Are you trying to use the cloud with the United States Federal Government, Civilian Agencies, or the Department of Defense? If so, you’re going to start hearing people ask whether the application or service you want to use is in “GovCloud.” While only Amazon Web Services (AWS) officially calls its isolated cloud infrastructure “GovCloud,” Microsoft has a similar isolated cloud, Azure Government, and Google Cloud offers a software-defined government cloud.
Other cloud service providers, such as Oracle, have also built their cloud infrastructure to support government cloud workloads.
For clarity, this article uses “GovCloud” generically, independent of any particular cloud service provider.
Feel free to read through our extensive coverage of GovCloud technologies, regulations, and use cases, or skip to a specific section of interest using our Table of Contents.
Table of Contents
- GovCloud: Cloud with Government Compliance
- Who uses GovCloud?
- Why use GovCloud?
- Is GovCloud really more secure or beneficial for customers?
- Is GovCloud an outdated approach to the cloud for U.S. Government and DoD customers?
- OMB calls for Modernizing FedRAMP
- AI/ML and Generative AI support on GovCloud Regions
GovCloud: Cloud with Government Compliance
Informally, many in tech and government refer to any cloud service provider’s cloud environment for the government as “GovCloud.” Although the term originates from AWS, it has become a generic, ambiguous phrase for government cloud workloads and use.
A GovCloud is a cloud computing region specifically designed to meet the unique compliance and regulatory requirements of US government agencies. What are those requirements and frameworks? Let’s dive into that now.
FedRAMP: Low, Moderate, High
The US Federal Government established the Federal Risk and Authorization Management Program (FedRAMP), a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. All Federal agency cloud deployments and service models, other than certain on-premises private clouds, must meet FedRAMP requirements at the appropriate risk impact level (Low, Moderate, or High).
DISA Impact Level 2, 4, 5, 6
The US Defense Information Systems Agency (DISA) manages the evaluation and authorization of cloud services for the US Department of Defense (DoD). DISA Cloud Service Support grants each cloud service provider a provisional authorization (PA) and, eventually, a full authorization for each Impact Level (IL). Impact Level 2 (IL2) covers non-controlled unclassified information, such as data approved for public release. An assessment at Impact Level 4 (IL4) allows specific products on a cloud service provider to process and store Controlled Unclassified Information (CUI). Impact Level 5 (IL5) builds on IL4 and adds CUI that requires a higher level of protection, along with unclassified National Security Systems (NSS).
Impact Level 6 (IL6) covers cloud workloads and data classified up to Secret. There is no official Impact Level higher than 6, but many informally refer to Top Secret cloud workloads, which serve the US Intelligence Community, as “Impact Level 7.”
Who uses GovCloud?
A GovCloud environment is used across numerous US government agencies, the DoD, and other customers that must work within US government compliance boundaries. A few examples of customers that use GovCloud:
- U.S. Department of Defense (US Army, Air Force, Marines, Navy, Space Force, National Guard, Coast Guard)
- U.S. Department of Justice
- U.S. Department of Homeland Security
- U.S. Department of Veterans Affairs
- U.S. Department of Agriculture
- U.S. Department of Health and Human Services
- U.S. Department of the Treasury
- U.S. Department of Transportation
- U.S. Department of Energy
- U.S. Department of Education
Why use GovCloud?
If the US Federal Government or Department of Defense wants to run applications and services or store data in the cloud, it must use a GovCloud or a similarly configured compliant cloud environment. The requirement exists largely to satisfy compliance and regulatory obligations, but also because government applications and data are inherently sensitive.
- Compliance and regulatory requirements: A GovCloud is designed to meet the compliance and regulatory requirements of US government agencies, including FedRAMP compliance, which requires strict security controls for the handling of sensitive data.
- Physical and network segregation: A GovCloud is physically and logically separated from other cloud regions, providing an additional layer of protection for sensitive data. As a result, GovCloud regions are finite in number and form a small subset of each cloud service provider’s commercial infrastructure. For example, if a CSP operates 15 cloud regions within the United States, perhaps only 4 are accredited for US government use (i.e., “GovCloud”). These numbers are purely illustrative; for the exact list of US government-accredited regions, consult each cloud service provider’s website.
- Data sovereignty: A GovCloud allows US government agencies to store their data within the United States, which is essential for compliance with data sovereignty regulations.
- Access controls: A GovCloud provides fine-grained access controls that allow organizations to control who can access their data and resources. Per DISA, personnel requirements also restrict access based on citizenship and security clearance level.
- Auditing and logging: GovCloud provides a wide range of auditing and logging features, which allows organizations to monitor and track access to their resources. While this is true for any cloud environment, it is essential due to government data retention and the ability to perform cyber forensics.
- Scalability and reliability: As with all cloud services, GovCloud is highly scalable and reliable compared to legacy on-premises datacenter infrastructure. This enables government customers to scale their cloud resources up or down as needed, which is particularly useful for organizations with seasonal or cyclical workloads, such as tax season or emergency response operations.
Is GovCloud really more secure or beneficial for customers?
While GovCloud provides several security and compliance features designed to meet the needs of US government agencies and their partners, it is important to note that it does not guarantee increased security.
Here are a few reasons why the GovCloud model may not guarantee increased security:
- Configuration and management: Security is only as strong as the weakest link, and even with the added security features of a GovCloud, it is still the organization’s responsibility to configure and manage its resources properly. If security controls are not configured correctly or best practices for security management are not followed, the environment can still be vulnerable to attacks.
- Shared responsibility: Any cloud environment, including GovCloud, operates under a shared responsibility model. While AWS, Microsoft, or Google are responsible for the security of the cloud infrastructure, the organization remains responsible for the security of its own data, identities, configurations, and applications running in the cloud.
- Limited access to certain services: Due to the effort required to bring each cloud service or application through the accreditation process, a GovCloud region will have significantly fewer available services for customers than a standard commercial cloud. Each cloud service or application must go through FedRAMP or DISA Impact Level accreditation. If a cloud service is not within the compliance boundary, it either can’t be run within a GovCloud or requires using a different cloud infrastructure. This effectively limits the cloud options for government and DoD customers.
- Cost: A GovCloud environment is generally more expensive than a commercial cloud environment. This is due to the added security and compliance features that are inherited by a GovCloud environment. GovCloud workloads can add significant cost versus commercial cloud.
It is important to note that while a GovCloud environment may not guarantee increased security, it provides many security and compliance enhancements that can help customers meet the unique needs of US government agencies and their partners. However, it is ultimately the responsibility of the organization to properly configure and manage its resources to ensure security.
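The segregation and configuration points above share a practical consequence: a GovCloud region is only a boundary if workloads actually stay inside it, and keeping them there is the customer’s job under the shared responsibility model. The following Python is an added example, not code from the original article or from any cloud provider. It assumes the accredited boundary is the two AWS GovCloud (US) regions in the `aws-us-gov` partition, builds a preventive guardrail (a service control policy keyed on the real `aws:RequestedRegion` condition key, with a global-service exemption list that is an assumption to tune per account), and runs a detective check over constructed CloudTrail-style records to flag activity that lands outside the boundary.

```python
"""Region and partition guardrail for a GovCloud-scoped AWS account.

Added example, not from the original article. It assumes the accredited
boundary is the two AWS GovCloud (US) regions in the ``aws-us-gov``
partition; the ARNs and CloudTrail-style records below are constructed
for illustration, not captured from a real account.
"""
import json
from dataclasses import dataclass

GOV_PARTITION = "aws-us-gov"
ACCREDITED_REGIONS = frozenset({"us-gov-west-1", "us-gov-east-1"})


@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str      # empty for global services such as IAM and S3
    account: str
    resource: str


def parse_arn(arn: str) -> Arn:
    """Split arn:partition:service:region:account:resource (resource may contain ':')."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return Arn(*parts[1:])


def arn_violations(arn: str) -> list[str]:
    """Reasons an ARN falls outside the accredited boundary (empty list = clean)."""
    a = parse_arn(arn)
    reasons = []
    if a.partition != GOV_PARTITION:
        reasons.append(f"partition {a.partition!r} is not {GOV_PARTITION!r}")
    if a.region and a.region not in ACCREDITED_REGIONS:
        reasons.append(f"region {a.region!r} is not accredited")
    return reasons


def region_guardrail_policy(regions=ACCREDITED_REGIONS) -> dict:
    """Preventive control: a service control policy denying any request whose
    aws:RequestedRegion is outside the accredited set. The NotAction exemptions
    for global services follow AWS's published region-restriction SCP pattern
    and are an assumption to tune per account."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyOutsideAccreditedRegions",
            "Effect": "Deny",
            "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*"],
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": sorted(regions)}},
        }],
    }


def flag_events(events: list[dict]) -> list[tuple[str, str]]:
    """Detective control: return (eventID, reason) for CloudTrail-style records
    whose region, caller ARN, or touched resource ARNs fall outside the boundary."""
    flagged = []
    for e in events:
        reasons = []
        if e.get("awsRegion") not in ACCREDITED_REGIONS:
            reasons.append(f"awsRegion={e.get('awsRegion')!r}")
        caller = e.get("userIdentity", {}).get("arn")
        if caller:
            reasons += arn_violations(caller)
        for r in e.get("resources", []):
            reasons += arn_violations(r["ARN"])
        if reasons:
            flagged.append((e["eventID"], "; ".join(reasons)))
    return flagged


# Constructed sample records (shape follows CloudTrail; values are invented).
SAMPLE_EVENTS = [
    {"eventID": "evt-1", "awsRegion": "us-gov-west-1", "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws-us-gov:iam::123456789012:role/Deployer"},
     "resources": [{"ARN": "arn:aws-us-gov:ec2:us-gov-west-1:123456789012:instance/i-0abc"}]},
    {"eventID": "evt-2", "awsRegion": "us-east-1", "eventName": "CreateBucket",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev"},
     "resources": [{"ARN": "arn:aws:s3:::scratch-bucket"}]},
    {"eventID": "evt-3", "awsRegion": "us-gov-east-1", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws-us-gov:iam::123456789012:role/Deployer"}},
]

if __name__ == "__main__":
    print(json.dumps(region_guardrail_policy(), indent=2))
    for event_id, why in flag_events(SAMPLE_EVENTS):
        print(f"{event_id}: {why}")
```

Run against the constructed records, only `evt-2` is flagged: its request went to a commercial region, and both the caller and the bucket live in the `aws` partition rather than `aws-us-gov`. The policy is the preventive half of the same control; the event scan is the detective half, and an organization that relies on GovCloud for isolation needs both, because the region boundary alone does nothing to stop a misconfigured pipeline or a developer’s commercial credentials from pulling data out.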
Is GovCloud an outdated approach to the cloud for U.S. Government and DoD customers?
It was considered innovative when AWS first introduced its GovCloud model in 2011. A purpose-built, physically isolated cloud infrastructure environment was the ultimate demonstration of customer obsession by AWS. However, as cloud adoption has skyrocketed ever since, there are several reasons why a dedicated, physically isolated GovCloud infrastructure model may be considered an outdated approach today:
- Limited services: GovCloud has limited services compared to other regions and may not offer the same functionality and flexibility as other regions. This can limit the options for government organizations looking to use the latest technology and services. Customers must wait significantly longer to adopt new technologies until they are within compliance and accreditation boundaries.
- Limited scalability: GovCloud is designed for US government agencies and their partners, which means it may not be able to scale as quickly as other regions to meet a rapidly growing requirement. If a customer needs flexibility across multiple continents or intends to access data from various continents, traffic must route back to the continental U.S. (CONUS), where GovCloud infrastructure resides. Additionally, specialized hardware such as graphics processing units (GPUs) or tensor processing units (TPUs) is available only in finite quantities within the designated GovCloud regions.
- Limited access to other regions: Organizations using a GovCloud region may not have access to the same global network of regions as those that are using other regions. This could limit their ability to provide services in other countries or use services unavailable in the GovCloud region (i.e., using cloud services out of compliance).
- An outdated approach to security: GovCloud was designed to meet the compliance and regulatory requirements of US government agencies and their partners, and both the threat landscape and the regulations have evolved since it was introduced. Physical isolation on its own does not address the failures behind most cloud breaches: misconfiguration, compromised credentials, and insider misuse. Meanwhile, mature encryption standards, tenant isolation, and hardware attestation now make software-defined isolation possible, and it can be argued that this provides security comparable to, if not better than, physical datacenter isolation.
- Cost: A GovCloud environment is generally more expensive than a commercial cloud environment. This is due to the added security and compliance features inherited by a GovCloud environment. GovCloud workloads can add significant cost versus commercial cloud.
Overall, while a physically isolated cloud infrastructure environment GovCloud model may have made a lot of sense in 2011, it is showing its age in 2024 due to the limitations in services, scalability, access to other regions, and an outdated approach to security.
OMB calls for Modernizing FedRAMP
A draft FedRAMP memo, “Modernizing FedRAMP,” was released in October 2023 for public comment by the Executive Office of the President, in conjunction with the Office of Management and Budget (OMB). The memo acknowledges the shortcomings and challenges of the FedRAMP process, such as redundancy and a lack of speed and scale, and the need to adopt further security measures to meet modern-day cyber threats.
Most interestingly, the memo states that FedRAMP should leverage the shared infrastructure between the Federal government and U.S. private sector. From page 4:
Leverage shared infrastructure between the Federal Government and private sector. FedRAMP should not incentivize or require commercial cloud providers to create separate, dedicated infrastructure for Federal use, whether through its application of Federal security frameworks or other program operations. The Federal Government benefits most from the investment, security maintenance, and rapid feature development that commercial cloud providers must give to their core products to succeed in the marketplace. Commercial providers should similarly be incentivized to integrate into their core services any improved security practices that emerge from their engagement with FedRAMP, to the benefit of all customers.
It’s unclear whether this will be formally adopted across the U.S. government, DoD, its agencies, or cloud programs. But it calls into question the future of physically isolated, purpose-built datacenters for FedRAMP and DISA Impact Level compliant cloud workloads.
Leveraging commercial cloud infrastructure has many advantages versus isolated cloud regions, primarily access to cloud infrastructure at scale. AI and Generative AI workloads are incredibly resource-intensive, expensive, and GPU/TPU chips are in low supply and high demand. Leveraging commercial cloud infrastructure for AI workloads is a logical use case for changing FedRAMP or DISA restrictions.
AI/ML and Generative AI support on GovCloud Regions
The Department of Defense established a Generative AI task force, Task Force Lima, in 2023 specifically to explore the adoption of cutting-edge technologies across the defense branches. For example, large language models (LLMs) give the DoD a rapid way to understand and summarize archival data for later analysis. Other U.S. agencies could use the same technology to make public documentation more searchable.
The strict security and compliance guidelines that the DoD and the broader public sector rely on, FedRAMP and the DISA Impact Levels, have remained a barrier to adopting AI and generative AI technologies for sensitive data or Controlled Unclassified Information (CUI).
- Microsoft announced in February 2024 that it has submitted its Azure OpenAI services for accreditation for FedRAMP High and DISA IL4 and IL5.
- AWS hosts Deep Learning AMIs on AWS GovCloud. Supported frameworks include TensorFlow, Caffe, Caffe2, Torch, and Keras. Any of these frameworks can support developing sophisticated, custom AI models.
- AWS announced in December 2023 that Amazon Bedrock is now available in the AWS GovCloud US-West region. Amazon Bedrock provides a broad set of capabilities to build generative AI applications.
- Google Cloud, as of February 2024, has several Vertex AI and Generative AI capabilities currently under JAB review for FedRAMP High accreditation.
Discover more from Cybersecurity Careers Blog