Feds Advance Cloud Adoption Plans

The federal government has made a number of moves on several fronts in the past two  weeks with respect to its cloud computing initiatives. It has issued a new request for quotations for infrastructure-as-a-service, updated its Apps.gov cloud computing store, released a report on the state of public sector cloud computing, revealed details about a cloud security effort, and formally launched a cloud standards effort.

First, after a failed first attempt, the General Services Administration last week quietly re-started its search for infrastructure-as-a-service providers whose services will eventually appear in the federal government's cloud computing application store, Apps.gov. GSA has posted an RFQ on the GSA's newly announced cloud computing reference site, info.apps.gov, whereas the old RFQ was only posted on a site made available to government employees and some contractors.

The new procurement vehicle replaces one that was posted last summer that sought similar services. The earlier RFQ laid out the ground rules for being an infrastructure-as-a-service provider to the federal government, but was canceled at the beginning of March in order to create a new RFQ that better represents the government's needs and the state of the fast-evolving cloud computing market. Quotes based on the new RFQ are due from vendors by June 15.

The 78-page document, first posted on eBuy on May 13, includes requests for storage services, virtual machine services, and cloud-based Web hosting. It lays out the government's requirements for infrastructure as a service, including essential elements like on-demand self-service, ubiquitous network access, location independent resource pooling, rapid elasticity, and visibility into service usage. In addition, it outlines service provisioning requirements, an uptime requirement of 99.5% service availability, disaster recovery requirements, and more.

The new RFQ has been expected to place a greater emphasis on security as well -- the old RFQ covered only "low impact" systems as characterized by federal cybersecurity compliance guidance, while the new RFQ requires services to meet the needs of "moderate impact" systems in terms of confidentiality, data integrity and availability.GSA is also aiming to give its Apps.gov cloud computing Website a jumpstart by adding a new information-heavy area on Apps.gov. While Apps.gov has gotten off to a slow start in terms of actual transactions completed -- only 170 through early May, according to the Wall Street Journal -- visitors have been using Apps.gov to do research and so GSA this week launched info.apps.gov, a site to give those visitors more of what they've been looking for.

In addition to the cloud RFQ, info.apps.gov includes links to highlighted articles about public sector cloud computing, a calendar of upcoming cloud-related events, details about cloud computing, reference documents on everything from the government's cloud strategy to NIST's cloud computing definition, 29 possible usage scenarios, and case studies from several agencies.

Meanwhile, the CIO Council on Thursday released a new report, "State of Public Sector Cloud Computing," which outlines the scope of federal cloud initiatives and provides 24 case studies of cloud computing in federal, state and local government.

The government is also moving forward with a recently announced shared security certification and accreditation process known as FedRAMP, which will be led in the near term by GSA CISO Kurt Garbars, who this week took on an additional role as chair of the cloud computing security work group of the CIO Council's cloud computing advisory council.

FedRAMP, which NIST computer scientist Peter Mell characterized Thursday at NIST's Cloud Computing Forum and Workshop as a "government-wide initiative to provide joint authorization services," will be in a planning phase until the end of the fiscal year as details like how it will be implemented and who will pay for it are worked out.However, Mell noted that the Department of Defense and even the intelligence agencies have bought into the concept, giving it broad support, and both Microsoft and Google are actively working through the first FedRAMP pilot authorizations.

The cloud RFQ makes reference to requirements that full authorization via FedRAMP must be done before any ordering is done and that the cost of FedRAMP authorizations could be factored into pricing, Katie Lewin, director of GSA's cloud computing program, said in a brief interview Thursday that the RFQ may be modified slightly because FedRAMP isn't likely to be able to accept vendors quite yet.

Finally, NIST announced Thursday that it has decided to help facilitate the collaborative development of standards for cloud computing in an effort it calls Standards Acceleration to Jumpstart Adoption of Cloud Computing (SAJACC). According to Dawn Leaf, NIST's new senior executive for cloud computing, SAJACC aims to accelerate the development of cloud standards and develop some consensus around elements of cloud computing which are amenable to standardization.

In general terms, SAJACC will define specific use cases cloud computing standards could cover, such as moving a virtual machine between clouds, develop methods to test whether those scenarios are actually possible by creating test specs and executing against them, and posting this information on a cloud standards portal that it plans to launch.

"We're not trying to write cloud computing standards, but are trying to do some testing on reasonable system interfaces or specifications of systems and make the test results available so people can see something is absolutely possible because the test results show it," NIST senior computer scientist Lee Badger said Thursday.