Over the last three years, agencies slowly have been moving to the cloud while holding security out as the biggest barrier.
But as initiatives such as the Federal Risk and Authorization Management Program (FedRAMP) reduce the anxiety over how to secure cloud services, a new, and much bigger, barrier is starting to emerge: culture.
Richard Spires, the Homeland Security Department’s chief information officer and vice chairman of the CIO Council, said cloud is changing the way IT, acquisition and program management employees do their jobs, and that makes them uncomfortable.
“People get [cloud computing] intellectually, but because they are used to what they are doing, it’s a really big shift to work in this different model, especially for people in the IT department,” Spires said recently at a Homeland Security and Defense Business Council event on cloud computing. “We are shifting out the whole infrastructure, their old style and way of working with the infrastructure provider. That’s hard, and we recognize it’s hard. So it’s about bringing people along and showing successes and building on that.”
Spires said agencies are making some progress in changing the culture, but he worries whether it is at a quick enough pace. “My big concern, and I don’t have a good answer for this one, my big challenge, maybe my biggest, is how to race, even with a change management mechanism, fast enough so we don’t get into a position where we actually have to lower our service quality because our budget is declining faster than we can keep up with that,” he said. “My biggest challenge is racing to try to make these changes, while bringing people along, while we look at these budgets that continue to decline.”
Those declining budgets also may act as just the forcing factor to change the culture.
Spires and Kevin Deeley, the deputy CIO at the Justice Department, also pointed to the cost savings and efficiency possibilities of cloud that could help make the culture change easier.
DHS stood up 11 different cloud-based services and cut the cost of an email box per user in half. Spires said DHS is taking the money it saves and reinvesting it in new mission-critical technologies.
Spires said cloud brings standardization and scale to the commodity side of the infrastructure and that will free up money for other things, which becomes especially important during these times of budget decreases.
Deeley said that at Justice, the culture change is just beginning: the department has more than 40 different components, each with its own IT shop managing its own infrastructure.
“To bring them along and moving to more commodity based services and gaining those efficiencies, it would be helpful if cloud providers looked at different ways of pricing and challenges associated with buying it by the drink, eventually, and getting the economy of scale across the agency,” he said. “Today, to work through those policy issues, those culture boundaries, those security challenges that we all suffer from, moving through that has to be a learning curve on both sides.”
Creating trust happening slowly
FedRAMP is supposed to be one main way to lower the boundaries, create efficiencies and trust in cloud services.
The General Services Administration, the Defense Department and DHS run the Joint Authorization Board (JAB), which provides initial approval to companies for meeting the FedRAMP cybersecurity standards for low and moderate systems under the Federal Information Security Management Act (FISMA).
So far, the JAB has approved two cloud service providers and more than 70 are in the queue.
But even with this industry acceptance, agencies have a long way to go to use FedRAMP. “Despite FedRAMP, we still get a lot of agencies that look like they want to do the whole thing all over again,” said Mark Ryland, the chief solutions architect for Amazon Web Services’ World Wide Public Team. “That’s going to be a problem now, we cannot have 25 or 30 agencies going through what we are doing, what we are going through with our third party accreditation organization. It’s an intense process. We love it. We hate it. And in the end, we will all benefit from it. It will make the documentation better, systems more secure, but we can’t do it 25 times in a year. We have to get people to utilize those decisions made by FedRAMP.”
Amazon Web Services was one of 12 vendors to have gone through the pre-FedRAMP certification under the infrastructure-as-a-service blanket purchase agreement GSA awarded in 2010.
Ryland said Amazon understands the complexities and rigorous standards required under FedRAMP. For instance, he said Amazon had to add two-factor authentication to its routers. No customer had required that before, he said, but because FedRAMP required it, Amazon now does it.
But a third party certification and approval from the JAB may not be enough to get agencies to change their culture and trust the FedRAMP process.
Spires said he recognizes why some agencies are hesitant, but strongly encourages CIOs, chief information security officers and others to get past it.
“I understand there may be some things around the edges they want to tweak and maybe that’s fair. But for the most part, they have to accept for the FISMA low and the FISMA moderate what has been done by the cloud service providers to meet that mark and then move on,” he said. “If they do that, we will have a very successful model. I think that will happen, but it’s a very big change management process for the whole CISO and information security community to go through.”
Integration into a broader set of cyber initiatives
GSA recently announced it would stop accepting applications from vendors to become third-party assessment organizations as of March 25. The agency also issued a request for information in February to update the requirements for third-party assessment organizations.
GSA also plans on holding a FedRAMP workshop for agencies on March 18 in Washington to address the benefits of the cloud security program and what agencies need to know to use it.
Along with FedRAMP, the CIO Council and DHS are trying to help move agencies beyond those security concerns.
DHS’ National Protection and Programs Directorate (NPPD) is figuring out how cloud fits in with other security initiatives.
“There is a mechanism here at work that is maturing, but still has a ways to go particularly as we move into a continuous monitoring world,” Spires said. “Under the federal CIO Council, there is a continuous monitoring working group that is working hard right now with NPPD, and the Cybersecurity and Communications office in particular, regarding continuous monitoring and concept of operations, and how that is really going to work and mature. We still are at the early stages of true continuous monitoring, but many of us certainly feel that is where we need to go.”
The White House recently updated its cross-agency cybersecurity goals and added cloud to the mix, especially around the Trusted Internet Connections initiative. That should add another step toward acceptance of cloud and its security rules across government.