Officials from the General Services Administration (GSA) said this week that the agency is preparing the next version of the federal government’s main cloud computing acquisition vehicle – the Infrastructure-as-a-Service Blanket Purchase Agreement (BPA) – as part of a broader effort to better position federal agencies to take advantage of the growing number of commercial cloud services.
Awarded to 12 cloud services vendors in October 2010, the $76 million Infrastructure-as-a-Service BPA was designed to provide agencies with a one-stop shop for ready-made cloud computing services, particularly Web hosting, storage and virtual machines. So far, the contract vehicle has attracted the likes of the Department of Homeland Security, which recently moved its public Web hosting to the cloud, and the Department of Labor, which now leverages cloud services for enterprise case and document management.
But now the GSA is planning to add Email-as-a-Service and possibly Platform-as-a-Service to the existing lineup of cloud offerings, according to two senior GSA officials who spoke at the Red Hat Government Symposium on Nov. 16. Changes will also be made to make the existing BPA a more effective contracting vehicle for federal cloud adoption.
“We’ve got to find some way to build some flexibility into that acquisition vehicle…to accommodate the cloud computing business model,” said Stan Kaczmarczyk, principal deputy associate administrator at the GSA.
“We’ve got a pipeline of close to another 35 agencies that are doing market research, putting data requirements together and readying [requests for proposals],” he said, adding that future contract vehicles may not all be BPAs.
One of the main drivers behind the push to revise the current BPA is the inability of federal agencies to take complete advantage of the flexibility offered by cloud services.
“The government is not set up to take advantage of the cloud,” said Kaczmarczyk. For example, if an agency’s cloud usage surges during a particular timeframe, it may not have funds available to obligate to cover the usage surge, he said. Likewise, if an agency doesn’t use all of the capacity it paid for, it will lose that money in the following year’s budget.
Sonny Hashmi, deputy CIO and chief technology officer at the GSA, said one of the new cloud contracting vehicles will cover email because of the large number of agencies that are currently pushing email and other “commodity” IT services into the cloud as a way to reduce costs.
“Cloud is an ideal home for commodity IT, especially public software as a service,” said Hashmi. “E-mail and collaboration are good examples, as are hosting and storage.” He also hinted at social networking applications as another area for government cloud adoption.
Significant Changes, Maturing Strategies
According to Hashmi, the mass exodus away from the so-called “on-premise, bare metal” IT services to the virtual cloud environment requires a significant change in how federal IT and business managers must think. And a lot of that thinking must be done up front, before a contract is issued, he said.
In almost every major area, from IT security to records management and mobile, “the solutions look different,” said Hashmi. IT security managers must “invest the effort in redefining what your system looks like because it’s not in your firewall [and] it doesn’t sit in a rack,” Hashmi said. “And mobile strategy changes dramatically,” he added. “You can’t just rely on deploying mobile devices that are talking to systems behind a firewall. You now have to authenticate many mobile devices of any ilk into a cloud provider that you don’t own, and doing it in a way that they are managed and monitored [appropriately].”
Success with a large cloud deployment therefore requires what Hashmi calls a “coalition” of agency leaders capable of obtaining executive “buy-in” early in the process. Being successful, he said, “requires that a lot of different organizations within the agency come together. You need to get experts in access management, mobile, integration, and legal in the same room.”
This all leads to a detailed acquisition process, during which careful attention is given to contractual details.
“When moving to the cloud, you really need to make sure that in your contracts you have addressed issues of data portability, data ownership, location, issues of severance, and what happens if you decide to not use a vendor’s service,” said Hashmi. “How do you get your data back and how will the vendor help you migrate to a new service provider?”
Not focusing on these details could lead to costly problems. And that’s what worries Kaczmarczyk.
“One of the things I worry about is the cost of migrating to the cloud solution and the cost of getting out of it,” he said. “I worry about those costs exceeding the economic benefit of going to the cloud.” Kaczmarczyk said these potential problems could be alleviated by industry using open standards, following the NIST guidelines, and using the same language in service level agreements.
Security Challenges Remain
To date, only four of the 12 vendors on the Infrastructure-as-a-Service contract have been granted an Authority to Operate under the BPA due to the stringent security accreditation and certification process, according to Kaczmarczyk.
Cloud vendors must first complete the Assessment & Authorization (A&A) process at the FISMA Moderate Impact Data security level as administered by GSA. Once granted authority to operate, products are made available for purchase by government entities through the Apps.gov storefront.
One particular hurdle that many vendors have been unable to overcome has been the two-factor authentication requirement spelled out under FISMA, according to Kaczmarczyk. “They just can’t do it,” he said.
Ron Ross, a senior computer scientist at the National Institute of Standards and Technology (NIST) and the FISMA Implementation project leader, raised questions about the GSA push to help agencies migrate their email into the cloud. At a time when tens of thousands of classified and confidential government emails and cables have been exposed through WikiLeaks and other security breaches, Ross said “it’s kind of ironic that email is one of the first things going to the cloud.”
From a security perspective, “it’s really all about the data,” said Ross, cautioning against a move to the cloud without a real understanding of what the data contains. “Email can carry a payload from very low sensitivity to the highest sensitivity.”
Kaczmarczyk said security remains the central issue for the government moving forward with its cloud adoption. “It can be done,” he said. But “nobody’s talking right now about federal agencies putting high security systems in the cloud, at least [not] in the public cloud.”