White House to Rewrite Cloud Vendor Contracts for Security Liability

White House | May 21, 2020

  • The Office of Management and Budget plans to standardize language in all government contracts with cloud vendors.

  • Santucci provided a status report on the government’s efforts to improve efficiency and lower costs by moving to the cloud during a virtual conference the Digital Government Institute hosted today.

  • Technology vendors precluding liability in government contracts has long been an issue, and it could be one reason some in government agencies have been timid about moving to the cloud in the past.


The Office of Management and Budget plans to standardize language in all government contracts with cloud vendors that would update liability terms regarding security, according to the official in charge of leading federal agencies’ move to the shared-responsibility ecosystems.

“I think there is a need to update our [service level agreements] with the cloud providers and we're actively working on that within [the General Services Administration],” Thomas Santucci, the director of the Data Center and Cloud Optimization Infrastructure Program Management Office at GSA, said.

Santucci provided a status report on the government’s efforts to improve efficiency and lower costs by moving to the cloud during a virtual conference the Digital Government Institute hosted today.


“OMB has just stood up a [program management office] to work on a cloud SLA template for the federal government to be attached to every contract,” Santucci said when asked about the liability issue and whether cloud service providers or government customers should be held responsible for security.

Security was one of the topics mentioned in establishing the new contract templates, he said.

Technology vendors precluding liability in government contracts has long been an issue, and it could be one reason some in government agencies have been timid about moving to the cloud in the past, according to a program manager speaking from the “frontlines” of the cloud migration effort during the DGI conference.

“The common themes that I heard were ‘I don’t understand security, I don’t want to have to deal with security by myself, and I’m also not a cloud expert,’” Joe Foster, cloud computing program manager at NASA’s Goddard Space Flight Center, said regarding his early days of trying to get agency components to move to the cloud.

In some ways, the pandemic is taking the issue out of officials’ hands.

“Could anyone plan for what’s going on now? Probably not, but who could imagine, let alone fund it? [Referring to the pandemic.] The situation does exactly that. Your users are now remote rather than in a central building or campus. Agencies that are doing well are mostly in the cloud with little or no impact. Remote users do not need a [virtual private network] to gain access to their emails or files, collaboration products have significantly reduced file duplicates, and bandwidth consumption is between the home internet connection and the cloud. It’s a great success story,” said Thomas Santucci, the director of the Data Center and Cloud Optimization Infrastructure Program Management Office at GSA.

Beyond no longer needing to run energy-intensive data centers, there are other, security-based reasons for moving to the cloud. For example, Susie Adams, chief technology officer for Microsoft Federal, noted that letting security and development professionals work in the same space has allowed changes to applications to be pushed out faster.

But as officials at the National Institute of Standards and Technology have stressed, moving to the cloud does not make security a “set it and forget it” feature. There are a lot of configurations and other considerations that customers may be responsible for under contracts.

During an event hosted Tuesday by the Information Technology Industry Council, Rep. Doris Matsui, D-Calif., also observed the pandemic causing a rush to the cloud but expressed more trepidation than exuberance.

“This comes with an increased use of personal devices and cloud services, which may not be secure,” Matsui, co-chair of the House of Representatives’ High Tech Caucus, said.

Matsui on Tuesday sent a letter to NIST Director Walter Copan asking that the agency work to establish metrics to accompany its landmark Cybersecurity Framework. The framework allows entities to select and implement security controls based on their individual subjective needs and risks. Matsui’s letter calls for a way to evaluate the security implications of those decisions.

“As companies, nonprofits, and state and local governments work to quickly assess their cybersecurity strategies and evaluate measures to improve security during the pandemic, additional guidance from NIST could help speed the decision-making process and funnel resources to effective, proven methods,” she wrote. “With quantifiable measurement tools, cybersecurity strategies can be compared across industries and between entities. Metrics and measurements that facilitate comparisons and assess risk will be valuable for consumers, companies, and governments.”
