Do agencies know where they're going in the cloud?

As cloud computing steadily gains ground in the federal government, a new survey suggests that many agencies lack proper planning to successfully execute a migration.

The Federal Information Security Initiatives Trend Study by nCircle, an information risk and security performance management solutions firm, surveyed the views of more than 100 federal IT security professionals on cloud and mobility. The study found that an overwhelming majority of agency respondents – 96 percent -- indicated one-third or less of their infrastructure has been outsourced to cloud vendors.

“This suggests we’re at an inflection point with the cloud,” Keren Cummins, nCircle's director of federal markets, told FCW. “There’s been a lot of talk and attention, and I think we’re going to see a lot more of this."

Respondents expressed increasing confidence in the technology and policies that can enable higher risk use of the cloud. More than 30 percent reported they are migrating moderate impact data to the cloud. This finding supports recent buzz that agencies’ cloud use is evolving and there’s a move beyond the low-hanging fruit such as email.

However, the actual cloud planning still lacks key components, Cummins noted.

“Looking at the numbers, it’s very interesting that agencies have cloud policies but when you dig a little deeper and ask about a migration strategy, there’s really isn’t one,” she said.

The survey found that just 13 percent of respondents recognized a role for Federal Risk and Authorization Management Program baseline security controls in driving their migration to the cloud. The program reached initial operating capability in June 2012, and is expected to move to a more sustainable operating level in fiscal year 2014.

More than half of the respondents also had yet to determine how FedRAMP would play a role in their move to the cloud. Cummins said the findings could indicate that agency leaders aren’t familiar enough with the benefits of FedRAMP’s security guidance.

A lack of details about the study methodology makes it difficult to conclude how broadly it pertains to the general population of IT professionals in government, said Julie Anderson, chief operating officer and managing director at Civitas Group. However, she said the information provided in the survey suggested three key points related to the current state of affairs in federal IT:

For one, federal policy and regulation continues to lag behind industry and technology innovations and adoptions of next-generation IT such as cloud computing.  "We continue to see multiple examples of this in many departments since the release of the cloud-first policy by OMB," said Anderson, who formerly served as acting assistant secretary for policy and planning for Veteran Affairs Department.

The study provides additional rationale for the Office of Management and Budget to simplify and streamline its policy directives and regulations around cloud so a comprehensive and approach will come to govern agencies investments and practices.  "For example, OMB could integrate provisions of cloud first, Cloud Strategy of 2011, and 25 Point IT Implementation Plan to help clarify the environment in which departments must comply with requirements," Anderson said.

It also provides further support for the need to invest in skills development among federal IT professionals so they can perform to the best of their abilities as the policies and regulations evolve to keep up with cloud adoption.  "In particular, enhancing knowledge and skills about best practices in IT security, understanding purposes and approaches of federal policies in cloud, identifying patterns in threats and advanced persistent threats, and mitigating security vulnerabilities," Anderson explained.

About the Author

Camille Tuutti is a former FCW staff writer who covered federal oversight and the workforce.

The Fed 100

Save the date for 28th annual Federal 100 Awards Gala.


  • computer network

    How Einstein changes the way government does business

    The Department of Commerce is revising its confidentiality agreement for statistical data survey respondents to reflect the fact that the Department of Homeland Security could see some of that data if it is captured by the Einstein system.

  • Defense Secretary Jim Mattis. Army photo by Monica King. Jan. 26, 2017.

    Mattis mulls consolidation in IT, cyber

    In a Feb. 17 memo, Defense Secretary Jim Mattis told senior leadership to establish teams to look for duplication across the armed services in business operations, including in IT and cybersecurity.

  • Image from

    DHS vague on rules for election aid, say states

    State election officials had more questions than answers after a Department of Homeland Security presentation on the designation of election systems as critical U.S. infrastructure.

  • Org Chart Stock Art - Shutterstock

    How the hiring freeze targets millennials

    The government desperately needs younger talent to replace an aging workforce, and experts say that a freeze on hiring doesn't help.

  • Shutterstock image: healthcare digital interface.

    VA moves ahead with homegrown scheduling IT

    The Department of Veterans Affairs will test an internally developed scheduling module at primary care sites nationwide to see if it's ready to service the entire agency.

  • Shutterstock images (honglouwawa & 0beron): Bitcoin image overlay replaced with a dollar sign on a hardware circuit.

    MGT Act poised for a comeback

    After missing in the last Congress, drafters of a bill to encourage cloud adoption are looking for a new plan.

Reader comments

Mon, Sep 10, 2012 OccupyIT

Let's face it, if GSA was offering compelling shared services then 'Cloud-First' would be seen for the fiasco it is - a policy wonk asserting a technology instead of a solution focused on mission execution. Besides the obvious commodity IT services, like email, there is no plan because cloud is an implementation and marketing/packaging detail. Agencies claim 'cloud' because they buy from a proprietary vendor that utilizes 'cloud' technology for their SaaS product. Seriously, who cares what technology they use if they are delivering a solution our agency needs at a cost that is reasonable? 'Cloud-First' is an epic distraction for limited mind-space that should be focused on mission. On the other hand, jumping through hoops for senior management has amused and entertained bureaucrats for eons - its the new Enterprise Architecture, or Data Warehouse, or Client-Server, or blah, blah, blah. Probably needs more senior level consulting from ex-CIOs. Good luck!

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group