Today is the deadline for U.S. federal government agencies and companies that provide cloud services to them to become compliant with a uniform set of security requirements called the Federal Risk and Authorization Management Program, or FedRAMP. The program is one of the biggest attempts by the government to streamline procurement of cloud services by its agencies.
It has been about three years since former federal CIO Vivek Kundra rolled out his Cloud First initiative, establishing a policy that required agencies to consider cloud as a way to deploy an application before considering any other deployment options. Cloud First was part of Kundra’s efforts to optimize federal IT infrastructure to make it more efficient.
But agencies have been slow to adopt cloud services over these past three years. Responding to a survey by IT services giant Accenture, about 70 percent of agency representatives said their cloud efforts were sluggish because they lacked the necessary staffing, and the rest attributed slow cloud take-up to lengthy procurement processes.
FedRAMP was created to address these issues. Agencies can pick from a list of pre-screened providers and services and deploy applications in the cloud without having to figure out whether the services meet their security requirements.
So far, a total of 16 service offerings by 11 providers have been certified as FedRAMP-compliant. They include Infrastructure-as-a-Service by the likes of Amazon Web Services, Microsoft, HP and IBM, three Software-as-a-Service offerings and two Platform-as-a-Service products (one by Microsoft and the other by Oracle).
Non-compliance unavoidable for many
Brian Burns, cloud division director at Agile Defense, a system integrator that helps federal agencies use cloud services, said that while most agencies were running applications within FedRAMP-compliant clouds, many would find themselves non-compliant as today’s deadline passed. Many of them host their own applications and have not gone through the FedRAMP authorization process, while others still have on-going long-term service contracts with non-compliant providers.
FedRAMP has a provision that enables agencies using non-compliant hosting companies to seek waivers, but each such request will be reviewed by a special board, and there are no guarantees that the board will approve it. One of the worst consequences of non-compliance for an agency would be a requirement to move applications from a non-compliant service into a compliant one. “You’re going to have to tear that application down, move it to a new cloud and start all over,” Burns said.
Amazon leading in government IaaS
Providing cloud services to federal agencies is a sizable opportunity for companies. Total U.S. government cloud budget for 2015 is $3 billion, according to slides from a presentation Office of Management and Budget’s Scott Renda made at the FOSE conference in Washington, D.C., in May. That figure, by the way, represents less than five percent of the total government IT budget, according to Renda.
About half of the cloud budget will be spent on Software-as-a-Service offerings; about 20 percent will be spent on Platform-as-a-Service, and about 30 percent on Infrastructure-as-a-Service.
So far, Amazon Web Services gets most of the government IaaS action, Burns said. The company owes that success primarily to its legacy as a pioneer in providing raw cloud-based infrastructure. “Amazon has more [government] customers than any cloud service provider,” he said. “They’re like the Kleenex brand. Everyone knows the name.”
VMware may threaten Amazon’s lead
Amazon’s existing FedRAMP-certified IaaS rivals are AT&T, HP, IBM, Lockheed Martin and Microsoft. Burns does not think any of them pose a significant threat to the dominance of AWS. There is, however, a rival in the pipeline that may become a problem for Amazon, and its name is VMware.
The Palo Alto, California, superstar of the enterprise IT space, has partnered with Carpathia Hosting in pursuing FedRAMP certification, which Burns expects them to receive this fall. “The big thing that’s going to cause some problems for Amazon is that VMware is a very trusted brand within the federal government,” he said. “Their technology works extremely well.”
VMware’s vCloud Government Service promises agencies a completely painless integration of their existing in-house VMware environments with cloud infrastructure in Carpathia data centers. As Burns described it, the service can add VMware cloud as just another node on the agency’s network, extending its existing policies to the cloud environment seamlessly.
Amazon simply cannot offer such an easy path to hybrid cloud, since its Citrix-based cloud is not compatible with VMware’s proprietary technology. The VMware threat is also not limited to VMware, the cloud service provider. Other providers, including Lockheed Martin and Verizon Terremark, also use VMware technology for their cloud services, Burns said.
Lack of variety no longer an excuse
Even with VMware’s government cloud still in the pipeline, agencies that have used lack of choice of providers as a reason for buying non-FedRAMP services no longer have that excuse. With 11 providers certified and offering a variety of solutions, justifying non-compliance will be a heavy burden for them, Burns said. “It really is on the agencies now to make the shift and move into one of those clouds.”