Federal agencies are moving full steam ahead with cloud adoption — backed by a suite of new policy changes aimed at removing cloud procurement, security and workforce barriers.
Recent updates include the June 24 release of the administration’s final Cloud Smart strategy, which outlines procurement, security and workforce as interrelated components of moving to cloud during this era of IT modernization. Cloud Smart differs from its nearly decade-old predecessor Cloud First by focusing on adopting cloud effectively rather than deploying the technology by any means possible. Cloud First mandated the move to cloud but did not provide specific guidance on how to accomplish it.
Within the same week of Cloud Smart’s release, the administration also published updates to its Data Center Optimization Initiative, which dovetails with Cloud Smart in many ways by setting priorities for closing federal data centers and ensuring remain facilities are running efficiently.
Cloud Smart was two years in the making and represents what administration officials think is one of the best documents they’ve put out because it was based on engagement with agency and industry, which occurred early and often, said Federal Deputy Chief Information Officer Margie Graves. Officials also took into account challenges agencies face with cloud adoption and what capabilities are available in the market today.
“We believe it [Cloud Smart] will help remove barriers that we identified in discussions with agencies,” Graves told attendees at the ATARC Cloud and Infrastructure Summit, less than 24 hours after publishing the final strategy.
The final version of Cloud Smart, which differs little from the draft, outlines 22 concrete actions that agencies are taking over the next 18 months to accelerate cloud adoption, including several which are in progress. Those include updating the Trusted Internet Connection (TIC) policy within the next six months to ensure program objectives can be achieved. The goal is also to “clarify potential alternative models,” such as cloud based-tools that can be used to secure and optimize agencies’ external network connections.
“You cannot have a single point of in and out” when there are large volumes of transactional data that agencies such as the Homeland Security Department have to process in milliseconds, whether at the border or in airports, Graves said.
Over the next year, the administration is also focused on accelerating the implementation of the Continuous Diagnostics and Mitigation (CDM) program, including the deployment of cloud monitoring tools and capabilities. The program is aimed at standardizing and elevating agencies’ ability to identify and remediate cyber vulnerabilities by understanding who and what is operating on their networks.
Draft Cloud Smart guidance was released in September 2018 for public comment. Since then, agencies have complete 14 of the 22 actions, including publishing an updated Identity, Credential, and Access Management (ICAM) Policy and setting requirements for protecting the government’s most critical or high-value assets.
Graves acknowledge that policy updates are coming out in rapid fashion and that pace is sure to inflict some level of stress on agencies, but these updates are intended to “provide practical application pathways” to improve security and cloud adoption and provide foundational capabilities for government agencies.
Abiding by the 80% Rule
As it relates to cloud adoption, other areas of focus for the administration include crafting better service level agreements that enable agencies to take advantage of common solutions provided by industry. “We don’t want to prescript solutions,” Graves said, adding that “we want to make sure that we are a customer that abides by the 80% rule.”
In other words, she doesn’t want to see agencies fall victim to massive customization efforts when they can adopt solutions that meet most of their needs. “We need to be in a position where we are actually adopting what is in the market,” she said.
But before agencies can fully embrace what is available today, they must understand what they currently have. Application rationalization provides that way forward for agencies (Check out the administration’s new Application Rationalization Playbook here). “The rationalization process will involve reducing an application portfolio by 1) assessing the need for and usage of applications; and 2) discarding obsolete, redundant, or overly resource-intensive applications,” according to Cloud Smart. “Decreased application management responsibilities will free agencies to focus on improving service delivery by optimizing their remaining applications.”
Reskilling, Hiring the Right Talent
In terms of accelerating IT modernization through improved security and cloud adoption, Graves made clear that “nothing happens without the right talent.”
She pointed to the administration’s new cyber reskilling academy as a means to develop a translatable process that agencies can use to develop the talent they need. The first cohort of participants recently complete the classroom training portion of the program, and the government is capturing lessons learned.
The expectation is that agencies will use their funding and hiring mechanisms to hire graduates of the three-month program, Gaves said. It’s not just about hiring cyber professionals, but also cloud architects and data scientists, which are all skillsets needed to effectively transition to cloud.
Ultimately, cloud adoption is about much more than simply lifting and shifting IT from one platform to another, she said. It gives agencies an opportunity to reimagine the way they deliver services in the digital age.