Federal agencies — ranging from the Defense and State departments to the National Institutes of Health — are having second thoughts about moving government secrets and essential functions to the Web in the face of a growing number of cyberattacks from online assailants.
The agencies worry that a White House policy instituted late last year requiring them to move services to cloud computing — a policy dubbed “cloud first” — puts their concerns over cybersecurity second.
“We’re sitting back and waiting since we are a security agency,” said Cynthia Cassil, director of systems integration for the State Department’s chief information officer. “We don’t want to be one of the early adopters. We want to be a follower — but we do want to comply with OMB [Office of Management and Budget] and put our toes out in the water.”
Agencies have been under White House orders since December to consider Web-based cloud computing before other technology solutions that rely on more costly hardware. Former White House Chief Information Officer Vivek Kundra tasked each agency with identifying three services to move to the cloud — one within 12 months and the other two within 18 months.
At the time, Kundra stressed that while security needs may vary by agency, many would see their strict security requirements satisfied in the cloud. In a recent op-ed in The New York Times, Kundra, who left the government for a position at Harvard in August, argued that cloud computing is often more secure than existing government technology because cloud service providers like Google, unlike many federal agencies, are able to attract and retain a talented pool of cybersecurity personnel.
Some agencies, however, are not yet sold.
Many agencies tasked with handling classified data and information, such as State and Defense, are holding off on migrating functions and data to cloud systems owned by outside vendors, such as Google and Amazon, known as the “public cloud.” In addition, other agencies that handle large volumes of data on citizens — including Health and Human Services — are also taking their time to evaluate security implications.
“You have to look beyond the marketing material,” said Robert Rosen, chief information officer for the National Institute of Arthritis, Musculoskeletal and Skin Diseases at NIH. The agency is in charge of safeguarding sensitive patient data. “If [a cloud provider] can’t meet the security requirements, there’s no point in continuing the discussion.”
While Rosen isn’t opposed to moving some agency functions to cloud computing, he is skeptical of vendors that tout the cloud as a panacea that can prevent hacker infiltrations into sensitive systems. “It is no different than any other technological solution,” he said.