by clicking on the page. A slider will appear, allowing you to adjust your zoom level. Return to the original size by clicking on the page again.
the page around when zoomed in by dragging it.
the zoom using the slider on the top right.
by clicking on the zoomed-in page.
by entering text in the search field and click on "In This Issue" or "All Issues" to search the current issue or the archive of back issues respectively.
by clicking on thumbnails to select pages, and then press the print button.
this publication and page.
displays a table of sections with thumbnails and descriptions.
displays thumbnails of every page in the issue. Click on a page to jump.
allows you to browse through every available issue.
FCW : July 30, 2014
July 30, 2014 FCW.COM 27 Commercial cloud providers face a gray area when it comes to federal access to their systems. Vendors are obligated to safeguard the legal and constitutional rights of cloud tenants whose data is intermingled with that of federal users. Oversight officials, including IGs, say their mandate requires them to have physical access to any data center that holds agency data, potentially putting them in a posi- tion to access the information of non- federal users. “This is a legal boundary that I don’t believe was anticipated until someone actually bumped into it,” said Trey Hodgkins, senior vice president of the IT Industry Council’s IT Alliance for Public Sector. Paper laws for a tech age A lack of oversight into agency cloud operations can have financial conse- quences. At the Department of Veter- ans Affairs, a $36 million cloud deal was scuttled in 2013 in part due to a running disagreement between CIO Stephen Warren and Acting IG Rich- ard Griffin over the retention of email and overall access to cloud systems. The IG’s office had shared Coe’s draft language with the CIO’s office when the cloud email project was still on the drawing board, but its provisions were not part of the final request for proposals issued by the VA. For now, IGs who want guaranteed access to cloud environments must make their case internally. “That’s the part your IG has to be mindful and aware of when these contracts are being considered, and engage the CIO or the contracting officer,” Coe said. “You can do it at the agency level, but if it’s in the FAR, a contractor can’t argue with it.” The military is trying to move the ball forward on cloud access. Jodi Cramer, a senior attorney at the Judge Advocate General of the Air Force, is leading a parallel effort to modify the Defense Federal Acquisition Regula- tion Supplement. Launched about a year ago, the DFARS modification effort is part of a wider Defense Department strategy, led by the Defense Information Systems Agency, to offer commercial cloud services to the military. The effort is in still in the early stages, and it could be a year before the Office of Management and Budget accepts the proposed rule and posts it in the Federal Register for comment. Cramer could not comment on the exact contract language she is seek- ing, but the effort tracks closely with a March update to DISA’s cloud security model. Those guidelines specify that DOD and law enforcement agencies be granted physical access to data centers for audit purposes, FISMA compliance and IG investigations, and be permit- ted to copy or extract data as needed. The DISA requirements state that cloud vendors “shall segregate the data and afford access to such information in a secure and private space, and with- out [vendor] presence, if requested.” The document specifies additional requirements that cover agency users, including compliance with federal records law, and guarantees that law enforcement and auditing officials will be able to access data without a war- rant or subpoena. Yet adapting Privacy Act and Inspec- tor General Act rules to cover federal participation in the evolving commer- cial cloud industry is tricky. “We’re trying to fit laws based on paper into a technological age,” Cramer said. At the same time, “we feel very strongly that moving our data to a commercial environment brings inherent risks to the government, and we need to ensure that there is certain language in con- tracts to protect us.” Meanwhile, CIGIE is preparing a survey of cloud contracts as part of a process that involves 20 IGs. CIGIE’s study is based on a 2013 survey NASA conducted that found wide variances in the costs and security controls of the agency’s cloud contracts. CIGIE’s report is due out later this summer. “I think [the CIGIE report] is going to be very eye-opening in terms of how well the federal government is doing in writing cloud contract language,” Coe said. “If the NASA report is any indication, then I think it’s going to demonstrate that we have room for improvement.” Eroding leadership Access to cloud environments by law enforcement is not just a federal agency issue. Although most govern- ment clouds are required to store data on systems in the continental United States, commercial clients’ data can sprawl across the globe. And com- mercial providers are challenging law enforcement and regulators over requests for access to data — even when presented with subpoenas or search warrants. For instance, Microsoft is fighting an order from a federal magistrate to turn over a customer’s email messages that are stored on a data center in Ire- land. Microsoft argues that complying with the order “would violate interna- tional law and treaties, and reduce the privacy protection of everyone on the planet.” Although the case does not directly bear on the issue of federal cloud con- tracts — feds and contractors have no expectation of privacy while using fed- eral systems — the cloud industry is closing ranks against the government in the wake of Edward Snowden’s revelations about the extent of U.S. intelligence agencies’ surveillance of online activity. U.S. cloud providers are concerned that the surveillance is weakening their position in the global market. Last year, the IT and Innovation Foundation estimated that Snowden’s revelations would cost the U.S. cloud industry $35 billion in lost business. Microsoft’s filing reflects that con- cern, saying a government victory in this case would “ultimately erode the leadership of U.S. technology compa- nies in the global market.” ■
July 15, 2014
August 15, 2014