Government cloud adoption: Certifications are speeding progress

By Microsoft Industry for Government Team

May 29, 2015

When it comes to government agencies implementing cloud technologies, progress to-date has been somewhat below expectations. However, as reported in “ From Promise to Reality: How Local, State and Federal Government Agencies Achieve Results in the Cloud,” a new report from Forbes Insights, conditions are right for rates of adoption to soar. In particular, agencies like the Federal Bureau of Investigation (FBI) and the Internal Revenue Service (IRS) have recently agreed to certify the cloud services of certain carefully vetted providers. This prized, highly selective designation is likely to trigger an avalanche of cloud adoption.

It’s all about that data

For many years, the most vocal objections to cloud migration in government have been over data security. But today that argument has lost its credibility. As Brunson White, secretary of information technology for the State of Alabama, explains, “For cloud providers — particularly those specializing in cloud for government — data security is everything. However, leading providers are gaining accreditation from a range of government entities.” Overall, says White, a leading provider can, in many instances, “create a more secure environment than the one currently in place.” So going to the cloud, says White, can actually enhance data security.

But not all clouds are created equal. As such, one of the first steps any government agency should take in its evaluation of any cloud provider is to examine its official government accreditations. Some of the most vital to consider include:

FedRAMP. The Federal Risk and Authorization Management Program (FedRAMP) reviews and certifies cloud providers and applications for government use. Once FedRAMP issues an “authority to operate,” a cloud program is cleared for use.
CJIS. Providing the information backbone for the FBI, Criminal Justice Information Services (CJIS) manages some of the nation’s most sensitive data. As such, CJIS interaction is essential to all federal, state and local law enforcement agencies — and any network seeking access must be CJIS certified. Also of note: cloud providers seeking this accreditation must sign a “CJIS Security Addendum,” acknowledging their legal accountability for data security. As such, CJIS certification indicates a highly secure environment.
IRS 1075. A key set of rules from the IRS, IRS 1075 sets out the encryption standards all agencies must follow to protect taxpayer information.
HIPAA. The Department of Health and Human Services establishes Health Insurance Portability and Accountability Act (HIPPA) guidelines for the protection of individual health records.
ECSB. The Defense Information Systems Agency operates what it calls the Enterprise Cloud Service Broker (ECSB). The goal of this entity is to evaluate and certify private-sector cloud providers for specific Department of Defense applications.

Another critical aspect of all of the above is that there will often be instances where the necessary accreditations will overlap. What some call a “trifecta” in accreditation could potentially occur any time a child welfare worker makes a home visit. Immediately, HIPAA standards come into play, as the worker will likely make a health assessment. In addition, both IRS 1075 and CJIS rules may be invoked, as child support payments and criminal acts are often associated with such visits. Thus, any cloud application for such case managers would need to comply with all three sets of rules, and very likely will conform to the most rigorous standard.

Only leading providers of cloud-based services using the latest in data security techniques as well as authentication and control environments can gain the above certifications. But just the fact that these certifications exist — and agencies are awarding them — indicates the high quality of data security ensured by some of today’s top government cloud providers.

With leading cloud providers achieving accreditations like those above, cloud adoption by government is poised to accelerate greatly.

The above discussion is abstracted from the Forbes Insights research report: “From Promise to Reality: How Local, State and Federal Government Agencies Achieve Results in the Cloud.” Developed in collaboration with Microsoft, the study features interviews with government executives who are leading the charge in cloud adoption as well as with various analysts and technology providers including Microsoft and its partners. To read more about insights gleaned from the report, visit the Microsoft Fire Hose blog post. In addition, leaders from government with an interest in better understanding how they can harness the cloud to improve their performance may also want to sign up for a related webinar: “ Transforming Government in a Mobile-First, Cloud-First World.”