When it comes to moving the government’s computer operations to the cloud, the heavy lifting falls to the General Services Administration’s Katie Lewin and her staff of 14 contractor and federal employees.
Her office, tucked away in GSA’s Office of Citizen Services and Innovative Technologies, is tasked with identifying and addressing obstacles to governmentwide cloud adoption.
“I wish I had a few more government people, but the fact that we are small and agile has helped us move quickly,” Lewin said in an interview.
Her office — called the Federal Cloud Computing Initiative Program Management Office — is developing a new program, launched this month, that will review companies’ compliance with cloud computing security standards. It is called the Federal Risk Authorization Management Program (FedRAMP).
Lewin’s office wrote the technical specifications for GSA’s Infrastructure-as-a-Service contract, which offers cloud-based storage, virtual machines and Web hosting, and for the upcoming Email-as-a-Service contract, which will provide cloud-based email, electronic records management and other services once awarded this summer.
The office has also provided other tools to help agencies meet the administration’s Cloud First mandate, which requires agencies to use cloud technologies when a reliable and cost-effective solution exists.
“We don’t have any enforcement standing, but we have assisted agencies in trying to provide ways that they can comply,” Lewin said. The program office provides online resources and shares success stories about agencies, such as the National Oceanic and Atmospheric Administration, that have adopted cloud computing for services like email.
GSA also manages Apps.gov, an online storefront where agencies can choose from more than 3,000 cloud-based products and services.
Lewin said most agencies have moved at least one or two services to the cloud in response to the Office of Management and Budget’s June deadline to move three services in the cloud. Federal CIO Steven VanRoekel said “agencies have made great progress” but did not provide details on whether they are meeting OMB mandates.
OMB is “the lead, but we are the legs,” Lewin said.
Lewin’s office was created in April 2009 at the request of then-federal CIO Vivek Kundra to help speed cloud adoption. The program office doesn’t have firm numbers on how many agencies have used its resources, but with the launch of FedRAMP, the administration will gain a firm grasp on the program’s impact.
FedRAMP’s success will be based on several factors:
How many cloud service providers apply for FedRAMP reviews.
The number of additional reviews conducted by a board of department chief information officers.
How many agencies opt to build on the security reviews conducted by the board.
Lewin said the goal is for two or three companies to undergo the FedRAMP process and receive approval from the board by year’s end.
The numbers are low, “but that doesn’t mean we have low ambitions,” she said about FedRAMP goals. It’s hard to set numeric goals when launching a program for the first time. FedRAMP has to prove its worth as it evolves into a fully operational program, she said.
Cloud computing initiatives, such as FedRAMP, are largely funded with e-government dollars, which have been the target of congressional appropriators. GSA received $2.74 million last fiscal year for the cloud computing program office and $3.5 million this year.
Vendors have questioned whether FedRAMP will be able to efficiently approve their cloud products and services.
Last month, GSA awarded a one-year, $830,000 contract to Virginia-based Noblis to serve as an information system security officer and the main point of contact for vendors and sponsoring agencies during FedRAMP assessments. The company gives vendors feedback on implementing FedRAMP security requirements, creating required documentation and performing security testing. The contract has two option years and a ceiling of $2.2 million.
Lewin said educating agencies and the acquisition community about cloud technology will continue to be a priority. She wants to make the cloud case studies more detailed and wants to provide more recent examples. Ideally, agencies would be able to find cloud scenarios based on their needs and to contact appropriate agency officials.
Much work remains to be done, vendors say.
“We’ve gone beyond the tipping point,” of cloud adoption, said Chris Niehaus, director of Microsoft’s Office of Civic Innovation. “No agency today can afford to just keep doing the status quo.”
Although OMB is pushing agencies hard to move more operations to the cloud, there are no metrics to define success, such as numbers or types of legacy applications that are shut down after moving to the cloud, said Nick Combs, chief technology officer of cloud provider EMC’s federal division. Many agencies label applications and services as cloud-based to show they are meeting OMB mandates and to protect their budgets.
“The problem is we are not transforming our IT,” he said. “We are still doing it the same way we were four years ago.”