Cloud utilization in the private sector is firmly entrenched -- the first cloud computing provider, Amazon Web Services (AWS), launched thirteen years ago -- yet government cloud adoption has lagged behind due to extensive requirements for vendor assessment and authorization (A&A) to ensure that vendors and products have adequate information security and risk management processes. Fortunately, a joint effort between the US Chief Information Officer and the US General Services Administration (GSA) has given government employees and decision makers FedRAMP (the Federal Risk and Authorization Management Program).
The FedRAMP website provides a standardized approach to A&A, and publishes a list of compliant and authorized vendors and services; the vendors have undergone extensive technical and security reviews, completed audits conducted by accredited third-party assessors (3PAOs), and been granted authorizations to operate (ATOs). As a federal initiative, FedRAMP is an easier target for vendors to comply with than the standards of individual states, which generally have less stringent A&A requirements than the Federal Information Security Management Act of 2002 (FISMA). Even so, when handling privileged information in the capacity of government operations, an abundance of caution in security is preferable -- as such, FedRAMP compliance should be more than adequate for state or municipality level requirements.
Looking through the list of top cloud providers for government, you'll notice something about the cloud products government agencies are using: They're the same applications hosting commercial data.
The differences between cloud-based platforms certified for government use and those in the commercial world are minimal -- it's what's going on behind the scenes that matters for government users. AWS, Salesforce, IBM, and the rest offer government products based on enhanced security needs in government computing.
The benefits for government agencies using industry cloud are largely the same as they are for commercial businesses: reduced computing hardware needs, standardized software, and improved collaboration.
FedRAMP-compliant cloud vendors and services
From the current list of compliant and authorized vendors and services, these major cloud providers have a longstanding reputation for trustworthiness and competence in the private sector. These products for the government cloud sector offer similar services that are tailor-made for government use.
Amazon has obtained FedRAMP authorization for the most popular AWS offerings, including EC2, S3, Elastic Block Store, Virtual Private Cloud, and Identity and Access Management; other AWS services can be reviewed on an individual basis for other authorizations. Amazon notes that GovCloud facilities are accessible only by US citizens, and support FIPS 140-2 compliant endpoints. (An aside: The GovCloud US region uses only carbon-free power.)
Microsoft Office 365 Government and Azure Government
Microsoft's Office 365 and Azure Government are FedRAMP authorized, and provide the familiar Office applications that have been firmly entrenched in government and private sector work for decades.
IBM SmartCloud for Government
IBM's SmartCloud for Government services allow for easier collaboration and communication, with mail services including encryption and BlackBerry-specific support, and collaborative document creation. IBM SmartCloud allows for the integration of various other cloud-enabled IBM or Lotus solutions.
Salesforce Government Cloud
Since its approval in 2014, Salesforce has taken the government computing world by storm. Salesforce is one of the most popular platforms on the FedRAMP market, and is used by everyone from the Department of Defense to the Bureau of Engraving and Printing.
Huddle is a cloud collaboration platform that has integrations with Microsoft Office, and includes a variety of other solutions and integrations with third-party programs. Huddle is used by various UK-based governmental organizations, including the Ministry of Justice and the Commonwealth Secretariat.
Cloud systems working on becoming FedRAMP compliant
Many solutions available from cloud providers are still in the process of obtaining FedRAMP authorization. Others, including OneLogin, Sumo Logic, and Snowflake Computing, are working with FedRAMP to prepare for compliance. Compliance checking for open-source packages is also a future possibility, although none are presently undergoing an evaluation.
Be cautious when choosing cloud vendors
The corporate culture of organizations whose core competency is contracting rather than technology can be an encumbrance to a cloud deployment. The Canadian CGI Federal, for example, which was responsible for the botched launch of the HealthCare.gov platform, has been criticized by commentators for excessive charges for solutions that do not work as specified. Tech vendors expanding into government contracting and government contractors expanding into technology are two remarkably dissimilar categories.
At the same time, tech firms are not always the picture of scrupulousness. In a peculiar situation, Microsoft sued the state of Iowa for awarding a cloud services contract to Google-aligned Tempus Nova, instead of Planet Technologies, which uses Microsoft software. Tempus Nova underbid Planet Technologies by $5.1 million. Microsoft claims some requirements were waived for Tempus Nova that may have impacted the bid.
The FedRAMP website offers a wealth of resources for government buyers and team leaders to make good choices. The site is organized so that you can see which particular modules in a given suite are authorized, see who else in the US government is using it, and get a link to the vendor's website to learn more.
It's safe to assume that none of the vendors and cloud platforms listed here and on the approved list are security risks, so that shouldn't be a concern when shopping for the right choice. What government decision-makers need to plan for is to avoid wasting time or money on the wrong product or service.
Editor's note: This article was updated by Brandon Vigliarolo on July 25, 2019.