A journalist recently asked me for my top three pressing concerns related to Federal cloud security. Here are a few points I had to offer up.
Procurement - The government procurement process is not prepared to deal with the dynamic aspects of cloud pricing. Most government contracts are fixed fee for a set amount of services. Unfortunately, the services change so rapidly that it is difficult to forecast what the needs and costs could be down the road. For example, Google announced significant price drops of up to 80 percent in some cases for their storage, and Amazon similarly announced another drop, which makes it their 42nd drop since the service was established. The procurement process is not aligned to deal with rapid changes in pricing and services.
Knowing What to Ask For - All clouds are different, and the government issues RFPs based on its needs, but far too often it is defining the solution it wants, which makes the process less competitive. Cloud providers are not standardized services that can be swapped out. Instead, they are integrated into other services. It’s like saying a Toyota is the same as a Lamborghini because they are both cars. Cloud services, like Infrastructure as a Service, are very different from one cloud provider to another. In many cases, the government doesn’t know how to structure its proposals to get the right responses from eligible service providers.
Security, Compliance, and Risk Management - Just as in the civilian world, security, compliance, and risk management continue to be a challenge, given the variety of requirements ranging from the Risk Management Framework (RMF), which is used by the DoD, Federal, and Intelligence Community, to FedRAMP, FISMA, HSPDs, FIPS, and agency-specific requirements.
As the Federal government moves further into using cloud-based services, the need for compliance and greater security will increase right along with it.