Many U.S. Agency for International Development workers are using iPads--a fact that recently drew the ire of Secretary of State Hillary Clinton when she sat next to a USAID official on a plane, said Jerry Horton, chief information officer at USAID. Horton spoke April 7 at a cloud computing forum at the National Institute of Standards and Technology in Gaithersburg, Md.

Clinton wanted to know why a USAID official could have an iPad while State Department officials still can't. The secret, apparently, lies in the extensive use of waivers. It's "hard to dot all the Is and cross all the Ts," Horton said, admitting that not all USAID networked devices are formally certified and accredited under Federal Information Security Management Act. 

"We are not DHS. We are not DoD," he said.

While the State Department requires high-risk cybersecurity, USAID's requirements are much lower, said Horton. "And for what is high-security it better be on SIPR."

Horton also said his agency doesn't feel bound to "CONUS support," referring to the data sovereignty issues some agencies face. If USAID workers are in Afghanistan, it makes much more sense for them to use mobile devices that touch servers in Doha rather than servers in the United States, he explained.

Agency CIOs present at the event also discussed barriers to cloud computing. "For the most part it wasn't the technology and standards that's given us problems," said Rob Vietmeyer, of Defense Networks and Information Integration.

"The biggest challenge that I think we're facing now, culturally, is actually the migration from system development to providing a service," said Vietmeyer. "So we have [the DoD] 5000 that tells us what to do, with all these governance processes that say ‘here's how we go buy these systems.' And what we're finding is that it completely fails to work in terms of meeting the needs of a service provider, consumer, cloud sort of environment."

Government is inherently risk averse and that's especially true when it comes to cloud computing service delivery models, said Simon Szykman, CIO at the Commerce Department. From a risk management perspective, the majority of government IT systems could be moved out to the cloud right now, said Szykman.

Agencies should realize that just because their systems are owned and operated by the government doesn't mean that they're currently secure, he said. Therefore, moving those systems to the cloud doesn't make them inherently less secure, said Szykman.

Related Articles: 
NIST, GSA: Real cloud guidance by fall 2011
FedRAMP officials reach consensus on controls, says Bhagowalia 
Kundra: Cloud computing data sovereignty a matter for 'international law'  
EPA taps three applications for cloud migration 
Davie: Cloud computing myths untrue