Cloud Computing Concerns at GSA
STATEMENT OF DR. DAVID MCCLURE
ASSOCIATE ADMINISTRATOR
OFFICE OF CITIZEN SERVICES AND INNOVATIVE TECHNOLOGIES
GENERAL SERVICES ADMINISTRATION
BEFORE THE HOUSE COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM
SUBCOMMITTEE ON GOVERNMENT MANAGEMENT, ORGANIZATION, AND PROCUREMENT
JULY 1, 2010
Chairman Towns, Chairwoman Watson, and Members of the Committee, I am David McClure, Deputy Administrator, Office of Citizen Services and Innovative Technologies at the General Services Administration (GSA). Thank you for the opportunity to appear before you today to discuss GSA’s role in supporting development and deployment of cloud computing technology.
Cloud computing enables convenient, rapid, and on-demand computer network access, most often via the Internet, to a shared pool of configurable computing resources (in the form of servers, networks, storage, applications, and services). Quite simply, it is the way computing services are delivered that is revolutionary. Cloud computing allows users to provision computing capabilities rapidly and as needed; that is, to scale out and scale back as required, and to pay only for services used. Users can provision software and infrastructure cloud services on demand with minimal, if any, human intervention. Because cloud computing is based on resource pooling and broad network access, there is a natural economy of scale that can result in lower costs to agencies. In addition, cloud computing offers a varied menu of service models from a private cloud operated solely for one organization to a public cloud that is available to a large industry group and the general public and owned by an organization that is selling cloud computing services.
At GSA, we think the adoption of safe and secure cloud computing by the Federal government presents an opportunity to close the IT performance gap. Various forms of cloud computing solutions are already being used in the federal government today to save money and improve services. Let me illustrate with just a few examples:
The Department of the Army Experience Center in Philadelphia is piloting the use of a customer relationship management (CRM) tool. The Center is a recruiting center that reaches out to young people who are interested in joining our armed forces. The Center wants to move to real time recruiting and to use tools and techniques that are familiar and appeal to its young demographic. They are using a CRM provided by SalesForce to track recruits as they work with the Center. Since the tool integrates directly with e-mail, Twitter and Facebook, recruiters can maintain connections with potential candidates directly after they leave the Center. The Army estimated that to implement a traditional CRM would have cost $500,000. The cloud-based solution has been implemented at the cost of $54,000.
The Department of Energy is evaluating the cost and efficiencies resulting from leveraging cloud computing solutions across the enterprise to support business and scientific services. The Lawrence Berkeley Lab has deployed over 5,000 mailboxes on Google Federal Premiere Apps and they are now evaluating the use of Amazon Elastic Compute Cloud (EC2) to handle excess capacity for computers during peak demand. The Lab estimates that they will save $1.5 million over the next five years in hardware, software and labor costs from the deployments they have made.
Finally, my own agency, GSA, has moved the primary information portal, USA.gov, to a cloud-based host. This enabled the site to deliver a consistent level of access to information as new databases are added, as peak usage periods are encountered, and as the site evolves to encompass more services. By moving to a cloud, GSA was able to reduce site upgrade time from nine months to one day; monthly downtime improved from two hours to 99.9% availability; and GSA realized savings of $1.7M in hosting services.
In addition to improved services, GSA anticipates that cloud computing will be a major factor in reducing the environmental impact of technology and help achieve important sustainability goals. Effective use of cloud computing can be part of an overall strategy to reduce the need for multiple data centers and the energy they consume. Currently, GSA is supporting OMB in working with agencies to develop plans to consolidate their data centers. Using the right deployment model – private cloud, community cloud, public cloud, or a hybrid model – can help agencies buy improved services at a lower cost within acceptable risk levels, without having to maintain expensive, separate, independent and often needlessly redundant brick and mortar data centers.
In February 2010, the Federal CIO announced the Federal Data Center Consolidation Initiative. In it, he designated two Federal agency CIOs – Richard Spires (DHS) and Michael Duffy (Treasury) – to lead the effort inside the Federal CIO Council. It also highlighted the following goals:
• Reduce the cost of data center hardware, software and operations
• Increase the overall IT security posture of the government
• Shift IT investments to more efficient computing platforms and technologies
• Promote the use of Green IT by reducing the overall energy and real estate footprint of government data centers
GSA has a significant leadership role in supporting the adoption of cloud computing in the federal government. We have concentrated our efforts on facilitating easy access to cloud based solutions from commercial providers that meet federal requirements, enhancing agencies’ capacity to analyze viable cloud computing options that meet their business and technology modernization needs, and addressing obstacles to safe and secure cloud computing. In particular, GSA facilitates innovative cloud computing procurement options, ensures effective cloud security and standards are in place, and identifies potential multi-agency or government-wide uses of cloud computing solutions. GSA is also the information “hub” for cloud use case examples, decisional and implementation best practices, and sharing exposed risks and lessons learned. We have set up the Info.Apps.Gov site as an evolving knowledge repository for all government agencies to use and contribute their expertise.
Let me briefly highlight how GSA is specifically providing execution capabilities to empower sensible cloud computing adoption in the federal government.
Federal Cloud Computing Project Management Office
In March of 2009, the Federal Chief Information Officer (CIO) Council identified cloud computing as a priority for meeting the growing need for effective and efficient use of information technology to meet the performance and mission needs of the government. To assist in fostering cloud computing adoption, the Federal Cloud Computing Program Management Office (PMO) was created in April of 2009 at GSA. The PMO resides in the Office of Citizen Services and Innovative Technologies and is directed by Ms. Katie Lewin, who directly reports to the Deputy Administrator for Innovative Technology, Mr. Sonny Bhagowalia. The Director of the PMO also meets weekly with the Federal CIO to report on progress, discuss risks and mitigations, identify promising cloud projects across the government and refine direction. The PMO also reports on its activities and results to the CIO Council Cloud Computing Executive Steering Committee (ESC). The ESC provides oversight for the Federal Cloud Computing Initiative and fosters communications among agencies on cloud computing. ESC Membership includes senior IT executives from across the entire Federal government.
The PMO provides technical and administrative leadership to cloud computing initiatives. PMO staff is drawn from GSA technical experts with some additional contractor support. The primary focus of the PMO is on the following activities:
• Support for the design and operation of the Apps.Gov cloud computing storefront and related cloud procurement initiatives
• Facilitating identification of key cloud security requirements (certification, accreditation, and authorization), particularly on a government-wide basis through a new FedRAMP initiative
• Promotion of current and planned cloud projects across the government
• Data center consolidation analysis, planning, and strategy support
• Development and open dissemination of relevant cloud computing information.
To augment their skill base, the PMO has formed working groups to address specific areas including security, standards and specific cloud-based solutions with government or multi-agency use, such as cloud based e-mail services. The working groups are composed of staff from across the government who bring expertise and interest to address specific obstacles or define paths to adoption. Each group is chaired by a government expert. The National Institute of Standards and Technology (NIST) led both the security and the standards groups. The e-mail group is chaired by an expert from the Department of the Interior.
Cloud Computing PMO Operations
Cloud Procurement
Cloud services are usually offered and purchased as commodities. This is a new way of buying IT services and requires careful research on both government requirements and industry capability to meet demand. To assist agencies in buying new commercially provided cloud services, GSA established a website -- Apps.Gov -- modeled on other GSA product and service acquisition “storefronts.” The purpose of Apps.Gov is to provide easy, simple ways to find, research, and procure commercial cloud products and services. Agencies can search for software as a service (SaaS) products categorized under 33 business purpose headings and get product descriptions, price quotes, and links to more information on specific products. Usage patterns to date indicate that agencies use this information to either directly buy SaaS products or, alternatively, as a source of marketplace research that is used to support cloud procurements using other vehicles such as GSA Schedule or GSA Advantage.
Apps.Gov also has information on no-cost social media applications that have agreed to “government-friendly” Terms of Service. When a user hits the SEND REQUEST button, they are linked to their agency’s social media coordinator to complete the request for use of the tool in compliance with their agency’s social media policy.
To support access to cloud-based Infrastructure as a Service (IaaS), the Cloud PMO works with the Federal Acquisition Service (FAS) at GSA. FAS has primary responsibility for operating on-line acquisition services that are available for government-wide use. In May 2009, the PMO issued a Request for Information (RFI) asking the marketplace how they would address cloud computing business models, pricing, service level agreements, operational support, data management, security and standards. The responses to this RFI were incorporated into a Request for Quote (RFQ) for Infrastructure as a Service capabilities and pricing. The result will be a multiple award blanket purchase agreement that agencies can use to procure cloud based web hosting, virtual machine, and storage services within a moderate security environment as defined by the Federal Information Security Act (FISMA). That RFQ closed yesterday and is currently in an evaluation stage.
Cloud Computing Security
One of the most significant obstacles to the adoption of cloud computing is security. Agencies are concerned about the risks of housing data off-site in a cloud if FISMA security controls and accountabilities are not in place. In other words, agencies need to have a valid certification and accreditation (C&A) process and a signed Authority to Operate (ATO) in place for each cloud-based product they use. While vendors are willing to meet security requirements, they would prefer not to go through the expense and effort of obtaining a C&A and ATO for each use of that product in all the federal departments and agencies. The PMO formed a security working group, initially chaired by NIST, to address this problem. The group developed a process and corresponding security controls that were agreed to by multiple agencies – which we have termed as the Federal Risk and Authorization Management Program (FedRAMP).
FedRAMP is a government-wide initiative to provide joint authorizations and continuous security monitoring services for all federal agencies with an initial focus on cloud computing. By providing a unified government-wide risk management for enterprise level IT systems, FedRAMP will enable agencies to either use or leverage authorizations with:
• Vetted interagency approach;
• Consistent application of Federal security requirements;
• Improved community-wide risk management posture; and
• Increased effectiveness and management cost savings.
FedRAMP allows agencies to use or leverage authorizations. Under this program, agencies will be able to rely upon review security details, leverage the existing authorization, and secure agency usage of the system. This should greatly reduce cost, enable rapid acquisition, and reduce effort.
FedRAMP has three components:
1. Security Requirement Authorities which create government-wide baseline security requirements that are interagency developed and approved. This will initially be the Federal Cloud Computing Initiative and ultimately live with the ISIMC Working Group.
2. The FedRAMP Office which will coordinate authorization packages, manage the authorized system list, and provide continuous monitoring oversight. This will be managed by GSA.
3. A Joint Authorization Board which will perform authorizations and on-going risk determinations to be leveraged government-wide. The board will consist of representatives from GSA, DoD, DHS and the sponsoring agency of the authorized system.
GSA is working with OMB, security groups including the Federal CIO Council’s Information Security and Identity Management Committee, and the marketplace to vet this program and ensure that it will meet the security requirements of the government while streamlining the process for industry.
Cloud Computing and Open Government
In the past decade, vast increases in the ubiquity and availability of storage space, bandwidth, and computing power have enabled a new class of Internet-based applications—broadly called "web 2.0"—that focus less on one-way delivery of information and more on enabling large, diverse communities to come together, share their wisdom, and take action. Increasingly, citizens—government's customers—simply expect to find the information they want and need through the use of the on-line social networks and platforms they are rapidly adopting and use as part of their everyday lives.
As our Administrator, Martha Johnson, noted upon being sworn in February 2010:
Hoarding and hiding information prevents citizens and civil servants from understanding and participating in the public process effectively…We at GSA can help change that. We can make the information more available, as a first step. And we can do much more. We can, and will, take advantage of emerging technologies for sorting, sharing, networking, collective intelligence, and using that information. Our goal is nothing short of a nation that relies not on select data and statistical boxing matches, but on accurate evidence that supports knowledge and wisdom.
Most of these new web 2.0 technologies and tools are available as cloud-based SaaS solutions and/or are hosted in cloud computing infrastructure environments. This allows the government to offer these tools and services in a very cost-efficient manner. Let me highlight a few examples:
The Common Open Government Dialogue Platform is a project undertaken by GSA in response to the Open Government Directive's mandate that agencies "incorporate a mechanism for the public to provide input on the agency’s Open Government Plan." Over the course of six weeks, GSA provided interested agencies with a no-cost, law- and policy-compliant, public-facing online engagement tool, as well as training and technical support to enable them to immediately begin collecting public and employee input on their forthcoming open government plans. Since then, GSA has worked to transfer ownership of the open government public engagement tool, powered by a cloud SaaS platform called IdeaScale, to interested agencies, in a manner that provided both policy and legal compliance, as well as support for sustained engagement. The tool was launched in February 2010 across 22 federal agencies and the White House Office of Science and Technology Policy; overall resource investment was less than $10,000 – far less than the hundreds of thousands or millions of dollars that would have resulted from agencies independently pursuing and procuring IT solutions. The agencies’ dialogue sites garnered over 2,100 ideas, over 3,400 comments, and over 21,000 votes during a six-week "live" period and the tool continues to be used by several agencies for a variety of other open government purposes.
USAspending.gov is a source for information collected from agencies in accordance with the Federal Funding Accountability and Transparency Act of 2006. This public facing web site is a cornerstone of the Administration’s efforts to make government open and transparent. Using USAspending.gov, the public can determine how their tax dollars are spent and gain insight into the Federal spending processes across agencies. It also houses the Federal IT Dashboard, which displays details on the nearly 800 major federal IT investments based on data reported to the Office of Management and Budget. This data is also now housed in a cloud infrastructure environment maintained by NASA.
Data.gov is the central portal for citizens to find, download, and assess government data. It now hosts over 270,000 data sets covering topics ranging from healthcare to commerce to education. Data.gov was one of the first public facing government websites to deploy cloud computing successfully in government. It empowers citizens by allowing them to create personalized mash-ups of information from diverse sources (e.g., local school academic scores arrayed by education spending levels), solve problems (e.g., FAA flight time arrival information), and build awareness of government’s role in activities affecting daily activities (e.g., food safety, weather, and the like).
Challenge.gov is a government-wide challenge platform that will be hosted in a cloud computing infrastructure service to facilitate government innovation through challenges and prizes. This tool provides forums for seekers (the federal agency challenger looking for solutions) and solvers (those with potential solutions) to suggest, collaborate on, and deliver solutions. It will also allow the public to easily find and interact with federal government challenges. The platform responds to requirements defined in a March 8, 2010, OMB Memo, “Guidance on the Use of Challenges and Prizes to Promote Open Government” which included a requirement to provide a web-based challenge platform within 120 days. GSA is also exploring acquisition options to make it easier for agencies to procure products and services related to challenges.
Citizen Engagement Platform will provide a variety of blog, challenge and other engagement tools to make it easy for government to engage with citizens, and easy for citizens to engage with government. The platform addresses agencies’ need for easy-to-use, easy-to-deploy, secure and policy-compliant tools. This “build once, use many” approach adds lightweight, no-cost options for agencies to create a more open, transparent and collaborative government with tools either hosted or directly managed by GSA.
Conclusion
Mr. Chairman, cloud computing has a promising future in transforming the federal government because of its ability to fundamentally reshape government IT operations used for critical government business process and citizen service delivery support. It can help shift our focus to value added use of the information we collect and provide cost effective services in a digitally and networked enabled world. Additionally, it has the potential to free up resources that have gone to support data centers and capabilities that are better leveraged across the community – at bureau, agency or cross-agency level. At GSA, we are supporting this transformation by leveraging cloud solutions and acquisitions on a government-wide basis wherever possible to maximize economies of scale.
Thank you for the opportunity to appear today and I look forward to answering questions from you and members of the Subcommittee.
Source: https://www.gsa.gov/node/78287