloud providers out of the running, she said.

As the cloud becomes more prevalent in government, Carlson said she expects RFPs will focus less on how new IT systems should look and more on what an agency expects it to accomplish.

"It's not that they're not making them cloud-friendly," she said. "It's just automatic. It's how they've always done things. Part of this really is educating the acquisition officials jointly with the people who have applications that run in the cloud."
