There’s clearly a lot to learn in public sector cloud computing. As cloud providers seek more government business, they need to get up to speed on federal-specific requirements. Government agencies, meanwhile, need to review vendors’ security profiles. Into that environment steps Apptis Inc., an IT and communications service provider based in Chantilly, Va. The company this month announced its cloud services offering. Here's the background.
Apptis taps Amazon Web Services, as available under its General Services Administration Schedule 70 contract. GSA’s Schedule 70 is open to federal as well as state and local government agencies. Apptis aims to position itself at the intersection of cloud provider and government customer. The company offers a broker service in which it takes on a chunk of the work agencies would typically need to do to vet the security of a new system. The Federal Information Security Management Act (FISMA) calls for agencies to put systems through a certification and accreditation (C&A) process before moving them into production. Agencies must document the controls -- security measures -- that safeguard a given system.
In the case of a cloud service, some 150-plus controls* need to be accounted for. Apptis offers to document the security controls and give them to a third party to validate, noted Cameron Chaboudy, director of the Advanced Technology Group at Apptis.
Apptis’ documentation job applies to the cloud infrastructure layer; agencies will handle the C&A legwork associated with the application they plan to run on the cloud. But Chaboudy says Apptis’ infrastructure work will cover 80 percent of an agency’s C&A chore. And therein lies the potential for cost savings: Apptis estimates that 15 percent of a federal agency’s IT project cost is linked to C&A. In its FY2009 report on FISMA implementation, the Office of Management and Budget pegged the average C&A cost per system at $78,000.
Apptis believes cloud vendors can also benefit from its security work. Conceivably, a multitude of government entities could descend on a vendor to certify its service offering. But when the process goes through Apptis, vendors are insulated from having to work individually with numerous agencies, noted William (Bill) Perlowitz, vice president of the Advanced Technology Group at Apptis.
“They just deal with one broker,” he said.
Other Cloud Services

Apptis also offers professional services as part of its cloud lineup. The company will help agencies define their cloud strategies and design cloud solutions. Apptis also provides cloud engineering services, in which the company helps customers migrate applications to the cloud or develop new ones. In addition, Apptis provides its FedCloud.com portal, which lets customers provision cloud computing and storage services and keep tabs on the services they use.
Federal IT policy favors cloud computing at the moment, but agencies still have misgivings when it comes to resource control and security. The Apptis cloud service offering is an attempt to bridge that gap.
* Apptis breaks down the list of controls as follows: National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 currently contains 154 security controls for the FIPS 199 moderate-impact category. In addition to these, there are somewhere between 50 and 70 cloud-specific controls that will soon be issued from the FedRAMP program. These additional controls have been jointly agreed to by the GSA, DHA, and DoD.

MSPmentor will continue its government cloud watch in the days ahead.