Listen to my podcast with Tarak Modi, Vice President and CTO of CALIBRE Systems. In this podcast, we pick up on my first podcast with Tarak, Government Cloud Is Where the Action Is, and see how the federal government has continued along its journey towards the adoption of cloud computing.
Listen to or download the 12:09 minute podcast below:
PS: So now, in our first podcast we talked about how the federal government is an early adopter of cloud computing. Would you say this is still true?
TM: Oh absolutely, everything we talked about last time still holds true. The fed is still very much into embracing the cloud model. And we talked about so many cloud initiatives in our first podcast and there's plenty more to talk about. But as the fed continues to move to the clouds, concerns over security of government information, the privacy of citizen data, and the safeguards over our national security interests still remain high. And then there's the Federal Information Security Management Act or FISMA and its very stringent compliance requirements. So how can federal employees and the American people be confident that their information is safe in the cloud?
I think that a root cause of the challenge was accurately summarized by Peter Mell, a cloud computing guru at NIST. According to him, the lack of a government wide authorization program for contracted IT services has really hindered federal adoption of cloud computing. The question at the heart of the matter is how do we best perform security authorization and continuous monitoring for large scale, outsourced and multiagency systems such as the cloud. The answer to this question leads us to a new program called the Federal Risk and Authorization Management Program or FedRAMP.
FedRAMP provides the missing link. It's the unified government wide risk management program that will enable centralized certification and security management of cloud computing platforms and solutions for federal agencies. I like to compare the challenge we have today with cloud computing in the federal government with the classic conundrum of a many-to-many relationship in the database world. As database architects already know, the only effective solution to the many-to-many conundrum is the introduction of an arbitrating entity called the "Join Table". Think of FedRAMP as the Join Table for the many-to-many relationship between cloud providers and federal agencies.
PS: Interesting. Now, you've already touched on both FedRAMP and the security challenges. Could you drill down on that a little bit more, because from what I'm hearing, everybody is definitely interested in security when it comes to cloud?
TM: Sure. Well, the basic ideas behind FedRAMP are quite straightforward. First, ensure government wide systems and services have adequate information security. Second, eliminate the duplication of effort and risk management costs. And third, make the procurement of government wide information systems and services more efficient and cost effective. Most times when you hear about or read about FedRAMP, it will actually be a reference to an umbrella over three entities, which include the various security requirements authorities, the joint authorization board, and the FedRAMP office itself. The security requirement authorities are responsible for creating the government wide security baselines for specific domains.
A perfect example of that is the Federal Cloud Initiative. The joint authorization board is the group of authorizing officials who perform the joint authorizations that are then leveraged by the other agencies. This board consists of the sponsoring agency as well as three permanent members, the Department of Defense, the Department of Homeland Security, and the General Services Administration or GSA. The FedRAMP office itself is managed by the GSA with liaisons from NIST and OMB, and performs program management, security reviews, and continuous monitoring services for government wide use.
I'd also like to mention two other noteworthy assets of FedRAMP. First, FedRAMP will not require any new laws to implement, which means that it's going to be quite easy to put into place. And second, FedRAMP is not mandatory so agencies with unique needs are still free to define their own security requirements. It makes sense since ultimately agencies are always responsible for securing their systems. In fact, even after FedRAMP is fully functioning, I expect that there's going to be a list of security controls that can't ever be done government wide and they will always be the responsibility of the respective agency.
PS: It sounds like FedRAMP, if it's going to be successful, is going to have huge implications on how people access and use the cloud. Is that correct?
TM: Absolutely, Peter. Your observation is spot on. Ultimately, FedRAMP is about achieving two main goals. The first goal is to aggregate cloud computing standards. Today, each agency has its set of standards, which complicates procurement and it frustrates federally focused technology vendors. FedRAMP is intended to consolidate the cloud computing requirements into one set of consistent and uniform standards that span the entire federal government.
The second goal is to ease the cloud certification process, particularly as it relates to FISMA. And as you noted in your question, Peter, if FedRAMP is successful in its goals, the implications will be substantial and precedent setting. The General Services Administration, for example, could accredit a cloud computing provider such as Microsoft or Google and other agencies could piggyback on that authorization instead of each agency having to go back and do a complete reauthorization for their own purposes, which is the situation today.
Everybody, including the fed, understands that the economic benefits of cloud computing simply cannot be realized if every agency has to independently review and certify solutions. The current fragmented model is just too redundant, time consuming, and costly. And we're not talking about small numbers either. For example, what if I told you that over the last six years the Department of State has spent about $133 million creating 95,000 pages of security documentation? That's a lot of money. Now how much of this money could have been saved and how much of the work could have been avoided? My educated guess is a lot.
PS: And now, NIST seems to be taking a leading role in helping agencies build trust in cloud computing. Can you elaborate a bit on NIST?
TM: Sure. As you know, NIST's primary role has been to promote the effective and secure use of cloud computing within the government and the industry by providing technical guidance and related standards. To that end, they provided us with one of the most comprehensive definitions of cloud computing and some pretty good guidance on effectively and securely using cloud computing. Actually, Peter, your question is very timely, as NIST just hosted a cloud summit a week ago with representatives from both government agencies and the private sector. The intent of the summit was simple: jumpstart the process of developing data interoperability, portability, and security standards for cloud computing that can be acquired across all agencies.
NIST is primarily focused on three main areas: setting standards, issuing guidance via special publications, and leading a unified, consistent risk management framework for cloud services. Now we already talked about FedRAMP quite a bit, so let's focus on standards and special publications. I think we all agree that we're not going to have wide scale government adoption of clouds without standards. NIST is now leading that effort with a new initiative called Standards Acceleration to Jumpstart Adoption of Cloud Computing or SAJACC. To the world, SAJACC will be a publicly accessible portal that facilitates the collaborative development of cloud computing standards and will host technical use cases, documented interfaces, reference implementations, and test results.
The special publications in turn will provide best practice based guidance on implementing the standards developed in SAJACC and other related issues such as secure server virtualization and applying FISMA and 800-53 controls to cloud computing. As you can see, NIST has a lot going on and it's central to a successful adoption of cloud computing in the federal government.
PS: Indeed, and it sounds like the federal government is getting its cloud act together. Now looking ahead, what do you see for cloud computing in the federal government?
TM: Well, I think it's clear by now that the federal government is very interested in clouds. And it's no surprise either when we hear numbers such as 1,200 data centers, 6 billion kilowatt hours of energy being used at a cost of over $450 million, and estimates of 12 billion kilowatt hours of energy being used by 2011, which will be close to a billion dollars worth of energy. Now these are pretty big numbers to throw around lightly. And given those numbers, it's no surprise that clouds figure prominently in the 2011 budget, where President Obama has earmarked $35 million to fund cloud computing programs and other IT initiatives and another $70 million for NIST to develop cloud related standards. We just talked about all the initiatives NIST has going on, such as SAJACC and FedRAMP.
Now, if you recall, in our very first podcast, I talked about several cloud initiatives. The Federal CIO Council, led by Vivek Kundra, has recently documented in detail about 16 case studies of different agencies using cloud computing to gain significant efficiencies. Some examples include the Department of Health and Human Services using clouds to support electronic health records, the Department of the Interior using clouds for agency wide e-mail, saving about 30%, and my favorite, NASA's Be A Martian website on the Microsoft Azure platform. That has been a huge success, with over 250,000 very cool pictures of Mars. Honestly, we're just at the tip of the iceberg, so hold on tight and stay tuned for a lot more action in the coming years.