The benefits of cloud computing are too compelling and numerous for agencies not to take serious adoption steps in this budget-constrained fiscal environment. Some estimate the government can save as much as $14.4 billion through cloud adoption.
Looking ahead, cloud will provide a platform for integrating mobility and BYOD into agencies’ day-to-day operations. The benefits of an increasingly commoditized IT world will be passed along quickly to taxpayers in the form of better and more cost-effective government services delivery. Sooner than expected, the government will be in the “Everything as a Service Era” with the vast majority of IT services being provided virtually via the cloud.
The rolling out of the Federal Risk and Authorization Management Program (FedRAMP) is a critical milestone in this journey.
FedRAMP Will Shape Public Sector Cloud Adoption
According to the 2009 Federal Information Security Management Act (FISMA) report to Congress, agencies spend $300 million annually on IT certification and accreditation activities.
The General Services Administration’s (GSA) FedRAMP program cuts much of this red tape by adopting an “approve once, use many times” model. The Office of Management and Budget (OMB) estimates this model will save agencies $200,000 every time they use a FedRAMP-accredited provider. FedRAMP also established the process of using credentialed independent third-party assessment organizations (3PAOs) to ensure accredited providers’ offerings are secure and appropriate for government use. In fact, the OMB estimates a 75 percent reduction in assessment time.
Realizing the projected $200,000 in savings in each instance is a very desirable target for federal CIOs looking to cut costs and redundancies. Inevitably, data center consolidation and virtualization efforts will also be taken to the next level, which will result in additional federal spending reductions.
Private Sector Demand for FedRAMP
There is a considerable demand for cloud services in the public sector, and the private cloud providers are just as eager to provide these services to a potentially lucrative market.
For example, even before DRC was selected as a 3PAO, we had conversations with a handful of cloud service providers, and we saw a significant increase in calls and requests after the announcement. Many cloud service providers are still in the vetting phase, but those who already have an established footprint are aggressively moving forward. Smaller commercial vendors are not far behind and it is likely there will be a steady ramp up throughout 2012.
A Security Vision Forward
FedRAMP uses the NIST 800-53 cybersecurity controls standard, and real-time monitoring measures will need to be in place for cloud service providers to become accredited.
The General Services Administration (GSA), Department of Homeland Security (DHS) and Department of Defense (DoD) have taken a leading role on the Joint Authorization Board, which reviews auditors’ accreditations and grants cloud service providers ATOs (Authority to Operate). Under their leadership, agencies will overcome the initial cloud security skepticism and bring forward solutions like Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).
Ultimately, FedRAMP is a huge step in the right direction. The program demonstrates how serious the government is about cloud adoption. While FedRAMP certifications and procedures will likely continue to evolve, now the government has outlined a detailed adoption roadmap.
The future is no longer cloudy.
Todd Coen (@TConHS) is the Vice President of the Homeland Security Solutions Division within Dynamics Research Corporation, an accredited FedRAMP 3PAO. He is an active participant in groups such as TechAmerica, AFCEA Bethesda, and the Homeland Security and Defense Business Council.