Feds trace path to the cloud

The federal government's "cloud first" policy was articulated back in 2010, but adoption remains an ongoing process. Agencies have concerns about control, security and how interactions with commercial cloud providers will operate on a day-to-day basis. At the same time, they're facing deadlines to identify key technology functions to put in the cloud, and close data centers. Federal CIOs and private-sector cloud vendors shared their experiences at a Capitol Hill panel discussion July 10 held by the Information Technology and Innovation Foundation.

Navy CIO Terry Halvorsen cautioned against thinking of cloud as a single answer to the problem of lowering costs and improving mission. Halvorsen said the Navy has taken $1.4 billion out of its overall data center costs, and cloud has been a part of that savings. Navy officials put their public-facing data into an Amazon Web Services cloud, which saved 50 percent of initial costs.

But Halvorsen is not interested in blazing trails. "Where we want to be is taking advantage of where the commercial technology has proven to be effective to get the mission done at lowest cost," he said.

Halvorsen has no plans to put the Navy's high-security or classified information into a public cloud. There's also information that doesn't get accessed frequently enough, or by enough different users, to require a cloud solution. "It is going to be a blended environment, where we're using almost every blend you can think, so that we are spending less money and getting more value."

Frank Baitman, CIO of the Health and Human Services Department, sees cloud as a way to improve the fractured IT governance at some agencies, where money is appropriated to programs, and program managers go out and purchase IT to support that program, without regard for what other elements of an agency are doing.

"Cloud-based computing makes a compelling case for having an enterprise-wide view," he said. "It presents an opportunity for us to maintain control over the programs that are important, and get more for less money and put that money back into the mission, not into the technology." HHS also works with Amazon, but Baitman said he sees the opportunity to work with other cloud service providers as well, and create a more competitive environment.

Widespread competition will have to wait, however, for more cloud providers to be certified to supply the government with cloud infrastructure services. Currently, just four private firms and the Department of Agriculture are certified under FedRAMP, the critical security authorization for cloud providers.

The slow pace of FedRAMP clearances and of cloud adoption in general is disappointing to Rep. Gerry Connolly (D-Va.), an influential voice on government IT issues and co-sponsor of the Federal IT Procurement Reform Act that recently passed in the House of Representatives. Speaking at the event, Connolly noted that agencies were charged under the 25-point plan from former federal CIO Vivek Kundra with identifying three "must move" applications to migrate to the cloud.

"The federal government has failed to report on any of those agencies complying with that requirement," Connolly said.

Connolly was also pessimistic about the possibility of Congress coming up with new ways to appropriate money for IT across programs and accounts, to potentially reduce duplication and redundancy. But he did say that sequestration under the Budget Control Act, which he does not support, could provide some of the fiscal discipline required to get agencies to look to cloud computing services to save money.

Agencies resist cloud computing for a variety of reasons, according to Kyle Keller, cloud business director at EMC Federal. Their culture and purchasing cycles are geared more toward physical infrastructure and less toward services, and they may be getting mixed signals from Congress and the administration on the need to fulfill the cloud requirements in a timely fashion. Agencies that have not taken steps toward cloud adoption "don't know where to start, they don't have a framework, and their legacy infrastructures are very complex and stove-piped," he said. "Some have moved just because they were told to by order, and just picked an application off the tree" to move to the cloud.

Security also remains a concern for agencies. Baitman said his cloud services come with a real-time continuous monitoring feed going into a dashboard that IT specialists at HHS can see. "When we have suspicions of something going awry, we intervene very quickly," he said.

NOAA CIO Joseph Klimavicz said he would prefer real-time audit logs to security dashboards, to keep track of his systems. "Most companies won't provide that," he noted. And Halvorsen noted that he confined Navy's public cloud to information that was already public, so he wasn't as worried about security breaches. "I'm a little less concerned with public facing data getting out to the public," he said.