Federal Cloud Spending Is Surging, But An Outdated Process Could Slow Its Data Center Growth

The federal government represents a growing segment of the exploding cloud services market, but its private sector partners say the decade-old system to authorize cloud products for government use needs some serious tweaks.

As agencies move toward cloud-based IT rather than operating their own data centers, the federal government is becoming a much bigger force in the data center business. Federal agencies are expected to spend north of $11B on cloud services in 2022, up from $8.2B in 2021 and $6.6B in 2020. In CBRE's most recent Data Center Trends Report, it identified federal cloud adoption as a significant growth driver in certain markets such as Northern Virginia that have a sizable government presence.

Because of the sensitivity of government data, cloud service providers need to gain approval through an agency called the Federal Risk and Authorization Management Program, or FedRAMP. Over the past decade, FedRAMP has helped drive federal cloud migration by providing clear standards for security and a centralized approval process. But after 10 years, industry insiders say that changes are necessary to update security standards for data centers and streamline the approval process so that FedRAMP remains a growth driver for the federal data center market, not an impediment to it.

“It’s so the federal government, whose mission capability is increasing but whose IT budget is decreasing, can continue to do the job of the government — that’s why this is so important,” said Melvin Greer, chief data scientist for Intel’s Americas division and an FBI fellow focused on cybersecurity and cloud adoption, speaking at Bisnow’s DICE East event last week. “This is really foundational to the way our government operates.” 

FedRAMP was set up specifically to enable and accelerate federal cloud adoption. Prior to the agency’s creation in 2011, government entities that wanted to migrate some of their IT infrastructure to the cloud had to take on the risk of security vulnerabilities and threats by themselves. There were no standards for basic security, or even a common understanding of what certain security protocols entailed. In such a piecemeal marketplace, it made little sense for cloud providers to develop products tailored to the specific risk factors for government agencies.  

“Pre-FedRAMP, you had agencies that were doing all sorts of things willy-nilly — you didn't have any consistency or a repeatable process,” Greer said. “You didn't have an understanding of what the core security requirements are, and these security controls were interpreted very differently across agencies.”

In order to provide a cloud service to a federal agency now, a provider such as Microsoft or Amazon Web Services must receive FedRAMP approval for each individual product. This centralized evaluation process, which can take the better part of a year, involves demonstrating compliance with hundreds of security controls that range from effective physical security at data centers to specific password protection systems. Cloud services must also be approved by third-party auditors who attempt to expose any physical or cybersecurity vulnerabilities. 

Experts say FedRAMP has been successful in its mission to get federal agencies to embrace the cloud by codifying a single set of security criteria, and it has consolidated the approval process and created a centralized marketplace for agencies looking for cloud services. Perhaps most significantly, it has given the leaders of government agencies confidence that they can securely move data to the cloud without having to worry about whether they have the expertise within their organization to properly evaluate all the possible risks. 

“When I first started working with the federal government on this, there was a lot of concern, and the conversation was always about whether the cloud was as secure as their data centers that they could touch and wrap their arms around,” said Katy Warren, principal at MITRE Corp., which manages federally funded research and development centers. “Now the conversations now are very, very different: They’re eager to offload IT to somebody else so they can do their mission, and there is a huge push to adopt cloud computing as a modernization and mission improvement capability.”

As FedRAMP has successfully driven demand for cloud services among government agencies, it has also led to a surge in the development of government-focused products by major cloud providers like Microsoft, AWS, Oracle and Google. Intel’s Greer said that although FedRAMP is ostensibly a set of regulations, the presence of those standardized rules has led to a flood of innovation. 

“The reason that a race car can go 200 miles an hour is because it has brakes,” he said. “We're seeing an acceleration of innovation because we have a consistent way of securing the systems data and software.” 

Yet many of those crediting FedRAMP with kick-starting the federal cloud market also say the system’s security criteria and the accreditation process for cloud products need of an overhaul. Failure to make these changes, they say, will not only make government data less secure but will turn FedRAMP from a demand driver to an impediment to growth for government-focused cloud services. 

There is a growing consensus the increasingly sluggish FedRAMP approval process itself needs some urgent tweaks. A small government agency that initially processed less than 20 applicants at a time, FedRAMP currently has 112 different applications pending approval, in addition to the 262 approved products that need to be relicensed annually, according to the agency's website. 

The result has been a growing logjam that experts say is dramatically increasing the time it takes to have products approved, making the process increasingly untenable for providers and their federal customers. It is a problem that MITRE’s Warren said will only get worse if the agency's processes aren’t streamlined or automated. 

“In some ways it’s the victim of its own success,” she said. “The demand that has been placed on FedRAMP has been extensive, so getting things through the process … is beginning to take more and more and more time.” 

Warren and others are hopeful that legislation currently making its way through Congress will help alleviate this bottleneck. The bill, which has passed both houses but is awaiting the reconciliation process, would provide $20M in additional funding to improve FedRAMP’s administrative processes and mandate changes to certain aspects of the approval process that have caused delays. 

“Streamlining of the process and adding more transparency would really help reduce the amount of time this takes and would help to increase the number of services that make it into the marketplace,” said Steve Derr, vice president for cloud operations and engineering at Oracle’s National Security Group. “So, this is going to be very important.” 

Additionally, industry insiders say the security controls and protocols mandated through the FedRAMP regime need to be overhauled.  

Speaking at DICE East, CyrusOne Vice President for Public Sector Anthony Rizzo pointed to the vulnerability of data centers’ industrial controls as a glaring weakness of the current FedRAMP protocols. Cloud providers must demonstrate a facility’s physical and environmental security and prove it vets its personnel, but Rizzo said systems like cooling and remote monitoring that keep data centers running aren’t evaluated for security flaws, despite known vulnerabilities. He said hackers could take down a cloud data center just by remotely shutting down its cooling system and making it overheat. 

“If you look at the automation systems, the building management systems, the intelligent battery monitoring, the software that helps power and cool the data center and data halls, it's vulnerable and it's open to a cyberattack,” Rizzo said. “It’s very surprising to me that the physical infrastructure itself isn’t already part of the process.” 

In addition to addressing existing vulnerabilities, FedRAMP’s security controls need to be tweaked to account for new threats emerging from a rapidly evolving digital infrastructure landscape, experts say. Developments like blockchain and so-called Web3 will require a new security model, while the conflict in Ukraine has highlighted the need for secure information systems with international partners and U.S. facilities overseas. MITRE’s Warren says FedRAMP’s regulations need to be rewritten so that products can be developed to address these needs. 

“Conversations about FedRAMP’s evolution are changing radically, this is not just a national system anymore,” she said. “This is something that is going to have huge international security elements.”