There has been a lot of talk about the US government’s adoption of the cloud since the Administration changed a couple of years ago. It is driven by the massive spend in the fed IT budget (> $70B a year!) and some key initiatives that clearly date the current federal IT platform … "it's time for a change" … pardon the pun. But this isn't exactly new thinking. The UK has had the G-Cloud as part of the Digital Britain initiative. In fact, the UK also has a pretty amazing IT budget of 15B pounds (24B dollars).
It’s interesting to watch the evolution of cloud thinking in the Administration, with several agencies taking on the challenge. DISA has been driving the adoption in the DoD with the Rapid Access Computing Environment (RACE), and more recently with initiatives like forge.mil. NASA has Nebula, which is in the process of transitioning from an internal IT project to a pre-release platform available agency-wide, and of course there is the GSA's IaaS initiative, awarded to 11 teams just a couple of weeks ago. GSA IaaS will become the commercial platform to deliver cloud services to the government.
Carpathia Hosting is thrilled to be part of two of the eleven teams receiving the initial awards. The vision for GSA is that government customers will simply be able to visit apps.gov and purchase cloud services in just the same way they would procure a mailbox or gain access to a SaaS application. The award has been split into three lots covering storage, web hosting and infrastructure. In fact, there is already a landing page: https://apps.gov/cloud/advantage/cloud/category_home.do?BV_UseBVCookie=Yes&c=IA
The award is just the start. The eleven teams must now meet the requirements of FedRAMP, focusing on a moderate impact system.
FedRAMP was also a big news story in the last couple of weeks. Today’s C&A process - be it DIACAP or FISMA - is very system-centric. Each system must complete a process resulting in an authority to operate (ATO) being issued. Every year a “lighter” version of the process is repeated to ensure continued compliance.
FedRAMP has two admirable goals at its core. The first is the idea that a platform - in this case an approved cloud - can gain accreditation. In theory, this enables a fast-track approach by which the systems deployed on the cloud can also receive accreditation (although the specifics of this are still a little hazy). The second is to make compliance a continuous process vs. an annual event.
After spending some quality time with the FedRAMP draft issued this week, it's pretty clear there is an ongoing struggle between “old school”, where it’s possible to wrap your arms around something cleanly, and “new school”, where consuming infrastructure on demand and disposing of it just as easily is commonplace. While there are several cases where the cloud “twitterrati” slam the standard, I'm looking at this in a different way. The glass is half full for me. NIST 800-53 barely makes reference to virtualization, let alone shared delivery platforms. FedRAMP is a genuine step in the right direction.
As Vivek Kundra requests in his introduction, I'm very much looking forward to providing a "robust debate on the best path forward".