Congress ordered the Defense Department to develop a plan to use more cloud-computing services, a move that may lead to U.S. contracts for suppliers including Microsoft Corp., Google Inc. and Amazon.com Inc.
The fiscal 2012 defense authorization bill, approved by Congress on Dec. 15, requires the Pentagon to develop a strategy by April 1 to migrate its data to cloud-computing services to consolidate resources, according to the legislation. The cloud is a Web-based pool of shared computing resources such as software and data storage.
The White House is trying to get agencies across the government, including the Pentagon, to embrace cloud computing to reduce $80 billion in annual U.S. spending. Moving Pentagon data to cloud services raises security concerns that call for service contract requirements, said James Lewis, director of the technology and public policy program at the Center for Strategic and International Studies in Washington.
“The secret to cloud is what does your contract say about quality of service, how your data is secured and what happens if a server rack goes down,” he said. “And if you do it right you’re certainly no worse off and you might be better off.”
The Federal Risk and Authorization Management Program’s creation was announced on Dec. 8 by Steven VanRoekel, the U.S. government’s chief information officer. It will serve as a clearinghouse of information to help agencies migrate toward cloud services, including a prescreened list of service providers.
The program is intended partly to ease concerns among technology officials at U.S. agencies that the cloud is less secure than government agencies, VanRoekel said. It will establish minimum security requirements that agencies must include in contracts. The program will be rolled out in phases and become operational in six months, according to the Office of Management and Budget.
The defense authorization bill doesn’t set a timeline for when the Pentagon must migrate to cloud services. Addressing security concerns, the bill stated that the Pentagon should use “computing services generally available within the private sector that provide a better capability at a lower cost with the same or greater degree of security.”
It also directs the Pentagon to use privately managed security services for data centers and cloud computing. Intelligence agencies such as the National Security Agency and the National Reconnaissance Office may be exempt from using cloud services when the Pentagon and director of national intelligence consider an exemption appropriate, according to the bill.