Agencies today have 117 choices when it comes to buying secure cloud capabilities.
The Federal Risk Authorization and Management Program (FedRAMP) says another 66 cloud services are in the process of receiving authorization, while 18 others are in the cue waiting to get approval.
Additionally, more than two dozen agencies have used more than 10 cloud services, meaning their assessments are available for others to take advantage of.
All of this further demonstrates the continued thirst for cloud services.
And the confidence in the security means agencies are spending more in the cloud. Bloomberg Government recently estimated agencies will $6.5 billion on cloud services in fiscal 2018, which is a 32 percent increase over the $4.9 billion spent in 2017.
These figures will only increase over the next few years.
Bob Osborn, the chief technology officer of federal for ServiceNow, said agencies can take advantage of cloud in a secure way and reduce the time it takes to deliver mission critical services by accepting and using a hybrid, multi-cloud approach.
“As chief information officers and chief information security officers (CISOs) become more comfortable with the service delivery model that vendors are providing in FedRAMP certified environments, now they are seeing the value of increasing the workload in that type of environment. It ends up being much lower cost and provides a greater speed to deliver new processes and new capabilities in the cloud,” Osborn said on the Innovation in Government show. “There’s still differentiation and a caution area that many CIOs and CISOs are wrestling with still. There’s multi-tenant architectures and multi-instance architectures, which allow different capabilities, visibilities and control.”
He said a multi-instance architecture lets CIOs and CISOs have more control and visibility, and extend their cyber controls into the vendor’s cloud instance.
These are among the reasons why agencies are looking for more cloud services that meet the high standard under the Federal Information Security Modernization Act and National Institute of Standards and Technology requirements.
In fact, the popularity for FISMA high cloud services is out-pacing vendors’ ability to get approved by FedRAMP or through the agency process.
“That is something increasingly a requirement that used to be something that was viewed as a nice-to-have capability for certain types of data,” Osborn said. “Now many agencies are making it a baseline for FedRAMP and FISMA high controls to be on all data that is being put into the commercial infrastructure. Previously it was personal information and mission type of data…that was really important to have additional controls on. But now because of recently cybersecurity concerns, almost every agency is viewing government data, as well as the other highly regulated markets whether that be healthcare, financials or banking, as needing these same types of controls.”
Osborn added that the controls under FedRAMP are considered by many a differentiating factor among cloud providers.
“We see a greater moving of mission data to the cloud. Previously it was all business system data,” he said. “Whether it falls into IT operations, business management, HR, security or developing custom applications, agencies are looking for a wrapper of a FedRAMP high certification on that data so they feel comfortable putting actual mission critical workload into the commercial services arena.”
At the same time, Osborn said agencies remain reluctant to accept another’s security assessment of a cloud service.
He said reciprocity is getting better, where once agencies accepted no more than about 10 percent of another’s analysis and relooked at 90 percent of the controls, that ratio is closer to 30-70.
Osborn said as agencies move out more quickly with emerging technologies such as artificial intelligence or machine learning, the barriers to cloud and reciprocity will diminish.
“It’s peanut butter and chocolate, they really go well together,” he said. “It’s really a paradigm shift for federal agencies to look at how they forklift or move workloads into the cloud when they start to consider being able to take advantage of newer, emerging technologies like AI and machine learning. In order for those technologies to work well, data has to be aggregated somewhere so you can run the scripts on that data and get the outcomes you are looking for.”
But at the same time, agencies are having challenges in aggregating their data because, in part, the need to have higher levels of security.
If agencies can bring the data together with the right security controls, Osborn said they can move from a reactive to a more proactive management effort where AI and machine learning can signal real or potential problems.
“We see this in our commercial market significantly, particularly in the commercial retail sector…to predict where different commodities may be consumed based on seasonality and holidays and where workers should for various influx of additional workloads,” he said. “One of the major sports leagues actually uses our platform to plan and assign referees for various sporting events around the country.”