Amazon Web Services is the latest vendor to pass a rigorous security review for all federal cloud products and services.
So far, only CGI Federal and North Carolina-based Autonomic Resources have completed the Federal Risk and Authorization Management Program (FedRAMP). The governmentwide program was launched in June to standardize security reviews of commercial cloud products and is housed within the General Services Administration.
Under the FedRAMP program, Amazon was granted a provisional Authority to Operate (ATO) by the Health and Human Services Department. This means HHS has certified that Amazon’s GovCloud and regional cloud service offerings meet federal security standards, and the company’s services are authorized for use at HHS. FedRAMP is meant to let other agencies save time and money by reusing, or building on, the security review HHS has already done rather than repeating it.
More than 300 government agencies are currently using Amazon Web Services, Teresa Carlson, vice president of worldwide public sector, said in a statement.
By June 2014, all cloud services and products in use at federal agencies or in an active acquisition process must meet FedRAMP requirements.
Agencies are on the hook to publicly release more digital data in a way that protects citizens’ personal information and does not compromise government security.
One challenge, however, will be determining how that data could be combined with existing public data to identify an individual or pose other security risks to agencies, according to experts speaking at ACT-IAC’s annual Management of Change conference this week.
“The awareness is there, the concern is there, [but] the practice of it is relatively immature,” said Mike Howell, deputy program manager in the Office of the Program Manager of the Information Sharing Environment. “The policy framework around how you prevent inadvertent aggregation of personal identifiable information [and] sensitive information, it’s a known problem. It’s good that people are paying attention, but it becomes incumbent on whoever the aggregator is what they do with that information.”
Howell, whose office falls under the Office of the Director of National Intelligence, highlighted the administration’s recent Open Data policy that refers to this issue as the mosaic effect. The policy memo, released this month, directs agencies to:
Consider other publicly available data, in any medium and from any source, to determine whether some combination of existing data and the data intended to be publicly released could allow for the identification of an individual or pose another security concern.
The challenge for many agencies, however, is that they are struggling to understand what data they hold, let alone what data about the same people is already in the public domain.
According to the policy, “it is the responsibility of each agency to perform the necessary analysis and comply with all applicable laws, regulations, and policies. In some cases, this assessment may affect the amount, type, form, and detail of data released by agencies.”
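The analysis the memo calls for is a linkage check: join the planned release with a dataset that is already public on the fields both share (ZIP code, birth year, sex and similar quasi-identifiers) and see how many records come back with a single match. The script below is an added example, not code from the policy memo or from any agency; both datasets, the column names and the coarsening rule in `generalize` are constructed assumptions for illustration.

```python
"""Mosaic-effect check: can a planned data release be joined with an
already-public dataset to single out individuals?

Added example with constructed data. Column names, the sample rows and
the generalization rule are assumptions, not taken from the policy memo.
"""
from collections import defaultdict

# Planned release: de-identified case records, no names (constructed).
PLANNED_RELEASE = [
    {"case_id": "C1", "zip": "20001", "birth_year": 1971, "sex": "F", "diagnosis": "asthma"},
    {"case_id": "C2", "zip": "20001", "birth_year": 1971, "sex": "M", "diagnosis": "diabetes"},
    {"case_id": "C3", "zip": "20002", "birth_year": 1985, "sex": "F", "diagnosis": "migraine"},
    {"case_id": "C4", "zip": "20002", "birth_year": 1985, "sex": "F", "diagnosis": "hypertension"},
]

# Already-public dataset, e.g. a voter roll: names plus the same
# quasi-identifiers (constructed).
PUBLIC_ROLL = [
    {"name": "A. Smith", "zip": "20001", "birth_year": 1971, "sex": "F"},
    {"name": "B. Jones", "zip": "20001", "birth_year": 1971, "sex": "M"},
    {"name": "C. Lee",   "zip": "20002", "birth_year": 1985, "sex": "F"},
    {"name": "D. Park",  "zip": "20002", "birth_year": 1985, "sex": "F"},
    {"name": "E. Cruz",  "zip": "20003", "birth_year": 1990, "sex": "M"},
]

QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")   # fields both datasets share
GENERAL_KEYS = ("zip3", "birth_decade")            # keys after coarsening


def key_of(record, keys):
    return tuple(record[k] for k in keys)


def link(release, public, keys=QUASI_IDENTIFIERS):
    """Join release to public data on the quasi-identifiers.

    Returns {case_id: [names...]}; a one-element list means the case record
    is uniquely re-identified by combining the two datasets.
    """
    index = defaultdict(list)
    for row in public:
        index[key_of(row, keys)].append(row["name"])
    return {row["case_id"]: list(index.get(key_of(row, keys), [])) for row in release}


def uniquely_identified(release, public, keys=QUASI_IDENTIFIERS):
    """Case IDs whose quasi-identifiers match exactly one public record."""
    return sorted(cid for cid, names in link(release, public, keys).items() if len(names) == 1)


def min_k(release, keys=QUASI_IDENTIFIERS):
    """Smallest equivalence class in the release itself (its k-anonymity).

    k == 1 means some record is unique on its quasi-identifiers, so anyone
    holding a matching public dataset can single it out.
    """
    counts = defaultdict(int)
    for row in release:
        counts[key_of(row, keys)] += 1
    return min(counts.values())


def generalize(row):
    """One coarsening step (assumed rule): 3-digit ZIP, birth decade, drop sex."""
    out = {k: v for k, v in row.items() if k not in ("zip", "birth_year", "sex")}
    out["zip3"] = row["zip"][:3]
    out["birth_decade"] = row["birth_year"] // 10 * 10
    return out


def mosaic_report(release, public, keys=QUASI_IDENTIFIERS, k_required=2):
    """Both checks matter: k within the release bounds nothing about what an
    outside dataset can match, so the linkage result is reported alongside it."""
    unique = uniquely_identified(release, public, keys)
    k = min_k(release, keys)
    return {"min_k": k, "uniquely_identified": unique,
            "safe": k >= k_required and not unique}


if __name__ == "__main__":
    print("as planned:", mosaic_report(PLANNED_RELEASE, PUBLIC_ROLL))
    gen_release = [generalize(r) for r in PLANNED_RELEASE]
    gen_public = [generalize(r) for r in PUBLIC_ROLL]
    print("after generalization:", mosaic_report(gen_release, gen_public, GENERAL_KEYS))
```

As planned, cases C1 and C2 each match exactly one name on the public roll and the release has k = 1; after coarsening ZIP to three digits and birth year to a decade, every key covers at least two people on both sides and no case maps to a single name. The same report is worth re-running against every public dataset the agency knows of, since a release that is safe against one roll can still be unique against another.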
There’s a natural tension between releasing open data and securing it, said Donna Roy, an executive director in the Department of Homeland Security’s Information Sharing Environment Office.
Agencies have been instructed to:
- Collect or create only that information which is necessary for the proper performance of agency functions and has practical utility.
- Limit the collection or creation of information that identifies individuals to what is legally authorized and necessary for the proper performance of agency functions.
- Limit the sharing of information that identifies individuals or contains proprietary information to what is legally authorized.
The General Services Administration is moving forward with plans to stand up a cloud broker contract for acquiring and managing the performance of federal cloud services.
The Department of Homeland Security is one of two agencies that has committed to testing GSA’s cloud broker model in a pilot program expected to launch this fall, said GSA’s Mark Day. Speaking Monday at the annual Management of Change conference in Maryland, Day said GSA will award one contract to test the concept of a broker model and reevaluate the pilot by year’s end to determine how it could be expanded.
GSA has not yet defined all the services a cloud broker would provide, but the National Institute of Standards and Technology defines a cloud broker as “an entity that manages the use, performance and delivery of cloud services and negotiates relationships between cloud providers and cloud consumers.” Technology research firm Gartner defines cloud brokerage as a business model in which an entity adds value to one or more cloud services on behalf of one or more cloud users.
Some question whether the cloud broker model will add value or end up costing agencies more money. In a Feb. 14 letter to Rep. Doris Matsui, D-Calif., GSA’s Lisa Austin said the cloud broker model could be more effective in creating ongoing competition among cloud providers than awarding a single contract for each cloud service.
“Part of the pilot is really understanding what’s the right role, [and] what’s the right process” for a cloud broker model, Day told Federal Times. “We think we have an idea, but now we’ve got to test it.”
Day made clear that cloud brokers would not perform inherently governmental functions, such as contracting. It isn’t clear to what extent brokers would negotiate services between agencies and cloud service providers, but the hope is that cloud brokers will increase vendor competition, lower pricing and reduce the complexity of acquiring cloud services and integrating them with existing services.
Roughly 15 agencies are part of the cloud broker discussion, Day said. He would not name the second agency that has committed to testing the broker model because the agency has not announced it publicly.
The challenge for GSA has been attracting business to some of its existing federal contracts, rather than agencies launching their own contracts or using other agencies’ contracts. To garner greater use of its strategic sourcing contracts and future use of its cloud broker contract, GSA is meeting with agencies to determine their commitment to participate in market research and use the contracts, Day said. GSA can better leverage the federal government’s buying power, and vendors have an idea of what’s possible, in terms of business volume on a contract, he said.
Richard Spires has resigned from his post as chief information officer at the Department of Homeland Security, an agency official confirmed Tuesday.
Spires has been on leave since March 15, according to the DHS official, but the nature of his resignation is unclear. Margie Graves, the department’s deputy CIO, will continue serving as acting CIO.
DHS has yet to respond to earlier requests from Rep. Bennie Thompson, D-Miss., ranking member of the House Homeland Security Committee, concerning Spires’ extended leave from the agency. Specifically, Thompson asked whether Spires was placed on voluntary or involuntary leave, and who made the final decision regarding his leave. Responses were due May 6.
The Interior Department has awarded 10 vendors a spot on its $1 billion cloud services contract.
Under the 10-year indefinite delivery, indefinite quantity contract, vendors will provide a variety of services, including cloud storage, secure file transfer, database hosting, Web hosting, development and testing, and virtual machine services. The last of these lets agencies run virtual, rather than physical, versions of their servers, and includes virtual desktop capabilities that allow employees to access work documents and applications from any device.
The Foundation Cloud Hosting Services contract was awarded May 1 and will be available to other agencies.
Most of the winning vendors are also on the General Services Administration’s cloud email and infrastructure services contracts, including Autonomic Resources, CGI, Lockheed Martin, Unisys, IBM, Smartronix, Verizon and AT&T. Global Technology Resources and Aquilent were the other winning vendors.
Interior’s contract has three base years and several option periods through 2023.
The Defense Information Systems Agency is one step closer to standing up cloud broker services for the Defense Department.
As DoD’s cloud broker, DISA will manage the use, performance and delivery of cloud services and negotiate contracts between cloud service providers and DoD consumers.
DISA announced Tuesday that it has developed a process for gathering and assessing DoD’s cloud computing requirements, evaluating vendors’ cloud offerings against contract requirements and has created a catalog for cloud services. In a June 2012 memo, DoD Chief Information Officer Teri Takai said all DoD components must acquire government or industry-provided cloud services using DISA, or obtain a waiver.
DISA will manage cloud services categorized as low- or moderate-impact, meaning a disaster or cyberattack affecting them would have a limited or serious, but not severe, effect on DoD operations. The agency will also ensure that cloud offerings comply with the department’s information assurance and cybersecurity policies.
DISA is using Federal Risk and Authorization Management Program (FedRAMP) standards to vet cloud providers. The security program provides baseline standards to approve cloud services and products for governmentwide use.
By June 2014, all cloud services and products in use at federal agencies or in an active acquisition process must meet FedRAMP requirements.
So far, CGI Federal and North Carolina-based Autonomic Resources are the only companies that have completed the FedRAMP security reviews. The companies will be the first FedRAMP-approved vendors to host DoD’s public data inside commercial data centers.
DoD approval of these companies to provide commercial cloud services is imminent, according to DISA. Both companies have already seen big business among civilian agencies and have spots on the General Services Administration’s cloud computing contract.
GSA is deciding whether to stand up similar cloud broker services for civilian agencies, which could entail private companies serving as brokers.
House lawmakers will consider a bill Wednesday that would allow companies and federal agencies to voluntarily share and receive cyber threat information with each other.
The Cyber Intelligence Sharing and Protection Act (CISPA) passed the House Permanent Select Committee on Intelligence April 10 and will be introduced on the House floor Wednesday. A vote is expected by Thursday.
An earlier version of the bill passed the House last April but lacked additional privacy controls included in the revised bill. Still, that has not satisfied the White House and civil liberties groups who say the bill’s current provisions are insufficient.
CISPA requires the director of national intelligence to enable intelligence agencies to share threat data with the private sector in real time. This includes information about vulnerabilities in federal and industry systems and networks and about efforts to destroy or disrupt those systems. Companies that share information under the bill’s provisions would be granted legal protections if they are subject to a cyberattack.
The White House threatened to veto an earlier version of the bill that passed the House last April. Critics of the bill warned that it did little to protect citizens’ personal information and said it would not hold companies accountable for responding to threat information provided by the government.
Despite several amendments to the original bill, CISPA has not met White House expectations.
“We continue to believe that information sharing improvements are essential to effective legislation, but they must include privacy and civil liberties protections, reinforce the roles of civilian and intelligence agencies, and include targeted liability protections,” Caitlin Hayden, spokeswoman for the White House’s National Security Council, said in a statement.
“Further we believe the adopted committee amendments reflect a good-faith effort to incorporate some of the administration’s important substantive concerns, but we do not believe these changes have addressed some outstanding fundamental priorities,” Hayden said. She said the administration will continue working with the bill’s co-authors, House Intelligence Committee Chairman Rep. Mike Rogers, R-Mich., and Dutch Ruppersberger, D-Md., the committee’s ranking member.
In an effort to appease privacy and civil liberties groups, several amendments were added to the bill, including one that restricts how the government can use cyber information it receives from the private sector. The bill requires that the government only use shared information for cybersecurity, investigation and prosecution of cybersecurity crimes and protection of individuals and minors. A provision that would have allowed the information to be used for national security purposes was removed.
Several companies and trade groups, including Facebook, the U.S. Chamber of Commerce and industry group TechAmerica, have expressed support for the bill. But groups such as the American Civil Liberties Union are not satisfied.
“The changes to the bill don’t address the major privacy problems we have been raising about CISPA for almost a year and a half,” Michelle Richardson, legislative counsel at the ACLU’s Washington Legislative Office, said in a statement. “CISPA still permits companies to share sensitive and personal customer information with the government and allows the National Security Agency to collect the internet records of everyday Americans.”
The president’s budget will propose a 2 percent increase in overall information technology funding in 2014 to about $82 billion.
The slight increase is compared with 2012 levels and may mean that agencies will be allowed to reinvest savings from targeted cuts the administration directed last fall. The increased funding, however, seems to contradict administration efforts to reduce IT spending.
Cybersecurity, innovation and delivering efficient IT are among the priorities expected to be outlined in the budget.
More details to come…
Agencies were directed last fall to cut a combined $7.7 billion from their information technology budgets in 2014 and propose ways to redirect those funds for priority projects.
Duplicative investments, failing projects, help desks and contracts for email, desktops and mobile devices are among the areas targeted for cuts, according to budget guidance released by the Office of Management and Budget in August.
Details of the proposed cuts were included in agencies’ budget submission documents and were incorporated into the president’s budget, which is due out Wednesday.
For each agency, cuts will amount to 10 percent of their average annual IT spending from 2010 to 2012. The combined cuts would reduce agencies’ IT budgets from $74.1 billion – the figure in the president’s 2013 budget plan – to $66.4 billion for 2014.
Hardest hit will be the Defense Department, which will see a $3.5 billion reduction; followed by the Health and Human Services Department, $662 million; and the Department of Homeland Security, $587 million.
Agencies must propose to OMB how they would reinvest at least 5 percent of that money in priority areas that align with administration initiatives such as:
* Cloud First, which requires agencies to use cloud computing technologies when a reliable and cost-effective solution exists.
* Shared First, an effort to share common IT services within agencies and ultimately across agencies.
* The Digital Government Strategy, aimed at providing better online services to citizens and making government data available in standard, digital formats.
Agencies must propose reinvestment projects that will show a return on investment within 18 months, according to OMB’s guidance. OMB will then decide whether to approve those plans. Projects can include:
* Improved citizen services or administrative efficiencies.
* Shared services.
* IT consolidation, including data center consolidation.
* Improved IT security and information assets.
* Improved energy efficiency of IT facilities and equipment.
* Innovative investments such as cloud computing, modular development, improper-payment reduction and digital government.
* Data analytics or data management consistent with administration priorities.
Chief information officers are also contending with across-the-board cuts, which took effect last month and total $85 billion governmentwide.
“Cuts like this require hard choices,” said Roger Baker, former CIO at the Veterans Affairs Department. If a program is facing a 9 percent cut, agencies have to decide what they can and cannot get done.
Baker, who now serves as chief strategy officer for Virginia-based Agilex Technologies, suggested CIOs prioritize what they can get done with their remaining funding, rather than trying to fund everything with a reduced budget.
At VA, there is a prioritized unfunded list for key projects that are next in line for funding, Baker said. A departmentwide team agrees on projects and submits those recommendations to an IT leadership board. The project list is then approved by the deputy secretary.
The issue for most agencies is they can’t move funding across different projects, he said.
Whether OMB will allow agencies to reinvest some or all of their savings is unclear, but Baker said software license spending is one area ripe for savings.
Agencies are better prepared to negotiate pricing when they know what software licenses they are using and how many. Over the past five years, VA has saved about $200 million on software licenses by purchasing only what is needed.
“Typically, what happens is in the year you make the optimization you get to keep the dollars, but there is no guarantee where federal budget is concerned,” Baker said.
You may want to think twice before opening that social media account for your agency.
In an April 4 memo, the Office of Management and Budget put agencies on notice that employees may be in violation of the Antideficiency Act by agreeing to open-ended terms of agreement for certain websites. You’ve seen them: the lists of terms and conditions that most of us don’t bother to read.
The good news: If you don’t have contracting authority, then your consent on the government’s behalf isn’t binding. For contracting officials, however, that’s a different story.
The Antideficiency Act prohibits agencies from spending funds that have not been appropriated or from accepting voluntary services. Here’s what the Justice Department’s Office of Legal Counsel has to say on the social media/Antideficiency Act issue:
…in certain circumstances, a Federal employee with contracting authority violates the Antideficiency Act when he or she opens an agency account for a social media application that is governed by Terms of Service (TOS) that include an open-ended indemnification clause. An Antideficiency Act violation may occur in such a situation because an agency’s agreement to an open-ended indemnification clause could result in the agency’s legal liability for an amount in excess of the agency’s appropriation.
Apparently the issue is serious enough for OMB to call on the Federal Acquisition Regulatory Council to get involved:
OMB has requested that the Federal Acquisition Regulatory Council (FAR Council) undertake a rulemaking, through the issuance of an interim rule, to amend the Federal Acquisition Regulation (FAR) to require contracting officers to put contractors on notice that any [terms of service], [end user license agreements] or other agreement requiring the government or government-authorized end user to indemnify the contractor for damages, costs, or fees incurred is unenforceable against the government or end-user and will be read out of the agreement to prevent violations of the Antideficiency Act.
To be on the safe side, here’s a list of amended terms of service agreements from the General Services Administration.