Federal Cloud Market Drivers: Security Compliance and Brokers

Published: January 29, 2014

Tags: Cloud Computing, Cybersecurity, GSA, Innovation, OMB

As federal agencies face a June deadline for cloud security compliance, acquisition in the government cloud market continues to evolve.

The Office of Management and Budget launched the Cloud First Policy back in 2010, spurring agency adoption of cloud-based solutions whenever such secure, reliable options exist. Since then, a lot of progress has been made around clarifying the capabilities of cloud solutions by standardizing definitions, developing security controls, and exploring contracting practices. Over the past few years, the General Services Administration (GSA) has steadily rolled out the Federal Risk and Authorization Management Program (FedRAMP) through its initial operating phase. 

FedRAMP established a cloud security baseline, leveraging guidance documents from the National Institute of Standards and Technology (NIST). Agencies can, however, require security beyond the level established by these baseline controls. While agencies determine their individual cloud adoption needs, this combination lets them tailor controls to their specific security needs while still meeting government-wide standards.

At the outset of 2013, some 70 cloud service providers were reported to be in the FedRAMP application queue. A year later, thirteen different cloud-based solutions have received a provisional authority to operate (ATO), most of which are Infrastructure-as-a-Service (IaaS) offerings. Because the NIST guidance documents shaping the FedRAMP controls undergo periodic updates, a lingering question is how changes to the baseline will affect FedRAMP-approved providers as well as applications still under review.

With standard definitions and security baselines established for cloud services, the contracting landscape has proved to be another area of steady development. While many agencies have contracted services independently with commercial service providers, others have sought to use channels established by GSA and other organizations. According to a representative from GSA's Federal Acquisition Service, several acquisition vehicles were established with the intention of providing agencies with a means to pursue cloud solutions. Adoption through GSA's Infrastructure-as-a-Service and Email-as-a-Service blanket purchase agreements (BPAs) has been slower than expected, partly because agencies' current contracts have not yet reached their expiration dates. As the demand for cloud capabilities continues to expand, GSA is looking to leverage existing channels rather than standing up separate "boutique" options. Currently, cloud offerings can be found through GSA's IT Schedule 70 as well as Government-wide Acquisition Contracts (GWACs), such as Alliant and Alliant Small Business.

In a recent panel discussion, several government representatives described efforts to define the role of cloud brokers as the footprint of cloud implementation continues to grow across the government. The role of cloud brokers could build on strategic sourcing initiatives, curating the solutions that government organizations pursue. One of the challenges for these brokers is the varying knowledge level across the customer base: some organizations know exactly what they want, while others are still developing an understanding of cloud capabilities and their own specific requirements.

One way the cloud broker model can operate is to take offerings from various commercial providers, integrate them, add layers of security, and present the combination as a service to the government. By reducing costs with pre-built services and improving time to market, the broker model also stands to generate competition among providers to increase capabilities while keeping costs down. At the same time, this model carries risks for the brokers: often there are significant gaps between the services sought by the government and what providers are willing to offer.

Some government officials describe their ideal cloud acquisition environment as a sort of buffet of services with endless possible combinations. Even under a broker, however, the reality is likely to be more of a fixed menu. Cloud service providers accept financial risk by undergoing the FedRAMP approval process without any assurance that receiving an ATO will lead to future business. Brokers are also taking on risks, such as closing gaps around service level agreements. As the government looks to industry to carry more and more of the risk, the costs to businesses will create an ecosystem that supports certain businesses and creates barriers for others.