As the nation’s first federal chief information officer (CIO), Vivek Kundra published a “ .” This plan’s overarching goal was to deliver more value to the American public with regard to IT spending. In addition, he put in place a “Cloud First” policy. This was done to better serve the American people by:
- Accelerating a safe and secure adoption of cloud computing;
- Shifting up to $20 billion worth of federal IT spending to cloud-based solutions, and
- Focusing on mission-critical tasks instead of on purchasing, configuring and maintaining redundant infrastructure.
All federal agencies are in the process of moving to the cloud. My question is: How do we continue to facilitate this transfer of data, and consolidation of redundant infrastructure, while at the same time ensuring security and privacy protections are in place to foster the trust of the American people? Our entire democracy is built upon trust.
All federal agencies must have a cohesive strategy in order to protect the data that has been entrusted to them, regardless of where the data is actually stored. Federal managers must have an understanding of the level of risk associated with their specific cloud strategies.
Privacy must be built into the front end of the overall process, not added on toward the end. This will require an immense shift in the mindset of every participant on the team. It is an enormous cultural change that will require cross-organizational training for all members of the system design life cycle (SDLC) as well as all acquisition pipelines.
Any plan to place federal data into a cloud environment cannot truly succeed without the cooperation of, and thorough review of the cloud-based solution by, your security, privacy, acquisition, contracts, management and legal counsel’s offices. Ten specific areas are highlighted in the paper titled, “ .” The 10 areas are:
- Selecting a cloud service
- Cloud Service Provider (CSP) and End-User Agreements
- Service Level Agreements (SLAs)
- CSP, agency and integrator roles and responsibilities
- Standards
- Security
- Privacy
- E-Discovery
- Freedom of Information Act (FOIA)
- E-Records
The Feb. 24 document is a first step in providing guidance to successful implementation of the “Cloud First” strategy. In addition to the 10 areas mentioned, the document also has an Appendix A, where suggested procurement preparation items are listed in checklist-formatted questions in the areas of general questions, service-level agreement, CSP and end-user agreements, e-discovery, cybersecurity, privacy, FOIA and recordkeeping.
These questions will help in the preparation of a successful launch of IT services into the cloud.
Listed below are general ideas that will assist you in your attempt to protect the data:
- Agencies should ensure the CSPs have completed a Security and Privacy Authorization that assesses the risk level and confirms it is commensurate with the sensitivity of the data to be stored in the cloud.
- Contracts with CSPs shall be prepared with great care and in concert with all stakeholders and experienced members of the team—security, privacy, acquisitions, contracts and management—to ensure that specific items are included in the contract. Failure to put forth sufficient effort at this stage will greatly limit your recourse in the event of a loss incident and put your agency at risk of unsecured data being lost or stolen. That, in turn, means incurring the penalties and fines associated with the loss, not to mention the embarrassment to the agency before the general public.
- All federal agencies are required to use the Federal Risk and Authorization Management Program (FedRAMP). This is a platform set up in December of 2011 by the White House to help federal agencies manage security risks and computing costs. Fully understanding the security risk to the data allows controls and a protection methodology to be incorporated into the cloud solution from the start.
Current Federal CIO Steve VanRoekel is in place to help build an IT infrastructure that works better for the American people. Maximizing IT return-on-investment and improving the productivity of all IT systems is essential in order to obtain the desired positive effect as we move forward.
In February, the Obama administration held a privacy summit at the White House that produced a “Consumer Privacy Bill of Rights.” This is intended to be a blueprint that gives users more control over how their personal information is used over the Internet and helps businesses maintain trust in the rapidly changing digital environment. Elevating privacy to the point of a White House visit by privacy professionals clearly shows the importance of privacy matters to the federal government. It is our job as privacy professionals to build on this historic first step and continue to protect the privacy of the information we collect in our daily work. Throughout all of this innovation, IT sharing, consolidation and cost-savings efforts, one thing must remain constant. Regardless of whether your information is being collected by commercial entities or by the government, one best-practice statement soars above all others: “If you collect it, you must protect it.”