Amazon Web Services is the latest vendor to pass a rigorous security review for all federal cloud products and services.
So far, only CGI Federal and North Carolina-based Autonomic Resources have completed the Federal Risk and Authorization Management Program (FedRAMP). The governmentwide program was launched in June to standardize security reviews of commercial cloud products and is housed within the General Services Administration.
Under the FedRAMP program, Amazon was granted a provisional Authority to Operate (ATO) by the Health and Human Services Department. This means HHS has certified that Amazon’s GovCloud and regional cloud service offerings meet federal security standards, and the company’s services are authorized for use at HHS. The purpose of FedRAMP is for other agencies to save time and money by using or building on the security review HHS has done.
More than 300 government agencies are currently using Amazon Web Services, Teresa Carlson, vice president of worldwide public sector, said in a statement.
By June 2014, all cloud services and products in use at federal agencies or in an active acquisition process must meet FedRAMP requirements.
Agencies are on the hook to publicly release more digital data in a way that protects citizens’ personal information and does not compromise government security.
One challenge, however, will be determining how that data could be combined with existing public data to identify an individual or pose other security risks to agencies, according to experts speaking at ACT-IAC’s annual Management of Change conference this week.
“The awareness is there, the concern is there, [but] the practice of it is relatively immature,” said Mike Howell, deputy program manager in the Office of the Program Manager of the Information Sharing Environment. “The policy framework around how you prevent inadvertent aggregation of personal identifiable information [and] sensitive information, it’s a known problem. It’s good that people are paying attention, but it becomes incumbent on whoever the aggregator is what they do with that information.”
Howell, whose office falls under the Office of the Director of National Intelligence, highlighted the administration’s recent Open Data policy that refers to this issue as the mosaic effect. The policy memo, released this month, directs agencies to:
Consider other publicly available data, in any medium and from any source, to determine whether some combination of existing data and the data intended to be publicly released could allow for the identification of an individual or pose another security concern.
The challenge for many agencies, however, is they’re struggling to understand what data they have let alone what data is already in the public domain.
According to the policy, “it is the responsibility of each agency to perform the necessary analysis and comply with all applicable laws, regulations, and policies. In some cases, this assessment may affect the amount, type, form, and detail of data released by agencies.”
There’s a natural tension between releasing open data and securing it, said Donna Roy, an executive director in the Department of Homeland Security’s Information Sharing Environment Office.
Agencies have been instructed to:
- Collect or create only that information necessary for the proper performance of agency functions and has practical utility.
- Limit the collection or creation of information that identifies individuals to what is legally authorized and necessary for the proper performance of agency functions.
- Limit the sharing of information that identifies individuals or contains proprietary information to what is legally authorized.
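The mosaic-effect analysis the policy asks for is, in practice, a linkage test: join the table you plan to release against data that is already public on the fields they share and count how many records land on exactly one person. The following is an added example, not code from the policy memo, the article or any agency; both tables are constructed toy data, and the column names (zip, birth_year, sex, benefit, name) and the "voter roll" framing are assumptions. It also shows the standard mitigation, coarsening the quasi-identifiers, and why k-anonymity measured on the release alone is not the same question as linkability to external data.

```python
"""Mosaic-effect check: which rows of a planned release become attributable to a
named individual once joined with data that is already public?

Added example (not from the policy memo or the article). All data below is
constructed; column names and the voter-roll scenario are assumptions.
"""
from collections import Counter

# Constructed planned release: a de-identified benefits table (no names).
PLANNED_RELEASE = [
    {"zip": "20001", "birth_year": 1975, "sex": "F", "benefit": "housing"},
    {"zip": "20001", "birth_year": 1975, "sex": "F", "benefit": "food"},
    {"zip": "20002", "birth_year": 1982, "sex": "M", "benefit": "housing"},
    {"zip": "20003", "birth_year": 1990, "sex": "M", "benefit": "medical"},
    {"zip": "20003", "birth_year": 1990, "sex": "F", "benefit": "medical"},
]

# Constructed "already public" dataset, e.g. a voter roll that carries names.
PUBLIC_ROLL = [
    {"name": "A. Doe", "zip": "20001", "birth_year": 1975, "sex": "F"},
    {"name": "B. Roe", "zip": "20001", "birth_year": 1975, "sex": "F"},
    {"name": "C. Poe", "zip": "20002", "birth_year": 1982, "sex": "M"},
    {"name": "G. Coe", "zip": "20002", "birth_year": 1985, "sex": "M"},
    {"name": "D. Loe", "zip": "20003", "birth_year": 1990, "sex": "M"},
    {"name": "H. Voe", "zip": "20004", "birth_year": 1993, "sex": "M"},
    {"name": "E. Moe", "zip": "20003", "birth_year": 1990, "sex": "F"},
    {"name": "F. Noe", "zip": "20003", "birth_year": 1990, "sex": "F"},
]

# Fields present in both tables that are not identifiers on their own.
QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")


def key(row, cols=QUASI_IDENTIFIERS):
    """The quasi-identifier combination used to join the two tables."""
    return tuple(row[c] for c in cols)


def k_anonymity(rows, cols=QUASI_IDENTIFIERS):
    """Smallest group of rows sharing one quasi-identifier combination.
    Measured on the release alone; it says nothing about outside data."""
    return min(Counter(key(r, cols) for r in rows).values())


def generalize(row):
    """Coarsen quasi-identifiers: 3-digit ZIP prefix and birth decade."""
    return {**row, "zip": row["zip"][:3], "birth_year": row["birth_year"] // 10 * 10}


def link(release, public, cols=QUASI_IDENTIFIERS):
    """Mosaic-effect join. Returns (name, sensitive attribute) for every release
    row whose quasi-identifiers match exactly one person in the public data;
    a match against two or more people leaves the attribute unattributable."""
    candidates = {}
    for person in public:
        candidates.setdefault(key(person, cols), []).append(person["name"])
    linked = []
    for row in release:
        names = candidates.get(key(row, cols), [])
        if len(names) == 1:
            linked.append((names[0], row["benefit"]))
    return linked


if __name__ == "__main__":
    print("k-anonymity of release as planned:", k_anonymity(PLANNED_RELEASE))
    print("uniquely re-identified:", link(PLANNED_RELEASE, PUBLIC_ROLL))
    coarse_release = [generalize(r) for r in PLANNED_RELEASE]
    coarse_public = [generalize(r) for r in PUBLIC_ROLL]
    print("after generalization:", link(coarse_release, coarse_public))
```

On the constructed data the planned release links two rows to named people (their benefit type is disclosed), while the coarsened release links none, even though its k-anonymity is still 1. That gap is the point of the policy's wording: the question is not whether a row is unique inside the release but whether it is unique against everything else already in the public domain, so the check has to be rerun whenever a new external dataset appears.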
The General Services Administration is moving forward with plans to stand up a cloud broker contract for acquiring and managing the performance of federal cloud services.
The Department of Homeland Security is one of two agencies that has committed to testing GSA’s cloud broker model in a pilot program expected to launch this fall, said GSA’s Mark Day. Speaking Monday at the annual Management of Change conference in Maryland, Day said GSA will award one contract to test the concept of a broker model and reevaluate the pilot by year’s end to determine how it could be expanded.
GSA has not yet defined all the services a cloud broker would provide, but the National Institute of Standards and Technology defines a cloud broker as “an entity that manages the use, performance and delivery of cloud services and negotiates relationships between cloud providers and cloud consumers.” Technology research firm Gartner defines cloud brokerage as a business model in which an entity adds value to one or more cloud services on behalf of one or more cloud users.
Some question whether the cloud broker model will add value or end up costing agencies more money. In a Feb. 14 letter to Rep. Doris Matsui, D-Calif., GSA’s Lisa Austin said the cloud broker model could be more effective in creating ongoing competition among cloud providers than awarding single contracts for each cloud service.
“Part of the pilot is really understanding what’s the right role, [and] what’s the right process” for a cloud broker model, Day told Federal Times. ”We think we have an idea, but now we’ve got to test it.”
Day made clear that cloud brokers would not perform inherently governmental functions, such as contracting. It isn’t clear to what extent brokers would negotiate services between agencies and cloud service providers, but the hope is that cloud brokers will increase vendor competition, lower prices, and reduce the complexity of acquiring cloud services and integrating them with existing services.
Roughly 15 agencies are part of the cloud broker discussion, Day said. He would not name the second agency that has committed to testing the broker model because the agency has not announced it publicly.
The challenge for GSA has been attracting business to some of its existing federal contracts, rather than agencies launching their own contracts or using other agencies’ contracts. To garner greater use of its strategic sourcing contracts and future use of its cloud broker contract, GSA is meeting with agencies to determine their commitment to participate in market research and use the contracts, Day said. GSA can better leverage the federal government’s buying power, and vendors have an idea of what’s possible, in terms of business volume on a contract, he said.
On Nov. 27, 2012, at 3:38 p.m., an employee at Insight Systems Corp., which was bidding on a health services contract, submitted a revised quote to two employees inside the U.S. Agency for International Development.
The deadline for doing so was 5 p.m.
The message reached the first of three agency-controlled servers at 3:41 p.m., but then it got stuck. And it wasn’t until 5:18 p.m. that the email reached the first USAID employee, while the second employee didn’t receive the message until 5:57 p.m.
Around the same time, an employee at another company, CenterScope, which was submitting its own revised quote, sent a submission to the same USAID employees at 4:39 p.m., but that email did not reach the intended recipients until 5:15 p.m. and 6:08 p.m., respectively.
Too late, right?
Not according to U.S. Court of Federal Claims Judge Francis Allegra.
In a 22-page opinion released Monday, Allegra ruled in favor of both contractors in their complaint against USAID.
Aside from calling USAID’s decision to reject the quotes because they were late “arbitrary, capricious and contrary to law,” the ruling — in case you’re interested — provides a road map of a typical email message through a maze of internal servers.
In this case, the emails were received and accepted by the USAID’s internal server, but they got stuck there for a while and weren’t forwarded to the next server because of an internal error.
The delays lasted more than two hours in some cases, and none of the messages made it to their final recipients by the 5 p.m. deadline.
Still, USAID sent both contractors letters days later saying their quotes wouldn’t be considered because, after all, late is late.
Allegra disagreed, sharply.
He went so far as to say USAID approached the question of the timeliness of electronic submission “with the zeal of a pedantic school master awaiting a term paper.”
He also wrote that he could see no reason why the government’s possession of the quotes could not be effected through a government computer server just as well as through a clerk in a mail room.
In the end, Allegra’s ruling bars USAID from making an award unless it accepts quotes from both contractors.
Or, he ruled, USAID could start all over with a new procurement.
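The timeline the court reconstructed comes from the Received: headers that each relay prepends to a message, which is the same evidence an incident responder reads to find where mail stalled or was injected. The following is an added example, not part of the original article or the court record: it parses those headers, orders the hops chronologically, computes how long each server held the message, and separates the two moments the ruling turned on, when the first agency-controlled server accepted the message and when it reached the recipient. The sample message is constructed; hostnames, addresses and timestamps are assumptions loosely modelled on the delays described above, not data from the case.

```python
"""Reconstruct an e-mail's hop-by-hop path and delays from its Received: headers.

Added example, not part of the original article or the court record. The message
below is constructed for illustration: hostnames, IPs and timestamps are
assumptions loosely modelled on the delays the opinion describes.
"""
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

EASTERN = timezone(timedelta(hours=-5))
DEADLINE = datetime(2012, 11, 27, 17, 0, tzinfo=EASTERN)  # assumed 5 p.m. deadline

# Constructed sample. Each relay prepends its own Received: line, so the first
# header in the message is the last hop and the last header is the first hop.
SAMPLE_MESSAGE = """\
Received: from mx2.agency.example (mx2.agency.example [10.0.0.2])
\tby mailbox.agency.example; Tue, 27 Nov 2012 17:18:02 -0500
Received: from mx1.agency.example (mx1.agency.example [10.0.0.1])
\tby mx2.agency.example; Tue, 27 Nov 2012 17:17:40 -0500
Received: from mail.vendor.example (mail.vendor.example [203.0.113.7])
\tby mx1.agency.example; Tue, 27 Nov 2012 15:41:10 -0500
From: bids@vendor.example
To: co@agency.example
Subject: Revised quote
Date: Tue, 27 Nov 2012 15:38:00 -0500

Revised quote attached.
"""


def parse_hops(raw_message):
    """Return [(receiving_host, timestamp), ...] in chronological order."""
    msg = message_from_string(raw_message)
    hops = []
    for header in msg.get_all("Received", []):
        value = " ".join(header.split())          # unfold continuation lines
        clause, _, stamp = value.rpartition(";")  # the date follows the last ';'
        host = clause.split(" by ", 1)[1].split()[0] if " by " in clause else "?"
        hops.append((host, parsedate_to_datetime(stamp.strip())))
    hops.reverse()  # headers are newest-first; we want oldest-first
    return hops


def hop_delays(hops):
    """Seconds each hop waited before receiving the message from the previous one."""
    return [(host, (t - prev_t).total_seconds())
            for (_, prev_t), (host, t) in zip(hops, hops[1:])]


def slowest_hop(hops):
    """The hop that held the message longest: where to look for the fault."""
    return max(hop_delays(hops), key=lambda d: d[1])


def deadline_check(raw_message, deadline=DEADLINE):
    """Compare when the agency's first server accepted the message with when
    the recipient's mailbox got it: the distinction the ruling turned on."""
    hops = parse_hops(raw_message)
    return {
        "accepted_by_agency_at": hops[0][1],
        "delivered_to_recipient_at": hops[-1][1],
        "accepted_before_deadline": hops[0][1] <= deadline,
        "delivered_before_deadline": hops[-1][1] <= deadline,
    }


if __name__ == "__main__":
    hops = parse_hops(SAMPLE_MESSAGE)
    for host, seconds in hop_delays(hops):
        print(f"{host:<28} waited {seconds:>7.0f}s")
    print("slowest hop:", slowest_hop(hops))
    print(deadline_check(SAMPLE_MESSAGE))
```

One caveat for anyone using this outside a toy: only the Received: lines written by servers you control are trustworthy. Anything below the first hop your own infrastructure added was supplied by the sender's side and can be forged or backdated, so the "accepted by the agency" timestamp is the earliest one you can rely on, which is also why it was the sensible line for the court to draw.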
The Defense Information Systems Agency is one step closer to standing up cloud broker services for the Defense Department.
As DoD’s cloud broker, DISA will manage the use, performance and delivery of cloud services and negotiate contracts between cloud service providers and DoD consumers.
DISA announced Tuesday that it has developed a process for gathering and assessing DoD’s cloud computing requirements and for evaluating vendors’ cloud offerings against contract requirements, and that it has created a catalog of cloud services. In a June 2012 memo, DoD Chief Information Officer Teri Takai said all DoD components must acquire government- or industry-provided cloud services through DISA, or obtain a waiver.
DISA will manage cloud services categorized as low or moderate in terms of potential impact on DoD operations in the event of a disaster or cyberattack. The agency will also ensure that cloud offerings comply with the department’s information assurance and cybersecurity policies.
DISA is using Federal Risk and Authorization Management Program (FedRAMP) standards to vet cloud providers. The security program provides baseline standards to approve cloud services and products for governmentwide use.
By June 2014, all cloud services and products in use at federal agencies or in an active acquisition process must meet FedRAMP requirements.
So far, CGI Federal and North Carolina-based Autonomic Resources are the only companies that have completed the FedRAMP security reviews. The companies will be the first FedRAMP-approved vendors to host DoD’s public data inside commercial data centers.
DoD approval of these companies to provide commercial cloud services is imminent, according to DISA. Both companies have already seen big business among civilian agencies and have spots on the General Services Administration’s cloud computing contract.
GSA is deciding whether to stand up similar cloud broker services for civilian agencies, which could entail private companies serving as brokers.
Agencies were directed last fall to cut a combined $7.7 billion from their information technology budgets in 2014 and propose ways to redirect those funds for priority projects.
Duplicative investments, failing projects, help desks and contracts for email, desktops and mobile devices are among the areas targeted for cuts, according to budget guidance released by the Office of Management and Budget in August.
Details of the proposed cuts were included in agencies’ budget submission documents and were incorporated into the president’s budget, which is due out Wednesday.
For each agency, cuts will amount to 10 percent of their average annual IT spending from 2010 to 2012. The combined cuts would reduce agencies’ IT budgets from $74.1 billion – the figure in the president’s 2013 budget plan – to $66.4 billion for 2014.
Hardest hit will be the Defense Department, which will see a $3.5 billion reduction; followed by the Health and Human Services Department, $662 million; and the Department of Homeland Security, $587 million.
Agencies must propose to OMB how they would reinvest at least 5 percent of that money in priority areas that align with administration initiatives such as:
* Cloud First, which requires agencies to use cloud computing technologies when a reliable and cost-effective solution exists.
* Shared First, an effort to share common IT services within agencies and ultimately across agencies.
* The Digital Government Strategy, aimed at providing better online services to citizens and making government data available in standard, digital formats.
Agencies must propose reinvestment projects that will show a return on investment within 18 months, according to OMB’s guidance. OMB will then decide whether to approve those plans. Projects can include:
* Improved citizen services or administrative efficiencies.
* Shared services.
* IT consolidation, including data center consolidation.
* Improved IT security and information assets.
* Improved energy efficiency of IT facilities and equipment.
* Innovative investments such as cloud computing, modular development, improper-payment reduction and digital government.
* Data analytics or data management consistent with administration priorities.
Chief information officers are also contending with across-the-board cuts, which took effect last month and total $85 billion governmentwide.
“Cuts like this require hard choices,” said Roger Baker, former CIO at the Veterans Affairs Department. If a program is facing a 9 percent cut, agencies have to decide what they can and cannot get done.
Baker, who now serves as chief strategy officer for Virginia-based Agilex Technologies, suggested CIOs prioritize what they can get done with their remaining funding, rather than trying to fund everything with a reduced budget.
At VA, there is a prioritized unfunded list for key projects that are next in line for funding, Baker said. A departmentwide team agrees on projects and submits those recommendations to an IT leadership board. The project list is then approved by the deputy secretary.
The issue for most agencies is they can’t move funding across different projects, he said.
Whether OMB will allow agencies to reinvest some or all of their savings is unclear, but Baker said software license spending is one area ripe for savings.
Agencies are better prepared to negotiate pricing when they know what software licenses they are using and how many. Over the past five years, VA has saved about $200 million on software licenses by purchasing only what is needed.
“Typically, what happens is in the year you make the optimization you get to keep the dollars, but there is no guarantee where federal budget is concerned,” Baker said.
You may want to think twice before opening that social media account for your agency.
In an April 4 memo, the Office of Management and Budget put agencies on notice that employees may be in violation of the Antideficiency Act by agreeing to open-ended terms of service agreements for certain websites. You’ve seen them: the lists of terms and conditions that most of us don’t bother to read.
The good news: If you don’t have contracting authority, then your consent on the government’s behalf isn’t binding. For contracting officials, however, that’s a different story.
The Antideficiency Act prohibits agencies from spending funds that have not been appropriated or from accepting voluntary services. Here’s what the Justice Department’s Office of Legal Counsel has to say on the social media/Antideficiency Act issue:
…in certain circumstances, a Federal employee with contracting authority violates the Antideficiency Act when he or she opens an agency account for a social media application that is governed by Terms of Service (TOS) that include an open-ended indemnification clause. An Antideficiency Act violation may occur in such a situation because an agency’s agreement to an open-ended indemnification clause could result in the agency’s legal liability for an amount in excess of the agency’s appropriation.
Apparently the issue is serious enough for OMB to call on the Federal Acquisition Regulatory Council to get involved:
OMB has requested that the Federal Acquisition Regulatory Council (FAR Council) undertake a rulemaking, through the issuance of an interim rule, to amend the Federal Acquisition Regulation (FAR) to require contracting officers to put contractors on notice that any [terms of service], [end user license agreements] or other agreement requiring the government or government-authorized end user to indemnify the contractor for damages, costs, or fees incurred is unenforceable against the government or end-user and will be read out of the agreement to prevent violations of the Antideficiency Act.
To be on the safe side, here’s a list of amended terms of service agreements from the General Services Administration.
After transforming information technology operations at the Veterans Affairs Department, Roger Baker has moved back to the private sector to continue serving federal customers from the outside.
Baker has been named chief strategy officer for Virginia-based Agilex Technologies, a professional IT services firm known for developing IT projects in smaller, faster increments, or agile development. In this newly created position, Baker will assist federal customers with IT modernization efforts and with lowering IT operating costs, and will also play a key role in expanding the company’s federal reach. At VA, Agilex has been a major player in advancing the department’s mobile initiatives through several contract awards, including one to develop mobile applications for VA clinicians.
After a four-year tenure, Baker stepped down last month as VA’s CIO and assistant secretary for information and technology. Prior to that, Baker held executive roles at several companies, including General Dynamics Information Technology and CACI International.
Thousands of rogue Apple, Android and Windows devices found operating on the Army’s network could pose major security risks to sensitive data and Army network operations, according to a recent report.
Army commands failed to report more than 14,000 commercial smartphones and tablet computers being used across the service for research activities, data collection, mobile device pilot programs and other tasks, according to the March 26 inspector general report. The Army Corps of Engineers’ Engineer Research and Development Center in Vicksburg, Miss., and the U.S. Military Academy at West Point, N.Y., were among the locations using unapproved devices.
Army officials at those sites did not ensure devices met security standards to protect data, and they failed to require all smartphones and tablets be wiped clean of data if reported lost or given to a new user. A lack of clear guidance from the Army chief information officer resulted in officials forgoing training and user agreements before handing out mobile devices.
“The Army did not implement an effective cybersecurity program for commercial mobile devices,” the report said. “If devices remain unsecure, malicious activities could disrupt Army networks and compromise sensitive DoD information.”
“The Army CIO inappropriately concluded that [commercial mobile devices] were not connecting to Army networks and storing sensitive information; and, therefore, did not” require the same security standards used for other information systems, according to the report.
The IG review was conducted between April 2012 and February 2013 and did not include Blackberry devices.
The IG office set an April 25 deadline for the Army to comment on its recommendations, which include creating clear policy for tracking and reporting mobile device purchases and ensuring mobile devices follow the same security standards as other information systems. Earlier comments provided by the director for the Army CIO Cybersecurity Directorate were deemed nonresponsive.
As of February, DoD reported more than 600,000 commercial mobile devices in use and in a pilot test phase, including 470,000 Blackberrys, 41,000 Apple devices and 8,700 Android devices. The challenge, however, is managing those devices.
Army officials are eager for DoD’s mobile device contract to be awarded this month. The management software will eventually manage, monitor and enforce security for 8 million devices. The software will allow the Army to remotely wipe data from devices and monitor what applications users download, websites they visit and data viewed or modified on their devices.
The General Services Administration has launched a full review of its key online procurement system, after discovering a security vulnerability that may have exposed users’ sensitive data.
The security flaw was reported to GSA on March 8, and the agency has since issued a software patch on the system and is investigating potential impacts to vendors registered in GSA’s System for Award Management (SAM).
“When we got the word that this might be the case, we got right on it,” GSA Acting Administrator Dan Tangherlini told reporters Tuesday following a congressional hearing. “And there is nothing that we won’t do, there’s no step we’re not going to take to ensure the safety and the security of people’s data within that system.”
Tangherlini said GSA is testing changes to the system and will continue to keep users informed. “I am incredibly concerned about it, and the good news is that everyone in the organization is incredibly concerned,” he said of the system’s known security flaw.
The vulnerability could have compromised sensitive information, including Social Security numbers, of individuals registered in the system, according to GSA.gov. Contractors that use Social Security numbers instead of taxpayer identification numbers could be at greater risk, and those individuals will receive credit monitoring.
The vision for the SAM system is to serve as a single access point for nine procurement systems, but GSA has yet to accomplish that goal. To date, the SAM system includes four of the nine systems and provides access to contractors’ business information, the certifications they need to receive federal contracts and grants, and the list of contractors that have been suspended or debarred.
In 2008, GSA began consolidating its systems in an effort to reduce costs, eliminate redundancies and improve efficiency.
A March 2012 Government Accountability Office report found that “while GSA has taken some steps to reduce costs, it has not reevaluated the business case for SAM or determined whether it is the most cost-effective alternative.”
The Federal Acquisition Service and Office of the Chief Information Officer are now providing program oversight, following an internal review of all GSA operations last year. Tangherlini has also called for the development, reporting and monitoring of key metrics for the SAM project.