By: Anna Patsel-Powel and Rajiv Kadayam
During the emergence of the “cloud” in the late 2000s, the Federal government was grappling with information systems across agencies that were aging, slow, fragmented, not secure, and duplicative. Moving to the cloud had numerous benefits like greater agility and elastic scalability, better velocity, improved service delivery, and lower Total Cost of Ownership (TCO). The Office of Management and Budget (OMB) recognized that moving to the cloud would be the first step in reforming and modernizing their IT systems and created a policy in 2010 called Cloud First.
The Cloud First policy jumpstarted the process of moving to the cloud, but the trip has not been without barriers slowing down the process. Chief Information Officers (CIOs) are struggling with procurement and management challenges, and many are still concerned about the security of their data. It’s a challenge to understand who is responsible for what in the cloud. Also, there are no criteria for discerning what systems would do best in the cloud. For those applications that are a good cloud fit – how do you engineer them for the cloud? The Cloud First policy stated that agencies had to move to the cloud but provided no specific guidance on how to accomplish that goal.
In October 2018, the OMB released a Federal Cloud Computing Strategy, Cloud Smart, an update to Cloud First. The policy update tries to ensure that the technology fits an agency’s mission/outcomes, whereas the original Cloud First stressed the benefits of the cloud. The Cloud Smart strategy provides guidance surrounding security, procurement, and the necessary workforce skills to enable faster cloud adoption and implementation. We have delved into that guidance below with additional considerations for moving to the cloud.
Security
Cloud security is one of the most significant hurdles to overcome when moving to the cloud. Here are the top issues to be addressed:
- Trusted Internet Connections (TIC) was mandated in 2007 to optimize and standardize the security of individual external network connections currently in use by Federal agencies, including connections to the Internet. TIC was much more relevant when agencies maintained the majority of their systems within an agency-operated network. Cloud Smart makes the government revisit this mandate. Agencies are forced to go through a set of defined, trusted network points instead of the public Internet, which negatively impacts productivity and operational workloads in the cloud. This network structure creates a significant bottleneck that doesn’t scale. Today, TIC is affecting some agencies’ ability to expand network traffic.
- Identity, Credential, and Access Management (ICAM) and encryption are becoming increasingly important. Cloud-based systems open up a colossal highway of data being transported between networks, which will require greater data protection.
- Composable and reusable system security plans (SSP) for applications that share similar technology stacks need to be developed by agencies. An SSP is the main document of a security package in which a cloud solution provider (CSP) describes all the security controls in use on the information system and their implementation. An SSP can contain an overwhelming 253 security controls or more. Many agencies develop new SSPs for each application or ecosystem of applications from scratch, which is highly inefficient. If an agency successfully secured an Authorization to Operate (ATO) for System X with its own SSP, and they want to stand up System Y with the same technology, implementation, and security compliance verifications and requirements, then it’s advantageous to reuse the security design of System X and the accompanying security documentation and processes for System Y. Using this as a baseline, they can customize the SSP as needed to address specific differences in capabilities of System Y. Even though the two systems may differ in business capabilities and end users, this reusable security approach simplifies the accreditation and authorization (A&A) process and enables agencies to shift towards a continuous ATO model.
- Authorization to Operate (ATO) is required for CSPs. Currently, this effort for CSPs is a significant challenge and labor-intensive endeavor. The Federal Risk and Authorization Management Program (FedRAMP), a risk management program that provides a standardized approach for assessing and monitoring the security of cloud products and services, is trying to reduce the burden, but Federal agency processes continue to make obtaining an ATO tough.
Workforce
As cloud adoption grows, there will be major impacts to the Federal workforce in many different ways. Here are some tips for navigating the new terrain:
- Identify potential skills gaps and provide additional training for those staff that lack the skills required for cloud enablement. Skills training is no longer a point-in-time effort, but a regular and frequent exercise. The Federal workforce needs to get smarter on how to manage systems in the cloud.
- Guide your workforce in what technologies they should focus on in their learning, whether it’s IaaS, PaaS, or SaaS or something else. Your workforce needs to gain competency in general concepts that go beyond specific vendor technology.
- Gain a deeper understanding of Agile through practice, cloud architecture, and DevOps practices. That knowledge will serve as a strong foundation, so your workforce can expand their learning into specific vendor platforms.
- Look at hiring strategies to close the skills gap. Hiring staff with the appropriate skills and experience is very competitive and will not be easy for agencies. Consider adding new benefits to lure in these unique technologists.
- Contract out services to help agencies strategize, migrate, and operate in the cloud.
Procurement
Since cloud computing is still relatively new, there has been little standardized guidance for procuring cloud products and services. With the plethora of services and products offered in the marketplace, working out the best cloud strategy and security approach can be overwhelming and confusing. Cloud technologies are also continuously evolving, so keeping up can be difficult. Below are some tips for procuring cloud products/services:
- Train Federal acquisition staff continually on the expanding assortment of technology and the associated security capabilities with each option available.
- Use a Category Management approach to procure cloud services, and lay out in more detail governance, architecture, security, and operations’ roles/responsibilities in a Service Level Agreement.
- Do not use firm-fixed pricing (FFP), but instead have a NOT TO EXCEED amount on cloud costs, and continuously rationalize and optimize costs. Cloud, if not monitored regularly, can get expensive.
- Shift cloud computing expenses from a capital expense (incurred once in one year) to an operational expense (incurred in the ordinary course of running the organization). This procurement strategy helps agencies better budget their annual fixed costs.
In Conclusion
According to an analysis from Bloomberg Government, defense and civilian agencies combined procured $6.5 billion of cloud services in fiscal year 2018, a 32 percent increase from fiscal year 2017. The Federal cloud market is growing every year, especially as the mandates and pressures grow to modernize Federal systems. Policies like Cloud Smart will only add to the acceleration of Federal cloud adoption.
Once agencies adopt cloud, they can set their modernization efforts to warp speed with augmented intelligence services that are now being offered by AWS, Azure, and Google. CSPs are now offering deeper capabilities in machine learning like speech-to-text, natural language processing, and bots. The cloud exposes agencies to a new realm of opportunity, where they can build smart applications and data science capabilities to exploit hidden pieces of knowledge in large data sets. Stay tuned for an upcoming blog about augmented intelligence in government.
Copyright © 2019 Pyramid Systems, Inc.