This week’s latest cloud news

Two big stories Federal News Radio is following this week when it comes to cloud computing.

Industry leaders are calling on the federal government to revise its acquisition and budgeting practices, in hopes of accelerating the adoption of cloud services. The CLOUD² commission made recommendations to government earlier this week.

“Agencies should demonstrate flexibility in adapting current procurement models and existing contracts to take advantage of new cloud offerings,” according to the group.

Federal News Radio’s Ruben Gomez reports the CLOUD² report was requested by Federal Chief Information Officer Vivek Kundra.

The commission also recommended industry launch new transparency efforts to publicize information about operational aspects of cloud services, including portability, performance and reliability.

---

In other cloud news, the General Services Administration became the first agency to migrate its entire staff into a cloud email system. All 17,000 of its users are officially in the cloud as of this week.

“In GSA, we have a motto that we have broad shoulders,” said Dave McClure, GSA’s associate administrator for citizen services and innovative technologies. “We need to be actually doing what we’re recommending other agencies do.”

Federal News Radio’s Jared Serbu reports 15 other agencies have identified almost one million federal email accounts they want to move to the cloud.

This week in cloud computing

Kundra: Agencies on path for transition to cloud

Agencies are on track with their cloud computing strategies. Federal Chief Information Officer Vivek Kundra told those in attendance at the NIST Cloud Computing Forum and Workshop that all agencies have identified the three systems they will move to the cloud as part of the administration’s cloud-first policy. Kundra gave several examples of agencies that are moving full steam ahead. Read more and listen to Kundra’s speech by clicking the link above.

Six-month budget slashes e-gov fund by 76 percent

Among the cuts agreed to by lawmakers and President Obama in the 2011 budget compromise is a dramatic reduction in the administration’s E-Government fund, which pays for open government websites such as Data.gov, the IT Dashboard and USASpending.gov. Federal Chief Information Officer Vivek Kundra testified last week the government has saved $3 billion so far with the use of its 25-point IT restructuring plan. He said the process of adding transparency to IT programs was key to the cost savings the administration has achieved.

Also testifying at the hearing was Dave McClure, associate administrator in the Office of Citizen Services and Innovative Technologies at the General Services Administration. McClure said when GSA begins offering cloud email services under a blanket purchase agreement it estimates it will save agencies as much as 44 percent over their current email costs. Read the full story by clicking the link above.

GSA offers advice for cloud vendors

The General Services Administration offered advice to vendors trying to sell cloud services to the government.

Dave McClure, GSA’s Associate Administrator in the Office of Citizen Services and Innovative Technologies, told Federal News Radio vendors are definitely the innovators in the cloud space. But, he warns, vendors need to do more than repackage “their old solutions as cloud solutions. I think it’s doing a disservice. If that’s the pitch – ‘hey, we’re cloud’ – than all we’re doing is creating confusion.”

Mary Davie, Assistant Commissioner of GSA’s Office of Integrated Technology Services, joined McClure on In Depth with Francis Rose this week. Davie said despite the fact she’s not an IT person, she’s made it a point in her new job to learn about the cloud.

“It really made sense, from my perspective, to understand this, to understand how these things are defined, how agencies would want to buy the kinds of things they would want to move – or maybe not move – into the cloud.”

Davie recommends all agency managers that are interested in learning about the cloud should read the Federal Cloud Computing Strategy. Agency managers can also go to info.apps.gov for more information on the various cloud services GSA offers, cloud case studies, and general information on cloud computing.

As for the age-old question about security that always seems to come with the cloud, McClure sees the days ahead when this isn’t as much of an issue.

“I think, as we evolve, you’ll see even cloud service providers will be able to take financial data, human resources data which are sensitive, and as long as we have assurances and they are passing security control testing and continuous monitoring activities that show that data is secure, it’s the same as doing it yourself.”

Listen to the full interview with McClure and Davie.

GSA’s McClure describes new cloud RFQ

As Federal News Radio told you on Friday, the General Services Administration released a request for quote (RFQ) in order to put together a contract for infrastructure-as-a-service.

Fed Cloud Blog sat down with GSA’s Associate Administrator
of Citizen Services and Communications, Dave McClure, who talked with members of industry about the RFQ and the new contract at an ACT/IAC event at the end of April.

“I personally feel like we have to make sure we do solid outreach with industry to make sure that our instruments that we’re putting out for cloud services are in line with the way that they think we should be offering them. That was the purpose of the dialogue with industry. We did talk a little bit about the reasons for canceling the prior infrastructure-as-a-service RFQ. I just wanted to emphasize with them that we felt like the market had changed quite a bit since the initial offering, which had started up almost 12 months ago. Vendor engagement, vendor market offerings and vendor understanding of cloud has certainly matured quite a bit in the last 12 months, and the same thing has occurred on the agency side.”

As you probably remember, GSA first issued an RFQ for IaaS in July 2009, but canceled in this past February.

“The infrastructure-as-a-service offering was put out previously [and] was done in very close approximation to the software-as-a-service announcement, and the whole launching of the Apps.gov website. We knew this after the launch, but a valuable lesson that we learned was that there was great confusion in industry about which announcement covered what. There was confusion as to what they needed to reply to to get on schedule for the infrastructure, what they needed to do to get on schedule and get up on the apps.gov storefront for software. We don’t have that problem [now]. The website is up, people understand the processes, so I think we’ve eliminated what was then a very confusing period for just announcing the storefront and announcing an infrastructure BPA all very, very much at the same time.”

This time around, McClure says several things will be different.

“We’re raising the security level to the moderate level. I think that’s where the public sector in general is headed — greater security in these cloud provisioning agreements. So, we’ve raised this up to the moderate level. I think that’s a significant improvement and difference from the prior RFQ. We also are making it much easier and clearer to map the industry offerings to the contract line items in this BPA instrument that we’re using. There was some confusion about whether specific services and prices for some of the industry offerings — how they’ve mapped to the contract line items in this BPA. We’ve gone back and actually cleaned that up and had conversations with industry on how that mapping process can work very effectively. So I think that will also create a much better instrument than what we had before. The third big difference is that things that are awarded off of this instrument will be candidates that will go into the FedRAMP centralized CNA approval process. I think that will make a difference, as well — knowing that your product or service will actually go through one CNA and then be usable across the entire government.”

What, exactly, is the cloud? Depends on who you ask

Moving into the cloud is a fairly new concept for many federal agencies and, as always, pitfalls happen.

GSA’s Dave McClure gave FCB insight into why some challenges might occur when it comes to securing information in the cloud. He said it’s not necessarily about the technology itself, but sometimes has to do more with government processes and culture.

It’s a virtual, rather than physical, control with assurances — and, again, I think some of this has to be worked out with the CIO Council, with OMB on what constitutes a quality review process and certification process when you’re moving information around in very different ways than what we’ve traditionally done.

So, what are these processes that need to be followed? Are they any different than what would be in a normal computing arrangement where you actually touch, feel, inspect and can analyze data on machines right in front of you.

FCB took a look at what the private sector is doing, because security struggles are clearly not just a federal government issue.

One of the biggest issues when dealing with security in the cloud, it seems, is defining what, exactly, a secure cloud constitutes.

An article from CIO.com gets perspective from six IT security practitioners, and each has a unique perspective about what it means to secure your cloud.

Some interesting points:

• Matt Schneider, security consultant and senior Web design architect at Ford Motor Company, is quoted as wondering how concerned the average user is about cloud computing, “Look at Facebook and Twitter. There’s a couple of apps that have been hacked, yet that’s all you hear people talking about lately. If they really cared about security, I think they would just stop using those apps.”
• Terry Woloszyn, CEO/CTO at PerspecSys Inc., “{I}n trying to answer the question of what is and isn’t cloud security, you are trying to establish a taxonomy.”
• Michael Versace, partner, principal research contributor at The Wikibon Project, “Some are making cloud security more difficult to understand than it needs to be. Since security is a risk-based discipline, users need to understand the inherent risks in cloud services and implement the best set of organizational/management/business processes and technology controls to manage risks down to a profitable/acceptable level.”

Of course, these IT gurus are not working for our federal government, but their comments are valid and lead FCB to wonder . . . does operating in the cloud put more onus on the user in terms of security?

The Pew Internet & American Life Project released a survey last month that said about 69 percent of Americans who are online use cloud computing in some fashion or another.

51 percent who have done a cloud computing activity said, for the most part, they use cloud computing for its ease and convienence.

At the same time, however, 90 percent said they would be very concerned if the company that stored their data gave it to another company.

Which brings us back to yesterday’s post about Apps.gov. McClure told the FCB about some of the conditions surrounding apps offered on the site — one of them having to do with companies securing data.

The cloud is constantly evolving and, so too must security measures, it seems.

Something for agencies to keep in mind, we imagine.

What’s available on Apps.gov — and how you can use it at your agency

FCB has gained some insight into what, exactly, is on Apps.gov and how you might be able to use the tools at your agency.

Dave McClure, Associate Administrator for Citizen Services and Administration at the General Services Administration, gave us some tips — and a lot of explanation — about the site.

On why Apps.gov is important
I think Apps.gov represents the beginning of the federal strategy of moving into the cloud computing environment. It is a beginning step. It’s not the complete solution. The idea is to put largely already available cloud software services up in an organized way on a portal that agencies can get quick access to, and cut through a difficult — and, instead, go through an easy — procurement process to bring those kinds of capabilities on board.

So, it’s largely focused right now on simple applications and we do have our terms of service posted for our social media apps that have gone through some vetting with government requirements for social media tools. Those are shown on the Web site, as well. Those are absolutely free products, as long as the agencies have come to a terms of agreement with the provider.

On some of the barriers of cloud computing
Well, it’s a relatively new area for the government. It actually is for everyone — not just government. There’s still, of course, concerns about security and protection of information in a cloud environment. There are, certainly, concerns about reconstitution of data — if I want to pick it up and move it somewhere else. The biggest issues beyond those technical things are cultural. Letting go of control of equipment and resources, and, instead, buying IT capability as a service. That’s a big culture shift for government.

I think a lot of it’s just control revolving around uncertainty of how this actually operates. One of the biggest issues is, honestly, what is cloud computing? It’s almost like getting economists together and asking what’s the state of the economy? You’re going to get different answers because there are different models, there are different ways of approaching cloud just within government, a hybrid between government and private sector, or pure public clouds. So, some of it stems from the confusion of what this really means and what it is. The other is just fear of the unknown. We’ve never been in this environment — what does it really mean to operate data that I’m accountable for and results that I’m being monitored for in an environment that I don’t have day to day control over.

On who’s responsible for security in the cloud
The short answer is, the assurances are still lie with the purchaser — with the agency. They have to make sure that FISMA requirements are being met. That NIST requirements are being met. The same certification processes have been adhered to by their provider. So you’re not letting go of security, you’re turning it into an exercise where you’re sure your provider is providing that level of security that’s necessary for the type of data that you’re processing and disseminating.

So, the onus doesn’t go away for the agency, but what it does mean is — how do I look inside a visualized data center to make sure that it’s being done? Who audits — who controls whether that certification is real? I think that’s some of the issues that we’re dealing with — is making sure that the standards are being met and that there’s concrete evidence that the data’s actually being protected.

On how cloud computing can save money
I think that’s an area of great interest — is the infrastructure space. We know that the greatest percentage of IT money in the government is spent on operations and maintenance of applications, particularly the hardware in the telecom and infrastructure side.

So, if we’re going to save significantly, we’ve got to reduce costs in those areas. That’s an area where cloud computing has already demonstrated that it can make a difference. Here at GSA, for example, USA.gov is being operated in a cloud environment and has been since May of this year. Already, we can point to tremendous cost savings and much more efficiency in terms of updating the site, flexibility if we need more computing capacity from spikes in user demand — a much more simplified setup from an operational perspective.

We still have a role to play.

We do still monitor what happens with the information. We still do have control over the content management systems, per se, in the application space. Not everything’s been completely turned over to a cloud provider, but the fact that we’re not running servers, we’re not actually doing the operations and maintenance on hardware frees up our developer and engineering time for thinking about next generation applications that we need to be doing to make that site cutting edge.

On how Apps.gov works with vendors
Each of the media providers have what they normally would call terms of service agreements. It’s what you’re clicking on when you’re at home on your own computer and you pull up a nice piece of interesting software. You say, hey I’d like to run that! But before you’re allowed access to it, or if it’s being run off of their server, or, alternatively, if you even downloaded it, you notice you always get that agreement that comes up. You’re asked to say, I accept this.

That’s essentially what a term of service agreement is. You’re agreeing to the terms and conditions on the use and placement of that software in your computer. So, what we’ve done with the terms of service agreements with media providers is to say, there’s certain things that we want you to adhere to if these products are used in the government space.

One, we don’t want your site loading up with advertising.

Two, we don’t want you collecting cookies that devolves personal identification information to you so that you can track someone. We want any legal matters — if there’s ever a dispute involving this software — done in a federal court, not a state court or a court that you the provider chooses because this is a federal application.

So that’s what the terms of service have carefully done — is to negotiate with the new media providers and say these are the special conditions that we want the application to abide by if it’s going to be used in a government environment. It’s basically a minimal set of agreements. Now, each agency — we suggest they take that and implement it as is, or to add to that other conditions they want. That’s what’s up on the Web site.

There are approximately 26 social media tools that have gone through that vetting process that we and agencies have vetted that meet the conditions for government use. There’s another 20 or 30 or so in the queue that we’re going through now and doing the same thing.

On what the future holds
Well, hopefully, you will find very fast more applications loading up for the software-as-a-service area in the business apps, productivity apps side, where those icons are. You should see a growing list of social media tools as more of these agreements are negotiated. The more new and exciting thing that you’ll see coming in the future is, we’re moving into the infrastructure-as-a-service space, where servers, hosting services and even hardware — infrastructure for processing — can be bought as a service through the storefront. So, that’s where we’re moving. Into the infrastructure provisioning, and eventually into platform provisioning after that.

To learn more about this interview, click here.

---

Is your agency working in the cloud? Or are you still waiting to make the move? Either way, the Federal Cloud Blog wants to hear from you!
Email Dorothy Ramienski: dramienski@federalnewsradio.com.

Read the rest of this entry »

Cloud Conversations on ‘GITSS’

We call it ‘GITSS’, but the real name of the show is Government IT Solutions Spotlight.

Federal News Radio’s own Chris Dorobek is joined by WTOP’s Adam Tuss to talk about all sorts of issues surrounding IT every Tuesday at 10 a.m.

Which, of course, inevitably brings us to the cloud.

This week, Chris and Adam talk about Nebula with Chris Kemp, CIO at NASA’s Ames Research Center in Silicon Valley.

If you don’t know anything about Nebula — NASA’s cloud platform — I urge you to listen. This is a fascinating interview about how a federal agency is using open source to work in a 2.0 world.

Also, I wanted to highlight a story published on our site last week by Internet Editor Emily Jarvis.

The Daily Debrief talked a lot about the cloud last week, and Emily took two excellent interviews — one with GSA’s Casey Coleman and Dave McClure; and one with Alan Murphy of F5 Networks — to discuss the new site apps.gov, among other things.

To fully understand the changes that Apps.gov brings to cloud computing, it is first important to have the most up to date version of what the cloud is and what it is supposed to do.

NIST defines cloud computing as “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.”

Apps.gov is just the most recent development to the cloud. The website is the federal government’s cloud computing storefront.

I urge you to read more here.

In the Cloud on the Daily Debrief

This afternoon on the Daily Debrief, hosts Chris Dorobek and Amy Morris talked a lot about the cloud.

In the 3 p.m. hour, they talked with Teresa Carlson of Microsoft Federal.

In the 5 p.m. hour GSA’s Dave McClure and Casey Coleman joined the Daily Debrief in studio!

You can read all about both interviews by going to the Daily Debrief blog page.