Survey: What feds really think about cloud computing

April 17, 2011

29 percent of federal IT professionals are currently using cloud computing and another 29 percent plan to be using it within the next 12 months, according to the latest survey from InformationWeek Government and InformationWeek Analytics.

InformationWeek polled 137 federal IT pros for the survey.

Some of the other major findings in the survey:

  • 21 percent say they are shifting to cloud services to comply with guidance from the Office of Management and Budget.
  • 62 percent say they are taking the jump into the cloud to lower IT costs.
  • 77 percent say security is a major concern in moving to the cloud.
  • 46 percent say they are “already using or highly likely to use private clouds.”
  • 11 percent say they are “highly likely to adopt commercial cloud services.”
  • 22 percent say they are likely to use commercial clouds that have been adapted for government customers.
  • 44 percent are unfamiliar with FedRAMP. (FedRAMP was established “to provide a standard approach to assessing and authorizing cloud computing services and products” across government, according to the CIO Council website.)
  • 53 percent are unfamiliar with NIST’s new program, the Standards Acceleration to Jumpstart Adoption of Cloud Computing. (SAJACC helps develop cloud computing standards.)

Have ideas about cloud computing certification? Tell GSA

November 9, 2010

Think you can help the federal government speed up its certification and accreditation of cloud computing products and services? If the answer is yes, the General Services Administration wants to hear from you.

GSA recently released requirements for the Federal Risk and Authorization Management Program (FedRAMP), an interagency initiative that will provide the government-wide certification process.

GSA, along with the Federal CIO Council, wants to hear from agencies, vendors and the public about process templates, guides, common security requirements and other program-related aspects.

People can submit comments on FedRAMP’s website until Thursday, Dec. 2 at 11:59 p.m. Eastern Time. There will be two information sessions – one for vendors and one for federal agencies – during the comment period, although the dates and times have not yet been established. GSA officials say more information will be posted on FedRAMP’s website as the weeks go on.

Meanwhile, Vivek Kundra, the Chief Information Officer, released the following statement about the requirements and public comment period: “By simplifying how agencies procure cloud computing solutions, we are paving the way for more cost-effective and energy-efficient service delivery for the public, while reducing the federal government’s data center footprint.”

More cloud offerings coming from GSA

November 1, 2010

Anyone attending the recent ACT-IAC Executive Leadership Conference in Williamsburg, Va., can tell you there was some great information on the future of cloud computing in government being announced and discussed at the event.

This includes the news that the General Services Administration has issued a notice on for e-mail-as-a-service under the software-as-a-service platform.

An industry day will be held Monday, Nov. 1 where interested vendors can get more information. GSA has also released its SaaS Email Pre-Solicitation Briefing Requirement document. GSA said it expects to issue a request for proposals by March 2011.

Katie Lewin, director of GSA’s Cloud Computing Program, told those in attendance at the event the agency is also considering a platform-as-a-service offering. Lewin said the agency is working with the U.S. Geological Survey among others to create a geospatial information platform in the cloud.

“It is the natural candidate for cloud computing because you have massive amounts of geospatial data stored all over government,” Dave McClure told Federal News Radio’s Jason Miller. McClure is GSA’s associate administrator for Citizen Services and Innovative Technologies and will also be speaking at Monday’s industry day. “If we can create a platform that would allow it to be stored securely and for common use, and leverage that across the entire government, I think we could see some unbelievable cost savings in the geospatial areas.”

Lewin said an RFP for geospatial could come out later in 2011.

Federal Chief Information Officer Vivek Kundra also had news about the draft FedRAMP specifications and requirements. The requirements document will be out soon and can be found on both and the CIO Council website when it’s released.

FedRAMP is a voluntary government-wide approach under which agencies submit cloud-based services to be certified and accredited (C&A) for cybersecurity once, then trusted and used many times.

This, of course, all comes on the heels of GSA awarding 11 vendors a spot on the infrastructure-as-a-service government-wide blanket purchase agreement.

How quickly will agencies adopt and start using the cloud services once they are available? Only time will tell.


Why federal CIOs, CISOs still have concerns about the cloud

August 19, 2010

Has there been a break in the cloud?

Symantec recently released its 2010 Break in the Clouds Report, which shows that many CIOs and CISOs in the federal government still have real concerns about security.

Ned Miller, director of public sector strategy for Symantec’s public sector market, breaks it down for us today.

NM: The purpose, or intent, of the report was really simply to evaluate where agencies were, or currently are, in their overall cloud strategy, and then evaluate the ones that are early adopters, specifically with any challenges or barriers they’ve had with implementation, and really to focus on their key concerns. That will allow us to position how we can help our government clients going forward.

FCB: And what were some of your key findings?

NM: There were a number of themes that were pretty consistent in terms of the evidence that we collected.

The first area that we were very focused on was just how many agencies had actually implemented cloud, or cloud-based applications, or any platform or infrastructure. We accounted for about 23 percent of the agencies that participated in the survey have actually implemented cloud, and about 35 percent are planning to implement.

A couple other key areas that I think were interesting and noteworthy [are] — the emphasis on private clouds versus public clouds, and where agencies have already adopted some cloud strategies. About 58 percent of agencies are already using a private cloud, or in-house cloud, versus approximately 64 percent of those who are planning . . . to use private or in-house cloud versus using an outsourced cloud model.

FCB: We always, inevitably, come back to the security question. [Your survey] says 89 percent say data protection privacy is their top issue. Can you break down those numbers a little bit for us?

NM: Based, again, on the survey, about 80 percent of the participants came back and responded with that they believe that encryption in the cloud is a key area that needs to be addressed, and approximately 70 percent of them have come back and required data segmentation for the actual data in the cloud itself.

FCB: In terms of where agencies are now in terms of implementing cloud, you’ve got a slide [in the report] that says ‘proceeding with caution’. How does that tie into the security question?

NM: Well, in terms of ‘proceeding with caution’, a number of CIOs and CISOs that I’ve spoken to personally are still moving forward based on the mandates coming from OMB with their implementation of cloud strategies; however, the concerns are still centered mostly around security.

It still comes back to the data itself, protection of that data, and they’re fairly conservative in terms of the implementation approach to date, and therefore they’re really relying on building private clouds and building inside their own infrastructure. So, those are kind of still the key concerns — it really has to do with the data itself and where it resides.

FCB: So, a lot of agencies say they feel safer in these private clouds, rather than public clouds, but according to your survey, almost half who have implemented cloud don’t know if they’ve experienced a breach or an attempted breach. Is this cause for concern? Should we be really worried about this?

NM: We should, and, again, this speaks to the desired end state, which is a clear set of standards to address how to adopt and deploy and implement a secure cloud, which leads to FedRAMP. . . . [It] is really designed to unify cloud computing security standards across the U.S. Government. Obviously, the initiative is managed by the folks up at NIST and Peter Mell, and he has a big task in front of him. We believe that, overall, this attempt to standardize a security model around cloud computing will take some time to evolve, and the biggest challenge we see with it, quite honestly, is not necessarily the adoption of the standards, but how quickly the industry — both the people, the process and the technology — are moving, versus how quickly standards can be adopted.

So, the biggest challenge to the standard, I believe, will be that we’re moving much faster than what standards typically have been able to get out.

FCB: What other barriers — perceived or real — are agencies facing at this point as they’re looking at cloud adoption?

NM: My sense is, at this point, that it’s going to come down to, specifically, expertise on the government agency side in terms of developing a technology strategy to deploy these private clouds.

So, we’re crossing into somewhat uncharted territory where agencies are building, with their own resources and infrastructure, these private clouds without necessarily a lot of strict guidance to any security standards, because they don’t quite exist yet.

So, in their rush to move towards the cloud, and derive the benefits that cloud provides in terms of efficiencies, economies of scale, etc., security often is still one of those scenarios that’s not baked in automatically.

FCB: And, finally, in terms of the ‘what’s next’ aspect of this, I believe you did talk to some agencies that are already implementing or starting to implement cloud computing. What did they tell you? What did you find out from them?

NM: It’s interesting in that, outside of the survey, I personally have been in contact, as I mentioned, with a number of CIOs and CISOs, and on the federal side, there’s a little over a dozen or so agencies that have fairly mature programs. They’ve actually stood up applications, some of which are service-to-citizen applications, the majority of which are still internal.

The notion of cloud computing is really catching on. We’re starting to see a number of agencies really jump towards that. I think in terms of what’s next is — they really need a cloud security strategy, instead of guidance from the authoritative sources, to help them ensure that, as they move forward with the guidelines that have been laid out by the federal budget planning process, [which says that] by September, 2011, any major IT investment acquisition has to provide an alternative analysis of a cloud strategy.

So, in terms of being able to support the mandates coming from OMB, I think the thing that we need the most is clear guidance around standards, and some assurance around the minimum security standards and criteria for both the industry partners [and] the government itself, specifically around data encryption, what the certification and accreditation process is really going to be like, what it means for one agency to approve a certain cloud provider [and] if another one can truly adopt that particular vendor, and then the notion of data segmentation for cloud solutions — whether it’s public or private.

Role of federal CIO, CTO influences agencies on cloud

June 15, 2010

As you probably know, the General Services Administration is planning to move the entire agency’s email system to the cloud.

Federal News Radio has been telling you that this is not the first agency to make the move; the Interior Department has already consolidated 12 different systems and moved 80,000 users to the cloud.

From this news, it seems like cloud is no longer just a buzzword — it’s becoming part of the new business of government.

David Link is President and CEO of ScienceLogic, which conducted a survey of federal IT managers and workers earlier this year at FOSE.

Link says one of the many trends the survey showed is that cloud computing seems like it’s here to stay because of the immense presence of federal CIO Vivek Kundra and federal CTO Aneesh Chopra.

“This year is the first time that we’ve had a federal CIO, a federal CTO over all of government IT. One of the questions we asked is — has this new role impacted your IT operations? Actually 56 percent of the people that responded said it absolutely had impacted, and over 30 percent said they were seeing a major impact. Only about 20 percent said it was business as usual, so I think what that means is that the mandates from the top down actually are active, they’re very visible, the word’s getting down to people and engineers and operators that are working in the trenches. That’s a great, positive movement. It’s a great story going forward — that a new role in the government can actually impact the people who [are] literally . . . doing the job each and every day.”

He also notes that there is a direct connection between cloud and virtualization, which is helping agencies adopt cloud.

“What we saw early on with virtualization [in] the first year of the survey is that a few people had thought it was a key initiative and/or they had projects in place. This last year the adoption has moved up from major hype to adoption — 80 percent of the respondents this year said they had virtualization initiatives. Frankly, virtualization is at the heart of cloud, because it’s all about shared and pooled resources where you can leverage a resource pool really effectively and have the agility that cloud offers where you can stand up IT resources very quickly. Virtualization is really one of the heart and soul key components of cloud offerings.”

It is slow going, however. The survey showed that adoption of cloud is still relatively low, but interest is high. Link says that, in his opinion, this isn’t a plateau or a fad, and he likens the government’s response to cloud to its response to IPv6.

“From the very top, Vivek Kundra’s really a thought leader on the cloud . . . with NASA’s initiatives and FedRAMP setting standards on cloud initiatives, they’ve really got a lot of people focused on this. As the largest buyer of IT in the world, where the government goes, vendors are going to go. What I see is, they’re really being smart about the approach. They’re trying to figure out where outsourcing to the cloud makes sense — where is it smart? Where can you get the advantages that the nimbleness and scale of the cloud brings straight to government IT operations.”

But what about the money? Will agencies see future funding for cloud computing initiatives? Link says many agencies were helped in the past by the American Recovery and Reinvestment Act, and now agency heads and IT managers are looking at spending differently.

“Some of the huge projects that are multi-year, large awards may not be going as fast because they tend to take a long time, but I think what you’re seeing from a government IT perspective is more of a surgical approach to [solve problems]. There’s a huge initiative where Vivek Kundra has said, by the end of the year, he wants all agencies to put together and put forth their data center consolidation strategy and plan. Data center consolidation is really about figuring out how to collapse and provide more shared services, which is really going to drive adoption of the cloud and virtualization and these core technologies even faster because they’re a key linchpin to getting there.”

GSA’s McClure describes new cloud RFQ

May 24, 2010

As Federal News Radio told you on Friday, the General Services Administration released a request for quote (RFQ) in order to put together a contract for infrastructure-as-a-service.

Fed Cloud Blog sat down with GSA’s Associate Administrator of Citizen Services and Communications, Dave McClure, who talked with members of industry about the RFQ and the new contract at an ACT/IAC event at the end of April.

“I personally feel like we have to make sure we do solid outreach with industry to make sure that our instruments that we’re putting out for cloud services are in line with the way that they think we should be offering them. That was the purpose of the dialogue with industry. We did talk a little bit about the reasons for canceling the prior infrastructure-as-a-service RFQ. I just wanted to emphasize with them that we felt like the market had changed quite a bit since the initial offering, which had started up almost 12 months ago. Vendor engagement, vendor market offerings and vendor understanding of cloud has certainly matured quite a bit in the last 12 months, and the same thing has occurred on the agency side.”

As you probably remember, GSA first issued an RFQ for IaaS in July 2009, but canceled it this past February.

“The infrastructure-as-a-service offering was put out previously [and] was done in very close approximation to the software-as-a-service announcement, and the whole launching of the website. We knew this after the launch, but a valuable lesson that we learned was that there was great confusion in industry about which announcement covered what. There was confusion as to what they needed to reply to to get on schedule for the infrastructure, what they needed to do to get on schedule and get up on the storefront for software. We don’t have that problem [now]. The website is up, people understand the processes, so I think we’ve eliminated what was then a very confusing period for just announcing the storefront and announcing an infrastructure BPA all very, very much at the same time.”

This time around, McClure says several things will be different.

“We’re raising the security level to the moderate level. I think that’s where the public sector in general is headed — greater security in these cloud provisioning agreements. So, we’ve raised this up to the moderate level. I think that’s a significant improvement and difference from the prior RFQ. We also are making it much easier and clearer to map the industry offerings to the contract line items in this BPA instrument that we’re using. There was some confusion about whether specific services and prices for some of the industry offerings — how they’ve mapped to the contract line items in this BPA. We’ve gone back and actually cleaned that up and had conversations with industry on how that mapping process can work very effectively. So I think that will also create a much better instrument than what we had before. The third big difference is that things that are awarded off of this instrument will be candidates that will go into the FedRAMP centralized C&A approval process. I think that will make a difference, as well — knowing that your product or service will actually go through one C&A and then be usable across the entire government.”