Cloud utilization in the private sector is firmly entrenched -- the first cloud provider, Amazon Web Services (AWS), launched nine years ago -- yet government adoption has lagged behind due to extensive requirements for vendor assessment and authorization (A&A) to ensure that vendors and products have adequate information security and risk management processes. Fortunately, the labors of that process are now handled by a new initiative from the US Chief Information Officer and the US General Services Administration (GSA) named FedRAMP (the Federal Risk and Authorization Management Program).
The FedRAMP website provides a standardized approach to A&A, and publishes a list of compliant and authorized vendors and services; the vendors have undergone extensive technical reviews, completed audits conducted by accredited third-party assessors (3PAOs), and been granted authorizations to operate (ATOs). As a federal initiative, FedRAMP is an easier target for vendors to comply with than standards for individual states, which generally have less stringent A&A requirements than the Federal Information Security Management Act of 2002 (FISMA). Even so, when handling privileged information in the capacity of government operations, an abundance of caution in security is preferable; as such, FedRAMP compliance should be more than adequate for state or municipality level requirements.
FedRAMP-compliant vendors and services
From the current list of compliant and authorized vendors and services, these vendors have a longstanding reputation of trustworthiness and competency in the private sector, as well as solutions tailored to the needs of government users.
Amazon has obtained FedRAMP authorization for the most popular AWS offerings, including EC2, S3, Elastic Block Storage, Virtual Private Cloud, and Identity and Access Management; other AWS services can be reviewed on an individual basis for other authorizations. Best and supports FIPS 140-2 compliant end points. (An aside: The GovCloud US region uses only carbon-free power.)
HP cloud services for the public sector
HP's Fortify and Helion services are available in a variety of configurations including managed private clouds that, notably, have a provisional ATO from the CIOs of the Department of Homeland Security (DHS), Department of Defense (DoD), and GSA in addition to the technical review and third-party assessment that Amazon and has completed. Helion allows for the deployment of any Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS), and is not restricted to vendor-developed solutions, like Office 365, though the two can be used together effectively.
Microsoft Office 365 Government and Azure Active Directory
Microsoft's Office 365 Government and Azure Active Directory are FedRAMP authorized, and provide the familiar Office applications that have been firmly entrenched in government and private sector work for decades.
IBM SmartCloud for government
IBM's SmartCloud services allow for eased collaboration and communication, with mail services including encryption and BlackBerry-specific support and collaborative document creation. IBM SmartCloud allows for the integration of various other cloud-enabled IBM or Lotus solutions.
The newest company to achieve FedRAMP authorization is Huddle, a cloud collaboration platform that has integrations with Microsoft Office, and includes a variety of other solutions and integrations with third-party programs. Huddle is used by various UK-based governmental organizations, including the Ministry of Justice and the Commonwealth Secretariat.
Future compliant systems
As this initiative is a relatively recent one, many solutions available from cloud providers are still in the process of obtaining FedRAMP authorization. Others, including CenturyLink Cloud, Dell Services Federal Government, and IBM Fiberlink MaaS360, are working with FedRAMP to receive a provisional ATO. Compliance checking for open-source packages is also a future possibility, though none are presently undergoing an evaluation.
Exercising care in vendor selection
The corporate culture of companies whose core competency is contracting -- not technology -- can be an encumbrance to a cloud deployment. Companies such as the Canadian CGI Federal, the organization responsible for the botched launch of the HealthCare.gov platform, have been criticized by commentators for excessive charges for solutions that do not work as specified. Tech vendors expanding into government contracting and government contractors expanding into technology are two remarkably dissimilar categories.
At the same time, tech firms are not always the picture of scrupulousness. In a peculiar situation, Microsoft is suing the state of Iowa for awarding a cloud services contract to Google-aligned Tempus Nova, instead of Planet Technologies, which uses Microsoft software. Tempus Nova underbid Planet Technologies by $5.1 million. Microsoft claims some requirements were waived for Tempus Nova that may have impacted the bid.
Finding a vendor that properly meets the needs of your organization and has a track record of success in similar deployments is a process that should be given ample time and careful consideration. A poorly managed cloud migration can cause issues across an organization, resulting in wasted money and sprawling inefficiencies.