Bill Aims to Bolster Use of Cloud Services by U.S. GovernmentBackers Portray Cloud as a More Secure Alternative to Legacy Systems
A bipartisan group of lawmakers has introduced identical bills in the House and Senate to encourage agencies to use secure cloud computing services as an alternative to continued reliance on legacy systems, which some government officials and IT security practitioners say puts data at risk.
See Also: Securing Data Before the Cloud
The Modernizing Outdated and Vulnerable Equipment and Information Technology Act - known as the Move IT Act - aims to enhance cybersecurity while reducing wasteful spending by hastening the federal government's transition to cloud computing.
"Using these old systems makes data housed by federal agencies more vulnerable to digital attacks, and it's a gigantic waste of taxpayers' money," says one of the bill's sponsors, Rep. Will Hurd, R-Texas. "There is a better way to do this. This legislation is an outside-the-box, innovative solution and is another step forward in modernizing our digital infrastructure."
About three-quarters of the federal government's annual $80 billion IT budget is devoted to operating and maintaining existing systems, and the amount earmarked for investments in new systems has plunged by $7.3 billion since 2010, according to a Government Accountability Office audit published earlier this year (see ISMG Security Report: To Whom Should CISO Report?).
Significant Security Vulnerabilities
David Powner, GAO director of information management issues, questions whether the government gets value from investing so much money in legacy systems. "Not only are they old and they're difficult and complex to maintain, but you also have security issues because you've got hardware and software that are no longer supported, and there are significant security vulnerabilities associated with these systems," he says.
In April, the Obama administration unveiled a program to spend $3.1 billion next year to seed a fund to improve cybersecurity by modernizing federal information systems (see White House Proposes $3 Billion Fund to Modernize Federal IT).
The Move IT Act instead would require each agency to establish an IT modernization and working capital fund, which could be financed through redirecting funds intended for the operation and maintenance of legacy systems.
Some IT security experts see cloud services as offering a more secure computing environment. "If you use modern, advanced technologies instead of trying to drag forward your old concepts into the new world, you can save money and lower your risks at the same time," says Tom Patterson, chief trust officer at systems integrator Unisys.
Robert Bigman, an independent IT security consultant who served for 15 years as CISO at the Central Intelligence Agency, contends that "for a few more dollars" federal agencies and other enterprises using cloud services would receive "better configuration security, better auditing, better identification and authentication and better encryption" than what legacy systems furnish.
Factors to Consider in Making the Shift
Cloud services are not fundamentally more or less secure than in-house systems. If organizations "maintain their software and their hardware in an up-to-date manner, and they have good security around their data center, then the cloud is no more secure than they are," says Mac McMillan, CEO of the security consultancy CynergisTek. "But if they're having trouble doing that, or if they're not able to do that, then the cloud may present a better option, and a more secure option."
David McClure, who once led the federal government cloud-vetting program known as FedRAMP - the Federal Risk and Authorization Management Program - stresses that it's critical for enterprises to have an understanding of services, applications, interfaces and networks of any IT architecture, especially those hosted by third parties, such as cloud service providers, to grasp their security weaknesses and vulnerabilities.
And employing cloud services could present a challenge for enterprises in keeping track of their critical assets.
It's a problem the Defense Department faces. "Without accurate and complete inventories of cloud computing systems, [DoD] agencies did not know the extent to which their data resided outside their information system boundaries and were, therefore, subject to the inherent risks of cloud systems," Carol Gorman, DoD assistant inspector general, readiness and cyber operations, said in an audit issued in December (see Tracking Cloud Services: An Essential Security Step).
The Move IT Act aims to bolster FedRAMP, which facilitates the certification of cloud service providers that qualify to be used by federal agencies. The legislation would require the Office of Management and Budget and the General Services Administration, which administers FedRAMP, to streamline and accelerate the FedRAMP accreditation process for cloud service providers. The bill would establish a public-private liaison group to facilitate information sharing and identify best practices, including security, for cloud service providers and the FedRAMP office.
The legislation also would require OMB and the National Institute of Standards and Technology to establish performance metrics for the FedRAMP process of authorizing cloud service providers to sell cloud services to federal agencies.
The bill also would require agencies' CIOs to assess cloud computing opportunities and issue policies and guidelines for adopting a standardized approach to assess the security of cloud products and services.
One of the bill's sponsors, Democratic Rep. Gerry Connolly of Virginia, sees great potential for cloud services as a replacement for unsecure older systems. "We have not yet fully realized the potential for cloud computing to transform the way the federal government uses IT and to spur the transition away from hard-to-maintain, unsecure legacy systems," he says.