When we reported on federal spending in the cloud a few years ago, American federal agencies were spending several billion dollars on cloud technologies.
Fast forward a few years, and that amount has skyrocketed, with reports of over $10 billion spent in the 2021 fiscal year.
With so much cloud spending in play at the federal level, it doesn't make sense to try to enumerate every single way that a federal agency uses the cloud – but by looking at some common trends, we can see more about how Uncle Sam is leveraging cloud principles and practices in the post-coronavirus era.
Covid-19 and Tech Updates
First, it's important to acknowledge the changes that Covid-19 brought to both government and business.
Remote work models led to more demand for cloud-related products and agencies supercharged their procurement and innovation processes. Zoom stock soared. Everyone was trying to figure out how to release an in-office workforce to a model where each individual stayed in his or her own “pod” and telecommuted, for the purposes of social distancing. Some were more successful than others. (Read also: The Pros and Cons of Hybrid Work.)
Early on, however, federal agencies were already planning long-term. “Agencies drafted workplace reentry plans shortly after most civilian feds shifted to telework,” wrote analysts at the U.S. Government Accountability Organization.
“There was no government-wide oversight or review of these initial plans and the plans didn't consistently align with federal guidance. A new task force on COVID-related workplace safety was created in January, 2021. It oversaw new agency reentry planning. Agencies' new plans generally aligned with federal guidance, including such measures as mandatory mask-wearing.”
That’s just a bit of how federal offices have tried to course-correct through a few challenging years. Cloud adoption was undoubtedly part of that process, but what do federal cloud practices look like?
The FedRAMP Program
We also reported last time around on the FedRAMP program, which establishes cloud standards for the government. FedRamp was created in 2011 to help do away with redundant and duplicate processes for figuring out security compliance and other issues in cloud procurement.
This kind of “re-use” of research and protocol keeps costs lower for agencies. As stated on FEDRamp’s website, the mission of the program involves providing “a uniform approach to risk-based management … enhancing transparency between government and Cloud Service Providers … improving the trustworthiness, reliability, consistency, and quality of the Federal security authorization process.”
But what's happening right now?
Here's some of what FedRAMP continues to do to promote cloud involvement – an agency blog post from June 1, 2022, shows that stakeholders are being accredited to “work with the jab”:
“Cloud Service Providers (CSPs) have been selected to work with the Joint Authorization Board (JAB) for a Provisional Authority to Operate (P-ATO)…” writes a spokesperson.
This and other connectivity work, including a revamped authorization process for CSPs, boosts the agency’s accomplishments in safeguarding the federal cloud sector.
Relying on NIST Standards
Looking at the broader (and more fundamental) points of federal cloud adoption, what we see is that government offices are using a set of principles from the NIST to drive their cloud integrations.
FedRAMP uses NIST’s Special Publication [SP] 800-53 – Security and Privacy Controls for Federal Information Systems and Organizations series as a guide. Then, according to internal resources, the agency goes through a cycle:
- Create draft FedRamp baselines.
- Put out baselines for public comment.
- Update based on public comment.
- Release updates.
All of this, agency personnel say, is in aid of establishing better security and privacy policies in cloud models.
Other parties are also chipping in. The Federal Chief Information Officer Council in conjunction with OMB has developed this process for cloud analysis; they explain, in part:
“The Chief Information Officers Council will work with the Office of Management and Budget, the General Services Administration, and agency and private industry experts to develop methods for optimizing agency usage of cloud services. This will be accomplished by:
- Determining and sharing best practices in cloud performance measurement, migration, and implementation based on leading industry trends;
- Connecting agencies to gain insights into cloud options and access to subject matter expertise, or to review their cloud strategic plans; and
- Coordinating to ensure agencies have access to Federal acquisition tools and services pertaining to cloud procurement, migration, and optimization.”
All of this also centers on the broader work of updating federal cloud practices.
Private, Public and Hybrid Clouds
Broadly speaking, cloud computing is divided into private, public and hybrid.
Private cloud represents a setup where a particular client gets their own cloud structure, separate from that of any other client or "tenant." (Read also: Single Tenant vs Multi Tenant Applications: How to Choose.)
Public cloud, on the other hand, is a strategy that's often cheaper, but in the view of some parties, less secure. Concerns about crossover and other problems apply to public cloud setups.
Some government offices are therefore choosing a hybrid design, where some sensitive workloads go to a private cloud, and others reside in public storage.
In looking at what FedRAMP does, in accreditation or elsewhere, it's instructive to look at lists of agencies that have chosen one or the other methodology, and why.
As industry specific and multicloud platforms become more popular, they government will want to explore the possibilities they hold as well. Matching the right cloud to the workload and the work is becoming a reality in ways it hasn't been before.
A Case Study: Teamcenter X
Here we have a release from Siemens about some of their defense technology that is offering cloud services to government agencies:
“Deemed ‘ready’ by the Federal Risk and Authorization Management Program, Siemens Defense Cloud — which includes the Teamcenter X software — is now available for ‘high impact’ product lifecycle management government agency deployment,” writes Charles Lyons-Burt. “The centerpiece application of the Defense Cloud suite, Teamcenter X is commonly used by Department of Defense clients and the aerospace industry and is reportedly trusted to digitally host sensitive, unclassified data. The U.S. Air Force selected Teamcenter for its acquisition and sustainment efforts of critical apparatuses and technologies.”
This shows how the company positions itself and its technology for U.S. federal cloud adoption.
What's Next?
Cloud computing technology continues to get more sophisticated, tailoring industry-specific options and creating new ways to secure the information it holds. Josh Hilliker, principal engineer and director for cloud solutions at Intel, has highlighted what he saw as the next steps for the feds. In an interview with FedTech, he mentions multicloud platforms, AI-driven app development and scalability as important focuses for the government.
The challenges faced by federal government offices will be the same challenges that face private businesses: the burden of making sure that cloud services are secure, staying compliant with industry standards, and ensuring the solutions are cost-effective.
