WASHINGTON, D.C. - The United States federal government is moving beyond high-level cultural concerns as it looks to catch up to the private sector in cloud computing.
Instead of conversations about culture, this week's Amazon Web Services Public Sector Symposium here featured discussions about legislation and regulatory initiatives that are in the works to connect the federal government to public cloud.
Federal government poster children were paraded before the crowd at a keynote presentation with tales of success in the trenches with cloud computing -- including Healthcare.gov.
The site famously experienced freezes, crashes and other glitches when it first opened to the public in October 2013. Last year, the Centers for Medicare and Medicaid Services (CMS), which oversees the site, moved large portions of the site's consumer-facing application for coverage and health plan comparison tool to Amazon Web Services (AWS) in an effort to improve performance.
Healthcare.gov needed a system capable of handling the extreme traffic spikes generated during the health plan marketplace open enrollment period, while protecting a highly visible public site from becoming a target of attacks, according to Jon Booth, director of the website and new media group at CMS.
It took 90 days for Amazon to move from a contract award to production readiness. Now, Healthcare.gov uses a combination of Windows, Red Hat Enterprise Linux, Node.js, MySQL, Go and Postgres workloads on Amazon's Elastic Compute Cloud (EC2) and Relational Database Service, as well as Direct Connect to link the CMS network to the cloud.
As a result of the move to AWS, Healthcare.gov has successfully offered citizens open enrollment under the Affordable Care Act, offloaded significant traffic from other Healthcare.gov systems and supporting data centers, and maintained system uptime as well as the ability to scale compute resources to support traffic spikes, Booth said.
CMS has also been able to build a platform as a service which uses AWS APIs to build systems in an automated and repeatable fashion, in which system requirements are folded in at the Virtual Private Cloud and EC2 level as resources are provisioned.
Another federal agency success story told here at the Public Sector Symposium came from Mark Schwartz, CIO of the U.S. Citizenship and Immigration Services program within the Department of Homeland Security, which has developed a DevOps pipeline for creating applications that builds in security through automated testing. This move to DevOps, in which the back-end infrastructure also runs on AWS, has reduced purchasing cycles that used to take years down to programs which regularly deploy as often as once per day.
Government officials and those in regulated industries often cite security as the reason to delay a move to the cloud, but Schwartz said the cloud makes security easier.
"If we discover a vulnerability, it's easy to patch it quickly, or tear down virtual machines and start new ones," he said.
Many federal agencies still have a long way to go
While there are success stories to be told, there are plenty of federal agencies which have yet to move to the cloud because of roadblocks that include the federal IT procurement system and regulations that have to be updated to take advantage of new technology.
The Federal Risk and Authorization Management Program (FedRAMP) has been a step in the right direction in providing consistent guidelines on security assessment, authorization and continuous monitoring for cloud services, according to Gerry Connolly, a member of the U.S. House of Representatives who spoke about migration challenges to the federal cloud.
But there is still much left to be desired about the federal IT procurement process, Connolly said. Of $84 billion spent annually on government IT procurement, $20 to $30 billion is spent maintaining legacy systems. And recently, the Office of Personnel Management (OPM) was hacked in a massive data breach that stole personal information on millions of federal employees, which exposes the vulnerabilities of antiquated systems still being used in government, Connolly said.
"Some systems are so old encryption is not possible," Connolly said, adding that the OPM sees some 10 million hacks per month. At the IRS, employee hard drives crash so often they're instructed to print and save important documents.
"This is the most reliable way to manage the tax system of the U.S.?" Connolly said. "We can't accept that."
Thus he is among House supporters of a bill called the Federal Information Technology Acquisition Reform Act (FITARA), which aims to reduce duplication and waste in the federal IT procurement process.
Meanwhile, even agencies which have authorization to connect to the cloud struggle with a way to connect mobile users with cloud resources without having to go through agency networks. In the works to fix this is a pilot program being undertaken by AWS and other cloud providers to become Trusted Internet Connection (TIC) Ready for such workloads.
Right now, agency networks are overloaded.
"The pipes just aren't big enough," said Matthew Goodrich, director of FedRAMP for the General Services Administration.
However, the TIC Overlay Pilot, as the project with Amazon is officially named, is still in the testing phase, with an assessment report from Amazon due in August. Until it's finished, some federal agencies will have to wait to go to the cloud.
"These standards for security are preventing one of my customers from going to AWS," said one account executive with a value-added reseller (VAR) who works with federal agencies.
Other attendees here who work with federal agencies said they still doubt their departments will ever move to cloud, in part because they usually can't do their own background checks on cloud data center employees.