The General Services Administration is supposed to be the leader guiding agencies’ adoption of cloud computing. But some agencies have gone elsewhere for cloud services.
One reason is GSA was delayed in launching a governmentwide contract for cloud email until last month. Another reason is GSA has been slow in verifying that awardees on an earlier contract have information systems that meet federal security standards.
The Consumer Financial Protection Bureau, the Energy Department’s Lawrence Berkeley National Laboratory, the Agriculture and Interior departments, and others have contracted directly with vendors or agencies for cloud services. And they project millions of dollars in annual savings.
Agencies are under pressure from the Office of Management and Budget to identify information technology services that can be moved to the cloud. They are “responding with agency-by-agency procurements,” said David Bodenheimer, a partner with law firm Crowell & Moring’s government contracts group. “It tells us that GSA ... services are available but apparently are not fitting the agency needs either in terms of scope or availability or timing.”
In anticipation of the administration’s IT reform plan released in December 2010, then-federal chief information officer Vivek Kundra in 2009 asked GSA to create the Federal Cloud Computing Initiative Program Management Office. The GSA office was charged with speeding cloud adoption across government by identifying and addressing obstacles.
In addition, GSA was tasked with launching contract vehicles for secure cloud storage, web hosting and other IT infrastructure services in the cloud. GSA awarded a five-year, $76.5 million contract in 2010 to 12 vendors.
Seven agencies, including the Department of Homeland Security, have made awards on the Infrastructure-as-a-Service blanket purchase agreement to date, said Mark Day, director of GSA’s Office of Strategic Programs. Total business across state, federal and local governments is more than $44 million, but it isn’t clear how much of that is attributed to federal agencies. Day said the current level of business is within GSA’s expectations.
“We know there is much work to be done to help government tap into [the] cloud’s true transformative potential, and GSA’s goal is to ensure that the options we put forward receive prime consideration because of the value they provide,” Day said.
Zachary Brown, chief information security officer at the Consumer Financial Protection Bureau, said the bureau’s adoption of cloud services for storage, file sharing and long-term archiving predated GSA’s cloud contracts. Brown said he would consider using GSA contracts for future cloud migrations, but most of the vendors have not passed the mandatory security assessment process.
Only five of the dozen vendors on GSA’s Infrastructure-as-a-Service (IaaS) contract have received a so-called Authority to Operate, or ATO, from GSA. An ATO indicates that a vendor’s information system has appropriate safeguards for storing government data, according to GSA.
“We’re not going to do business with anyone that doesn’t have an ATO,” Brown said.
As of last week, Apptis, AT&T, Autonomic Resources, CGI Federal and Verizon Federal were the only IaaS contractors with ATOs, GSA said. An ATO is required before a vendor can start work under the GSA contract, which in this case narrows agencies’ options.
But this has been a boon for the companies that have passed GSA’s security reviews.
For CGI Federal, most of its cloud business comes through GSA’s cloud infrastructure contract as opposed to direct contracts with agencies, said James Pyon, vice president of emerging markets at CGI.
Awardees that have not received ATOs can undergo similar security assessments under the Federal Risk and Authorization Management Program (FedRAMP), a GSA initiative launched in June to spare agencies from duplicating assessments for the same cloud products and services.
“It would be easy to see FedRAMP as a new additional hurdle that agencies have to get through to go to cloud services, but that’s not how it should play out,” said Keren Cummins, director of federal and mid-Atlantic programs for security solutions firm nCircle, which provides some cloud-based solutions. “At the end of the day, FedRAMP should shorten the effort to get to the cloud.”
By June 2014, all cloud services and products in use at federal agencies or in an active acquisition process must meet FedRAMP requirements. Agencies can now use these standard guidelines to vet the security of their own contractors, or wait for FedRAMP reviews to be completed.
John Keese, president of Autonomic Resources, which was awarded spots on both GSA cloud contracts, questioned whether current awardees would make it through FedRAMP, considering they’ve failed to meet GSA standards.
GSA also has had challenges with certifying the security of vendors it hires for GSA work, according to a July Government Accountability Office report.
One issue has been that cloud vendors must certify that any infrastructure used to support their federal cloud business meets government standards. It took GSA more than a year to certify more than 200 Google employees and thousands of servers before GSA would use Google for its internal cloud email service, GAO said.
“I don’t think most [cloud] providers understood what the security process was going to entail,” Keese said.
A GSA inspector general’s audit in June raised concerns that GSA’s cloud infrastructure contract did not provide agencies the best value, among other issues.
“While we recognize that GSA views bringing cloud solutions to the federal marketplace as a priority, this should not come at the expense of sound contracting practices,” the audit said.
The audit found, for example, a lack of collaboration between contract evaluation teams. Two vendors awarded contracts for identical work showed a 55 percent price difference. As a result, some agencies may pay different prices for identical items.
GSA’s $2.5 billion contract awarded to 17 vendors last month for cloud email has also had its challenges.
“There were pre-solicitation protests in late 2011 that extended the procurement timeline,” Day said. These companies will also have to undergo security assessments through FedRAMP.
The administration is expecting big business on the contract.
Last April, Kundra said the contract would help some 15 agencies that had identified 950,000 email accounts, across 100 email systems, to move to the cloud.
But during the contract delay, some agencies moved ahead with their own email contracts. The Agriculture Department, for example, expects to save $6 million annually since moving its email boxes to Microsoft’s cloud solution last year.
Day expects GSA’s contract prices will be an attractive option for agencies once their current cloud contracts expire.
Smaller entities, such as national laboratories, are exploring options for services not available on GSA’s cloud contracts.
“GSA works much better with the large agencies,” said Rosio Alvarez, CIO at Lawrence Berkeley National Lab. “When you’re smaller ... you have a lot more flexibility and agility to move faster and more independently.”
Alvarez said a handful of labs are considering joining forces to negotiate better pricing for a human resources cloud service.
“It’s a very unstructured landscape right now,” she said. “People are using a variety of vehicles to get the best arrangements with cloud providers.”