The US government’s “cloud first” initiative has boosted and secured the cloud industry
The Federal Data Center Consolidation Initiative (FDCCI) handed a mandate to the federal government to reduce the costs and increase the efficiency of government-operated data centers. How can private industry profit from the government’s experience?
Originally launched in 2010, the FDCCI was signed into law in 2014 as the Federal Information Technology Acquisition Reform Act (FITARA). In 2016 it was further refined by the Data Center Optimization Initiative (DCOI). This sets out the “why and how” of consolidation efforts, and emphasizes a “cloud first” approach to government IT, which was first suggested in the original FDCCI.
By the end of 2016, as part of the DCOI, there will be a freeze on new data centers or significant data center expansions without direct approval of the Office of Management and Budget’s Office of the CIO (OFCIO). Agencies will be required to use the following guidelines, in the order listed below, as part of their consolidation efforts:
1. Transitioning to provisioned services, including configurable and flexible technology such as software-as-a-service (SaaS), platform-as-a-service (PaaS) and infrastructure-as-a-service (IaaS), to the furthest extent practicable, consistent with the cloud first policy.
2. Migrating to interagency shared services or colocation data centers.
3. Migrating to better optimized data centers within the agency’s data center inventory.
Benefits of FedRAMP
This centralized clearing house for consolidation efforts provides clarity, and the cloud first effort demonstrates demand. The monetary value of the contracts being offered by the government for cloud technologies could make or break even a good-sized company, depending upon its ability to handle, or even be eligible, for the work. The commercial vendor community has responded in providing appropriate cloud services.
Meanwhile, the government has set out security requirements under the Federal Risk and Authorization Management Program (FedRAMP). As commercial cloud services companies implement these, it will go a long way towards improving their overall security. It will also help in the market as, without question, security is the number one concern expressed by all customers of cloud service providers.
Given the level of effort that well-known cloud providers such as Amazon, Microsoft, and Google need to go through for FedRAMP accreditation, they are likely to take the simplest route and apply technical security capabilities through all versions of their product lines, while adding government-specific requirements to those that are offered to federal agencies.
All of the most familiar cloud service providers have been FedRAMP-authorized for their core cloud services. But applications also see the benefit of the security compliance audits necessary for authorization. For example, Microsoft Office 365 Government has passed through the security assessments needed to allow it to be deployed at any agency. This means that not only can the familiar Office applications be used, but also Skype for Business, OneDrive for Business, and SharePoint applications are available, all meeting the rigorous security standards.
Any commercial customer can now have the assurance that these applications have been tested to this level of scrutiny. Customers looking for identity management and single sign-on capabilities might be surprised to learn that Microsoft’s Active Directory for Azure is also available. Other well-known commercial products, such as Cisco’s WebEx, have also achieved appropriate accreditation.
Even vendors that don’t come to mind when looking for cloud services have been able to take advantage of providing services to the government. Dell was one of the first to begin offering dedicated IaaS services and now delivers Dell Cloud for the US government (DCG).
Dell offers multi-tenant IaaS to US government agencies at all levels – from local to federal, higher-education customers, federal contractors, and other government organizations that require the low and moderate levels of accreditation.
The process of meeting FedRAMP requirements is a costly one for a company, so it makes sense to get as much return on that investment as possible. For pursuing government contracts, compliance is a “get once, use many” type requirement. Once certified, specific services including IaaS, SaaS or PaaS can be included in any other government agency’s plans, without the need to be re-certified for a specific deployment.
Even though the total number of vendors currently listed on the FedRAMP website is well under 100, the impact of these requirements on the data center industry cannot be understated.
Security has been one of the biggest stumbling blocks in general business acceptance of cloud services. While various standards for different security models have long been in place, the FedRAMP guidelines, along with FISMA and FITARA and, to a lesser extent, the DISA SRG, have received a lot of attention from commercial customers.
Data center operators who hadn’t previously considered the impact of government efforts for consolidation and security have begun to see that the FedRAMP standards set an effective minimum level of security.
And there is an additional financial benefit that might attract customers. The stringent security requirements for FedRAMP certification mean that an individual customer need not pay for the development of equally strict security themselves during deployment, whether a commercial or government customer. The certification having already been achieved means that security was baked in.
Companies have found that there is enough interest from commercial customers to make it worth asking for permission to brand versions of their products as FedRAMP-approved. This has led to the US government to release a 14-page document outlining how to brand properly.
It’s clear that the government initiative has had a significant effect on the data center business as a whole. By issuing rigorous security standards it gives both technologists and operators a solid target for their own efforts, meaning that customers, both governmental and commercial, can now expect a much more secure environment by default.
It has also changed the way that data center operators do business, impacting on the way they approach offering cloud services to their customers. And, more importantly, with its stamp of approval, the government has, possibly unintentionally, placed a certain level of cachet on cloud service providers, which has raised the profile of the entire industry.
This article appeared in the July/August issue of DatacenterDynamics magazine.