Cloud Computing and Government Data: Navigating a Complex Landscape

Cloud computing is a concept for enabling on-demand network access to a shared pool of programmable computer resources that can be swiftly deployed and released with no management overhead. This technology provides a big opportunity for government contractors to minimize IT and cybersecurity maintenance costs by utilizing cloud-based services. However, hosting government data on the cloud is a complex matter that must be carefully considered in terms of legal, regulatory, and security factors.

Government data, particularly nonpublic information, is subject to protecting obligations. These standards vary according to the sensitivity level of the information, which ranges from public to classified data. The broadcast and use of public information, such as press releases and non-login federal websites, is subject to few limitations. In contrast, Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) are subject to stricter security procedures. FCI refers to non-public information produced or generated for the government under a contract, omitting simple transactional information required for payment processing. CUI refers to unclassified material that requires protection or dissemination controls under law, regulation, or government policy.

The Federal Acquisition Regulation (FAR) 52.204-21 governs FCI security, outlining precise standards for limiting information system access, controlling external information systems, and protecting organizational communications. Contractors must pass on these criteria to all subcontractors whose information systems will handle FCI, unless the subcontractor's services are commercially available off-the-shelf (COTS). However, the definition of Software as a Service (SaaS) services as COTS is uncertain, which complicates compliance.

When it comes to CUI, the Department of Defense (DoD) has taken a stance that requires contractors who use external cloud service providers to ensure that the providers meet security standards equivalent to those established by the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline. FedRAMP is a standardized approach to security assessment and authorization of cloud services used by federal agencies. Obtaining FedRAMP authorization is a demanding process of adopting and evaluating a set of safeguarding measures based on the impact degree of the information handled by the service.

One of the most difficult aspects of employing cloud services for government data is the concept of "equivalency" with FedRAMP permission. The Department of Defense has clarified this issue, stating that equivalency is met if the cloud service provider's System Security Plan (SSP) or other security documentation adequately describes the system environment and responsibilities, the status of the required controls, and a Customer Responsibility Matrix that maps to the NIST SP 800-171 requirements. However, the DoD has created some ambiguity by requiring 100% compliance with all FedRAMP criteria and no Plans of Action and Milestones (POA&Ms), which may present difficulties for contractors and cloud service providers.

FedRAMP status is provided to cloud service providers (CSPs) who successfully complete the FedRAMP authorization procedure, which evaluates their security measures and compliance with federal cloud security standards. Some of the prominent cloud providers that have obtained FedRAMP status are:

1. Amazon Web Services (AWS): AWS provides a wide range of cloud services, including many offerings that have received FedRAMP authorization at varying impact levels (e.g., FedRAMP Moderate, FedRAMP High).

2. Microsoft Azur: Azure offers a complete range of cloud services, including those that have received FedRAMP authorization.

3. Google Cloud Platform (GCP): GCP provides cloud computing services and has received FedRAMP certification for several of its products.

4. IBM Cloud: IBM Cloud offers a number of cloud services, including infrastructure as a service (IaaS) and platform as a service (PaaS), and has received FedRAMP authorization for certain of them.

5. Oracle Cloud: Oracle Cloud provides cloud infrastructure and platform services, and several of its offerings have received FedRAMP approval.

6. Salesforce: Salesforce offers cloud-based customer relationship management (CRM) and other commercial tools, and some of its services have been FedRAMP certified.

These are only a few FedRAMP-compliant cloud providers. The list of authorized providers is constantly changing as additional CSPs complete the licensing procedure. The FedRAMP Marketplace website (https://marketplace.fedramp.gov) has the most recent list of FedRAMP-authorized providers and services.

In addition to FedRAMP regulations, contractors must be aware of additional potential dangers, such as provisions governing incident reporting, harmful software, media preservation, access to material for forensic investigation, and cyber incident damage assessment. Furthermore, handling export-controlled information in the cloud requires careful thought to ensure compliance with licensing requirements and access restrictions for non-US persons.

In summary, while cloud computing provides tremendous benefits to government contractors, it is critical to manage the complex ecosystem of legal, regulatory, and security obligations with caution. Contractors must choose cloud service providers who understand the complexities of government data, commit to satisfying the criteria, and provide transparent evidence to verify compliance. Contractors can take use of the benefits of cloud computing while maintaining the security and integrity of government data.

For more articles that enhance your engagement with federal procurement & contracting throughout its various phases, please view our home page.

For blog posts about recent government contracting news and information, please click here.

For our coaching services, please click here.

For our training courses, please click here.

© 2024, Fed Contract Pros™. All Rights Reserved. The content on this website, including but not limited to articles, images, videos, and logos, is the property of Fed Contract Pros™ and is protected by copyright and other intellectual property laws. No part of this website may be reproduced, distributed, or transmitted in any form or by any means, including photocopying, recording, or other electronic or mechanical methods, without the prior written permission of Fed Contract Pros™, except in the case of brief quotations embodied in critical reviews and certain other non-commercial uses permitted by copyright law. For permission requests, write to the attention of the "Permissions Coordinator" at the address below: info@fedcontractpros.com .

The content on this website is provided solely for educational and informational purposes and should not be construed as legal advice, guidance, or a guarantee of any specific result. The material covered is intended to offer general information on the topics discussed and is not tailored to any specific circumstances or individual needs. Please note that laws and regulations may vary by jurisdiction and are subject to change, rendering the information outdated or inapplicable. Therefore, the content should not be used as a substitute for seeking professional legal counsel. If you require legal advice or services, please consult with a qualified attorney or legal professional in the relevant field.