Cloud Exchange 2024: OMB’s Drew Myklegard on fostering mature cloud capabilities

OMB’s deputy federal CIO says the government aims to ensure parity with the commercial sector by modernizing policies like the one for cloud security.

The federal Cloud Smart Strategy turns five years old this June, and it’s more relevant today than it was back in 2019 when the Office of Management and Budget released it.

Why is that? “There’s a comfort level, I think, that we have already. We have removed a lot of the barriers, and people are good at buying it now,” Drew Myklegard, deputy federal chief information officer at OMB, said during Federal News Network’s Cloud Exchange 2024.

The strategy focuses on three key pillars to make cloud adoption successful: security, procurement and workforce. OMB said at the time of its release that these elements “embody the interdisciplinary approach to IT modernization that the federal enterprise needs in order to provide improved return on its investments, enhanced security and higher quality services.”

Not only do those words ring true today, but agencies’ technology teams are also more educated about the what and the how to make their mission and back-office systems run in the cloud, Myklegard said.

He said OMB has no plans, at this point, to update the strategy — in part because of its relevance now more than ever.

“The things that we are always very attuned to are all the developers and whether they are using the most modern tools in very similar ways to the environments that you see in the commercial sector,” Myklegard said. “Our goal is to have a developer come from a commercial company and have a very similar experience within the government. That means how long it takes them to commit their first line of code or how quickly they can spin up an environment, how quickly they can scale. We’re trying to seek parity.”

Parity also means not having to even ask if an agency is in the cloud. Myklegard said the assumption is all agencies are and can use whatever tools are available to them.

OMB providing guardrails, top cover on cloud

Another way OMB works to ensure parity with the commercial sector is by modernizing specific policies like those around the cloud security program, FedRAMP, or giving agencies more comfort to apply artificial intelligence capabilities within cloud instances.

“OMB does a really good job in the areas of: ‘Here are the guardrails. Here’s the top cover.’ But when [agencies] are building a custom app in the cloud today, we’ve really put out the guardrails and we’ve put out the top cover so they’re able to use the best tools to fit their mission and use risk-based decision-making. We are making sure we haven’t tied their hands,” Myklegard said.

“What we see is the next innovation of our policies. A lot of times we’ll put out a strategy, or a lot of times we’ll use memos, or a lot of times we’ll use circulars. We like to use all of them to achieve the goal. But we’re also getting feedback from agencies about the things that are most helpful and the things that are barriers to them to succeeding. Those are the areas that we’re absolutely focused on.”

One recent example? Myklegard pointed to the update to the FedRAMP memo. He said it was clear agencies were moving quickly to use more software as a service (SaaS) applications. Therefore, he said, the security and other supporting policies needed to change.

The draft FedRAMP memo, released in October, reflects the demands agencies have on the program to approve more SaaS products. The FedRAMP Program Management Office followed the draft memo in March with a new roadmap. The roadmap recognizes the need for an accelerated path to bring in more SaaS products, Myklegard said.

“We have found that the agencies that are leaning in on SaaS products are doing a couple of things. One, they’re able to fulfill a lot of security requirements since those SaaS products don’t have a lot of the legacy challenges that our on-premise solutions have. You can adopt them very rapidly through acquisitions, get them secured by using most of the ones that are already FedRAMP-ed and then you’re just thinking about the controls that are pertinent and relevant to your office,” he said.

“As developers, internally, we have to manage roadmaps. We have technical debt. We’re fighting for dollars. We’re doing a lot of different things to make a product successful that most people don’t see. So if you’re able to offload a lot of that to an outside company but still influence the roadmap, it’s really the best of all worlds.”

Budget matters more than ever to cloud use, Saas

Myklegard, who worked for the Department of Veterans Affairs before coming to OMB, pointed to that department’s updated website, VA.gov, as an example of how an agency could reap the benefits of moving to SaaS. He said VA now is able to put their best developers and engineers on the project, and they don’t have to worry about the back-end infrastructure and can focus on providing veterans with the best services.

“Our main goal is great IT across the federal government, and so the way to get there is we just cannot build it. There’s no reason to try and build something that’s already in the commercial sector. So when a business line is trying to deliver on a policy and mission or some other need, you want to speed the time in which we can roll out programs and public benefits to those that need it the most,” he said. “We’ve seen that across the federal government. So not only are we smarter in tech, but we’re also smarter in all the things that are enabling that to be successful.”

Myklegard said two of the biggest factors driving this change is the focus from the top, whether OMB or Capitol Hill, and then the understanding of the budget side of why funding these technology programs matter more today than ever.

He said one way OMB measures the progress of IT modernization is through constant communications with agencies, from the Office of the Federal CIO as well as from OMB’s desk officers.

“Of course, we want to run by metrics. There’s a couple of areas that we really focus on there. One is the Federal Information Security Modernization Act. We bring in a lot of data through that, which is digested by our teams, and we make decisions at the leadership level where we should be investing, where we should help, be budgeting and making strategic investments at agencies,” Myklegard said.

“Then, we’re six months in on our Digital Experience memo. Once we get the memo out the door, as Federal CIO Claire Martorana likes to say, ‘The cement starts to harden,’ and the program starts to take form. We are looking at some very specific things around digital analytics programs, a couple key areas that we see over at the General Services Administration’s programs around customer experience.”

He added OMB also pays attention to feedback agencies receive from customers and citizens, particularly the high-impact service providers.

“We spend a lot of time focused on that data collection and that outreach. We really feel like it pays off when we go and work with our budget colleagues, or when we’re speaking with the Hill,” Myklegard said.

“On the budget side, we’re making decisions around where we invest while being in a constrained budget environment. This is a time when we need to be getting the most value out of our dollars in the programs. There are very intense conversations around, ‘How much are we going to put into this program? What should this program cost if they’re launching a new one? How soon can we expect time to value? Is there a way that we can limit our costs by not building a huge infrastructure and waiting for it to grow?’ Well, that’s cloud and you are building an app that you inherit a lot of the security that’s already there, so I’m reducing those costs versus having to build all that infrastructure myself.”

Discover more articles and videos now on Federal News Network’s Cloud Exchange 2024 event page.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories