Do agencies know where they're going in the cloud?

As cloud computing steadily gains ground in the federal government, a new survey suggests that many agencies lack proper planning to successfully execute a migration.

The Federal Information Security Initiatives Trend Study by nCircle, an information risk and security performance management solutions firm, surveyed the views of more than 100 federal IT security professionals on cloud and mobility. The study found that an overwhelming majority of agency respondents – 96 percent -- indicated one-third or less of their infrastructure has been outsourced to cloud vendors.

“This suggests we’re at an inflection point with the cloud,” Keren Cummins, nCircle's director of federal markets, told FCW. “There’s been a lot of talk and attention, and I think we’re going to see a lot more of this."

Respondents expressed increasing confidence in the technology and policies that can enable higher risk use of the cloud. More than 30 percent reported they are migrating moderate impact data to the cloud. This finding supports recent buzz that agencies’ cloud use is evolving and there’s a move beyond the low-hanging fruit such as email.

However, the actual cloud planning still lacks key components, Cummins noted.

“Looking at the numbers, it’s very interesting that agencies have cloud policies but when you dig a little deeper and ask about a migration strategy, there’s really isn’t one,” she said.

The survey found that just 13 percent of respondents recognized a role for Federal Risk and Authorization Management Program baseline security controls in driving their migration to the cloud. The program reached initial operating capability in June 2012, and is expected to move to a more sustainable operating level in fiscal year 2014.

More than half of the respondents also had yet to determine how FedRAMP would play a role in their move to the cloud. Cummins said the findings could indicate that agency leaders aren’t familiar enough with the benefits of FedRAMP’s security guidance.

A lack of details about the study methodology makes it difficult to conclude how broadly it pertains to the general population of IT professionals in government, said Julie Anderson, chief operating officer and managing director at Civitas Group. However, she said the information provided in the survey suggested three key points related to the current state of affairs in federal IT:

For one, federal policy and regulation continues to lag behind industry and technology innovations and adoptions of next-generation IT such as cloud computing.  "We continue to see multiple examples of this in many departments since the release of the cloud-first policy by OMB," said Anderson, who formerly served as acting assistant secretary for policy and planning for Veteran Affairs Department.

The study provides additional rationale for the Office of Management and Budget to simplify and streamline its policy directives and regulations around cloud so a comprehensive and approach will come to govern agencies investments and practices.  "For example, OMB could integrate provisions of cloud first, Cloud Strategy of 2011, and 25 Point IT Implementation Plan to help clarify the environment in which departments must comply with requirements," Anderson said.

It also provides further support for the need to invest in skills development among federal IT professionals so they can perform to the best of their abilities as the policies and regulations evolve to keep up with cloud adoption.  "In particular, enhancing knowledge and skills about best practices in IT security, understanding purposes and approaches of federal policies in cloud, identifying patterns in threats and advanced persistent threats, and mitigating security vulnerabilities," Anderson explained.