For contractors, offering federal cloud services is a risky business
Security and data retention requirements specific to the government raise the stakes for vendors to make sure they frame their services correctly, law firm says.
Companies offering cloud services to government agencies will have to address federal security and data retention requirements, possibly making it difficult for small businesses to sell their services, according to a new report released by a law firm.
Contractors face legal risks when assisting federal agencies in implementing cloud computing, the practice of purchasing computing services that are stored and maintained by third-party providers, according to a white paper released by the law firm Reed Smith.
"You have to accept certain federal terms and conditions, and they're unique and different from those in commercial contracts," said Lorraine Mullings Campos, a partner with Reed Smith and co-author of the white paper.
Security is one area in which the risks are higher for contractors, because cloud services providers must meet additional expectations and ensure their applications comply with the 2002 Federal Information Security Management Act, which requires a lengthy certification and accreditation process.
"The cloud isn't unique, but . . . the requirements of FISMA [make it] much worse," said Gunnar Hellekson, chief technology strategist for Red Hat's public sector team. "I can provide a single service, [but] . . . I'd have to produce 92 separate pieces of documentation."
A government initiative being developed to address the security issue is the Federal Risk and Authorization Management Program (FedRAMP), which offers services to certify information systems in the cloud meet FISMA guidelines, including continuous network monitoring. The program is based on risk management processes defined by the National Institute of Standards and Technology in Special Publication 800-37.
Hellekson also pointed to the Security Content Automation Protocol, which vendors can use to test computer networks and tools for compliance with the Federal Desktop Core Configuration, which requires agencies to standardize operating systems and browser settings to prevent breaches.
These federal standards actually could advance by creating a safe space for the market to develop, Hellekson said.
"In cloud, everything old is new again," he added. "We had similar discussions about security when agencies first considered outsourcing applications," which were hosted by service providers on their computer servers. "In the absence of policy pushes, there is enough risk in cloud deployments that people might be afraid to do it."
Another obstacle is agencies' expectations of data availability, according to the report.
"If data is lost or not available, there's little recourse the commercial customer can take against the cloud provider," said Stephanie Giese, an associate at Reed Smith and co-author of the white paper. "But for government, particularly if it's important to national security, there must be 24-hour access to data."
Expectations typically will be written into stricter service-level agreements. "Full understanding of the expectations between parties is crucial not only because of legal implications for the contractor but also implications to the agency themselves in terms of their own reputations," said Steven Kousen, vice president of federal engineering and cloud computing services with Unisys. "All requirements have to be built in to the contract from the beginning, so the contractor or vendor or system integrator can understand whether they're even qualified to respond."
Although large government contractors, many of whom have started offering cloud services, are well-equipped to manage the demands of federal customers, the launch of the online storefront website Apps.gov, where agencies can purchase cloud-based IT services, and the announcement of federal contracts offering cloud services could drive more niche players to compete for federal opportunities.
"Because of this new marketplace opportunity, you have a lot of niche players that were born based on the idea that they can meet this business model," Kousen said. "But they don't always have the market background. They need help, or else they'll get into trouble."