White House to Rewrite Cloud Vendor Contracts for Security Liability

White House | May 21, 2020

  • The Office of Management and Budget plans to standardize language in all government contracts with cloud vendors.

  • Santucci provided a status report on the government’s efforts to improve efficiency and lower costs by moving to the cloud during a virtual conference the Digital Government Institute hosted today.

  • Technology vendors precluding liability in government contracts has long been an issue, and it could be one reason some in government agencies have been timid about moving to the cloud in the past.


The Office of Management and Budget plans to standardize language in all government contracts with cloud vendors that would update liability terms regarding security, according to the official in charge of leading federal agencies’ move to the shared-responsibility ecosystems.

“I think there is a need to update our [service level agreements] with the cloud providers and we're actively working on that within [the General Services Administration],” Thomas Santucci, the director of the Data Center and Cloud Optimization Infrastructure Program Management Office at GSA, said.

Santucci provided a status report on the government’s efforts to improve efficiency and lower costs by moving to the cloud during a virtual conference the Digital Government Institute hosted today.


“OMB has just stood up a [program management office] to work on a cloud SLA template for the federal government to be attached to every contract,” Santucci said when asked about the liability issue and whether cloud service providers or government customers should be held responsible for security.

Security was one of the topics mentioned in establishing the new contract templates, he said.

Technology vendors precluding liability in government contracts has long been an issue, and it could be one reason some in government agencies have been timid about moving to the cloud in the past, according to a program manager speaking from the “frontlines” of the cloud migration effort during the DGI conference.

“The common themes that I heard were ‘I don’t understand security, I don’t want to have to deal with security by myself, and I’m also not a cloud expert,’” Joe Foster, cloud computing program manager at NASA’s Goddard Space Flight Center, said regarding his early days of trying to get agency components to move to the cloud.

In some ways, the pandemic is taking the issue out of officials’ hands.

“Could anyone plan for what’s going on now? Probably not, but who could imagine, let alone fund it?” Santucci said, referring to the pandemic. “The situation does exactly that. Your users are now remote rather than in a central building or campus. Agencies that are doing well are mostly in the cloud with little or no impact. Remote users do not need a [virtual private network] to gain access to their emails or files, collaboration products have significantly reduced file duplicates, and bandwidth consumption is between the home internet connection and the cloud. It’s a great success story.”

Beyond no longer needing to run energy-intensive data centers, there are other, security-based reasons for moving to the cloud. For example, enabling security and development professionals to work in the same space has allowed changes to applications to be pushed out faster, as Susie Adams, chief technology officer for Microsoft Federal, noted.

But as officials at the National Institute of Standards and Technology have stressed, moving to the cloud does not make security a “set it and forget it” feature. There are a lot of configurations and other considerations that customers may be responsible for under contracts.

During an event hosted Tuesday by the Information Technology Industry Council, Rep. Doris Matsui, D-Calif., also observed the pandemic causing a rush to the cloud but expressed more trepidation than exuberance.

“This comes with an increased use of personal devices and cloud services, which may not be secure,” Matsui, co-chair of the House of Representatives’ High Tech Caucus, said.

Matsui on Tuesday sent a letter to NIST Director Walter Copan asking that the agency work to establish metrics to accompany its landmark Cybersecurity Framework. The framework allows entities to select and implement security controls based on their individual subjective needs and risks. Matsui’s letter calls for a way to evaluate the security implications of those decisions.

“As companies, nonprofits, and state and local governments work to quickly assess their cybersecurity strategies and evaluate measures to improve security during the pandemic, additional guidance from NIST could help speed the decision-making process and funnel resources to effective, proven methods,” she wrote. “With quantifiable measurement tools, cybersecurity strategies can be compared across industries and between entities. Metrics and measurements that facilitate comparisons and assess risk will be valuable for consumers, companies, and governments.”
