It’s almost impossible to talk about a federal agency’s mission over the course of the past year without the conversation quickly turning to its use of cloud computing. With the federal government moving past the introductory stages of cloud, it spent 2014 refining how cloud is used within the government and how agencies can acquire it quicker and cheaper than ever.
There is no better example of how much the government has become comfortable with the cloud than the CIA’s $600 million deal with Amazon Web Services, which went live this summer. The cloud will serve all 17 agencies that make up the U.S. intelligence community, offering all the perks of commercial cloud behind the CIA’s fence line. The CIA seems to have liked the offering so much that it announced a classified marketplace will be integrated into the system.
In other corners of the military, the Defense Information Systems Agency also reconfigured its cloud strategy, with DISA CIO David Bennett telling people at an August industry day he plans to “not rule out anything” with how the military adopts new instances of the cloud.
On the civilian side, the Federal Risk and Authorization Management Program (FedRAMP) spent the year refining its processes, providing cloud computing companies an easier track for government certification. Earlier this year, then-FedRAMP Director Maria Roat called the “Revision 4” security baseline a huge lift and talked about moving toward a continuous monitoring security model.
In October, the program debuted FedRAMP Ready, which was touted as a way for CSPs to gain federal authorization faster than ever before. “Agencies can use this documentation to initiate an assessment and authorize these systems in a faster time than starting from scratch,” Acting Director Matt Goodrich said in October.
This process is part of a two-year plan Goodrich outlined in October, which focuses on three core efforts: increasing cloud adoption and compliance, improving efficiencies in the approval system and continuing to adapt to changing technology. The first part of that effort seems to be a sore spot for FedRAMP; Goodrich said during a meeting with the National Institute of Standards and Technology’s Information Security and Privacy Advisory Board that only 25 to 40 percent of those cloud service providers are FedRAMP compliant.
If FedRAMP looks to 2015 as the year where it can raise those compliance numbers, it’s going to need some help. At the NIST meeting, Goodrich said his program management office’s workload is “50 percent over capacity,” currently working with 10 to 12 cloud service providers so they can earn authority to operate.
Top Story of 2014
By Greg Otto · Wednesday, Nov. 12, 2014 · 3:29 p.m.