It's no secret that agencies core to the U.S. government have a central plan -- known as Cloud First -- to move most operations toward a cloud computing service. In the process of course is a never-ending evaluation by other agencies to talk about how those cloud implementations are doing.
The Office of Management and Budget (OMB) issued the Cloud First policy in December 2010 which requires federal agencies to implement cloud services whenever a secure, reliable and cost-effective cloud option exists; and to have migrated three technology services to the cloud by June.
This week the Government Accountability Office issued a report on the overall progress of that plan and in the process found seven common challenges that the GAO said may end up impeding their ability to realize the expected benefits of cloud-based implementations.
From the GAO report, those seven common challenges include:
• Meeting federal security requirements: Cloud vendors may not be familiar with security requirements that are unique to government agencies, such as continuous monitoring and maintaining an inventory of systems. For example, State Department officials described their ability to monitor their systems in real time, which they said cloud service providers were unable to match. U.S. Treasury officials also explained that the Federal Information Security Management Act's requirement of maintaining a physical inventory is challenging in a cloud environment because the agency does not have insight into the provider's infrastructure and assets.
• Obtaining guidance: Existing federal guidance for using cloud services may be insufficient or incomplete. Agencies cited a number of areas where additional guidance is needed such as purchasing commodity IT and assessing Federal Information Security Management Act security levels.
• Acquiring knowledge and expertise: Agencies may not have the necessary tools or resources, such as expertise among staff, to implement cloud solutions. DHS officials explained that delivering cloud services without direct knowledge of the technologies has been difficult. Similarly, a Department of Health and Human Services official stated that teaching their staff an entirely new set of processes and tools — such as monitoring performance in a cloud environment — has been a challenge. For example, an HHS official noted that the 25-Point Plan required agencies to move to cloud-based solutions before guidance on how to implement it was available. As a result, some HHS operating divisions were reluctant to move to a cloud environment. In addition, Treasury officials noted confusion over National Institute of Standards and Technology definitions of the cloud deployment models, but noted that recent NIST guidance has been more stable.
• Certifying and accrediting vendors: Agencies may not have a mechanism for certifying that vendors meet standards for security, in part because the Federal Risk and Authorization Management Program had not yet reached initial operational capabilities.
• Ensuring data portability and interoperability: To preserve their ability to change vendors in the future, agencies may attempt to avoid platforms or technologies that "lock" customers into a particular product. For example, a Treasury official explained that it is challenging to separate from a vendor, in part due to a lack of visibility into the vendor's infrastructure and data.
• Overcoming cultural barriers: Agency culture may act as an obstacle to implementing cloud solutions. For example, a Department of State official explained that public leaks of sensitive information have put the agency on a more risk-averse footing, which makes it more reluctant to migrate to a cloud solution.
• Procuring services on a consumption (on-demand) basis: Because of the on-demand, scalable nature of cloud services, it can be difficult to define specific quantities and costs. These uncertainties make contracting and budgeting difficult because of the fluctuating costs associated with scalable and incremental cloud service procurements. For example, HHS officials explained that it is difficult to budget for a service that could consume several months of budget in a few days of heavy use.
In the end the GAO concluded that while there has been significant progress in implementing cloud systems, "until agencies' cloud implementations are sufficiently planned and relevant systems are retired, the benefits of federal efforts to implement cloud solutions — improved operational efficiencies and reduced costs — may be delayed or not fully realized."