When the Obama administration's CIO declared that the government would move to a cloud-first policy for its technology procurements, it was sending a clear message that agencies would be expected to modernize their IT shops.
But five years later, that transition still seems like it's in its early stages, according to Mark Kneidinger, director of the Federal Network Resilience Division at the Department of Homeland Security.
"In 2015 many agencies are still using cloud computing similar to 2010," Kneidinger observed during a recent field hearing members of the House Oversight and Government Reform Committee held in San Antonio.
Many of the applications that agencies have shifted to the cloud might be considered commodity IT, such as email or collaboration tools that CIOs sometimes describe as the low-hanging fruit — functions that can be moved to the cloud with relative ease and minimal disruption.
But agencies have been far slower to migrate more elaborate, mission-oriented systems, and legacy IT remains in widespread use throughout the government.
Rep. Will Hurd (R-Texas), the chair of the oversight committee's subcommittee on IT, notes the government's estimate that of the roughly $80 billion the government spends on technology each year, 80 percent goes to the maintenance of legacy systems.
"Legacy systems are expensive to maintain and often make sensitive information vulnerable to cyberattacks," Hurd says. "The Labor Department has a 30-year-old system developed by people who are now all dead. They had to resort to looking for old parts on eBay."
He recalls the recent hack of the Office of Personnel Management, a massive breach that compromised the records of more than 21 million current, former and prospective government employees and contractors, which was widely suspected to be the work of Chinese. Hurd suggests that OPM's reliance on aging technology left the agency vulnerable to attackers.
"The chief information officer of the Office of Personnel Management actually came before our committee and argued that the antiquated COBOL mainframe IT system at OPM was a cybersecurity asset," Hurd says. "The Chinese government disagreed."
Security remains top obstacle for federal CIOs
There are any number of barriers that have kept government CIOs from a broader adoption of cloud technology, including budget and contracting considerations, the decentralized nature of technology across departments, agencies, sub-agencies and bureaus, and the cultural resistance to a new model of IT. But one of the most enduring obstacles has been the lingering concerns about the security of the cloud. And despite the establishment of a formal review standard for cloud technologies in the form of FedRAMP, Kneidinger notes that security issues persist.
"There continues to be a lack of consensus by the agencies with their cloud service providers as to how effectively to measure, monitor and evaluate security in a cloud environment," he says.