The Top 3 Security Issues in Federal Cloud Computing

Rob Barnes, Director, Federal Practice

A journalist recently asked me for my top three pressing concerns related to Federal cloud security. Here are a few points I had to offer up.

Procurement - The government procurement process is not prepared to deal with the dynamic aspects of cloud pricing. Most government contracts are fixed fee for a set amount of services. Unfortunately, the services change so rapidly that it is difficult to forecast what the needs and costs will be down the road. For example, Google announced significant price drops of up to 80 percent in some cases for their storage, and Amazon similarly announced another drop, its 42nd since the service was established. The procurement process is not aligned to deal with rapid changes in pricing and services.

Knowing What to Ask For - All clouds are different, and the government issues RFPs based on its needs, but far too often it defines the solution it wants, which makes the process less competitive. Cloud providers are not standardized services that can be swapped out; instead, they are integrated with other services. It's like saying a Toyota is the same as a Lamborghini because they are both cars. Cloud services, such as Infrastructure as a Service, differ greatly from one cloud provider to another. In many cases, the government doesn't know how to structure its proposals to get the right responses from eligible service providers.

Security, Compliance, and Risk Management - Just as in the civilian world, security, compliance, and risk management continue to be a challenge, given the variety of requirements involved: the Risk Management Framework (RMF) used by the DoD, Federal, and Intelligence Community; FedRAMP; FISMA; HSPDs; FIPS; and agency-specific requirements.

As the Federal government moves further into using cloud-based services, the need for compliance and greater security will increase right along with it. 

Rob Barnes
