Security remains the biggest hurdle for agencies moving operations to the cloud, federal IT officials say

The greatest hurdle to moving vital government data and programs into the cloud is federal executives' confidence in outside security systems, a panel of federal information technology leaders said Wednesday.

One big component of producing that confidence level is getting the Federal Risk and Authorization Management Program, or FedRAMP, up and running, they said.

Agency technology executives spoke at a conference sponsored by TechAmerica, an industry group.

FedRAMP is aimed at creating a standardized governmentwide review of private sector information technology so individual companies' offerings won't have to be reviewed and approved by dozens of different departments and agencies.

The program was unveiled in November, but immediately ran into trouble when technology companies complained the one-size-fits-all requirements didn't jibe with the diversity of programs in the federal government.

The Obama administration has said it will consider relaxing the requirements and expects to get the program up and running this summer.

"If you want to get it right, FedRAMP matters," said Mark Day, chief technology officer at the Housing and Urban Development Department. "We're looking to [the General Services Administration, which oversees FedRAMP] to give us a lot of help in this area."

Even with the FedRAMP process in place, the panelists said, there's a natural aversion to handing over sensitive data to an outside agency whose security you can never guarantee as well as your own.

"The same things we're doing for ourselves, that's what we'd want as we look at opportunities to move more than our public facing [services, such as Web pages]," State Department Chief Information Officer Susan Swart said. "We're just taking a very conservative look. Until we feel comfortable that we can get that level of security, [perhaps] by adding on to what FedRAMP provides, we won't be moving."

The panelists agreed, saying they'd prefer to move most services to a federal-only cloud for security reasons, but even that requires a change of culture.

"There's a comfort zone issue we have to address," Day said. "Private and public might better be viewed as ours and shared. If you want to talk about the culture issue, no matter where you sit, if I share with someone else who's bigger than me, there's a discomfort there, because I've lost some control."

The Obama administration's 25-point plan to reform federal IT management, published in December 2010, calls on departments and agencies to make the cloud their first storage option for new programs and to identify several programs currently stored in data centers for transition to the cloud.

Federal CIO Vivek Kundra has said transitioning large amounts of federal data to the cloud could save the government millions of dollars. Computing clouds are essentially large networks of servers. Users can take as much space from them as they need and pay only for what they use, which may vary from month to month.

The conference panelists also praised TechStat, a series of face-to-face question-and-answer sessions Kundra launched in early 2010, during which IT project and program managers must either justify cost overruns and missed deadlines or their projects will be canceled or redesigned.

As a result of the rigors imposed by the TechStat process, HUD's IT leaders have pared down the number of major projects they attempt at one time from more than 30 to around seven, Day said.

Most agencies also have launched internal versions of the TechStat process and the rigors of knowing they'll have to justify their programs to senior management has imposed more discipline on project managers, the panelists said.

One audience member, who said she was with the contractor MSB Associates, asked whether the government would make TechStat transcripts and other information available to industry so the private sector could learn from government mistakes.

Agriculture Department CIO Chris Smith said some of that information is available through the federal Chief Information Officers Council's best practices information page. But that page, so far, includes only a handful of project summaries, typically fewer than 10 pages in length.

This story has been updated to correct the name of the Agriculture Department's chief information officer.