DHS working with FedRAMP, CIO Council to boost agency use of cloud computing services


A Homeland Security Department official testified Sept. 22 that the department is stepping up efforts to help federal civilian agencies increase their use of cloud computing services beyond just email and website management collaboration tools.

Mark Kneidinger, who is the federal network resilience director within DHS's cybersecurity and communications office, said the department is currently working with the Federal Risk and Authorization Management Program, or FedRAMP, and the Federal Chief Information Officers Council on two activities to help agencies move mission-critical legacy applications into the cloud so they can save money, become more efficient and enhance security.

With FedRAMP and several agencies, DHS is developing recommendations for additional security controls to establish a "high confidentiality, high integrity, high availability in cloud environments," he said during a congressional hearing in San Antonio on cloud adoption by agencies.

This cloud environment will provide Continuous Diagnostics and Mitigation, or CDM, services to agencies within the cloud. The CDM program provides tools and services to help agencies identify network security issues and prioritize their mitigation.

Additionally, Kneidinger said DHS is working with the Federal CIO Council and several agencies to identify common elements of legacy applications used across government that could be stood up in a cloud environment. This would permit agencies that move legacy apps to the cloud to reference common capabilities rather than duplicate development of similar tools.

Kneidinger was one of several witnesses testifying before the House Oversight and Government Reform subcommittee on information technology about the tepid use of cloud services by agencies five years after the federal program was established.

In his opening statement, Rep. Will Hurd (R-Texas), who chairs the committee, cited a September 2014 report from the Government Accountability Office that found that seven major agencies, including DHS, Health and Human Services and Treasury departments, among others, collectively doubled the percentage of their IT budgets for cloud computing services from 1 to 2 percent from fiscal years 2012 to 2014.

That's because a large amount of agency spending is focused on maintaining legacy systems, he said, adding that 80 percent of the $80 billion federal IT budget is earmarked for those older systems.

"In 2015, many agencies are still using cloud computing similar to 2010," confirmed Kneidinger, who said, along with some other witnesses, that part of the reason why agencies aren't moving more mission-critical apps into the cloud is culture and security.

"It's a perspective of wanting to know where their systems are," he said. "Now the early migration from the focus of IT commodity was a little bit easier to move off. But, from the application side, the ownership is still a concern." 

In 2010, when the cloud-first policy was issued, agencies assumed that cloud providers would provide a majority of certain services, lessening the responsibility for agencies. But that wasn't the case, and agencies need to develop a true partnership with cloud service providers to gain additional trust, which means crafting contracts with clear roles and responsibilities.

"So we're making gains along that line, but it is a cultural shift, it's an awareness shift," he said. "It's also, I would say, a trust shift from a contract perspective because there's been a number of contracts that did not go well and agencies are remembering those."

Witnesses also said that security will increase with a shift into the cloud. John Engates, who is chief technology officer for San Antonio-based Rackspace, said cloud providers like his operate on a large scale not just in terms of servers and technology provided but also the number of people who can manage and monitor security.

Mark Ryland, who is senior technologist with cloud provider Amazon Web Services, said the cloud isn't a panacea but the advantage is that agencies can reduce the surface area of concerns that security professionals have to worry about. Additionally, he said that agencies have a greater knowledge of their inventory of assets.

"If you don't know what you have, you can't control it," he said.

For more:
- view the House Oversight and Government Reform's information technology subcommittee hearing (includes downloadable testimony of witnesses)
