Dave Nelson, the chief information officer of the Nuclear Regulatory Commission, said it just took one success and a little bit of time to get the NRC fully on board with cloud services.
The one success came from moving the NRC’s financial system to the cloud over the last few years. Nelson said the agency has saved 30 percent off the cost of its infrastructure alone by moving its first major application to the cloud.
“We have several other projects we have been working on,” Nelson said on Ask the CIO. “We just finished migrating all of our organization’s email into Microsoft Office 365. Once again, it’s been very successful and helpful in the way it gives us a lot of additional storage for email as well as access and resilience. We discovered just how powerful that was in our most recent disaster recovery exercise, understanding if our headquarters were actually to be taken out of commission, we were in a place where we could really access our email from anywhere.”
Those small steps are opening up big doors for the NRC. Back in 2013, the NRC was ready to jump into the cloud, creating a strategy and even releasing a sources sought notice seeking infrastructure-as-a-service.
But for whatever reason, whether the change of CIOs or other leadership, the NRC kept using its on-premises data centers and creating a pseudo-private cloud by virtualizing its servers.
Nelson said the NRC also is looking at putting its high performance computing capabilities in the cloud. He said the agency has tested how to spin up a lot of computing power very quickly, use it to run complex models and spin the servers back down when they are done.
“We are looking at some of our mission support type systems as well. We should have one of those major systems in the cloud before the end of the summer,” he said. “This particular migration was a little opportunistic. We were hosting this application in another agency’s data center and we were asked to leave. We took a look at what it would take to rehost it back in our own data center and what it would take to go ahead and move it to the cloud. We found it was actually easier to move it to the cloud. We had a date certain that we had to be out of this other agency’s data center so this was our opportunity to really show we could operate our mission support systems up in the cloud.”
Nelson, who came to NRC in 2016 from the Centers for Medicare and Medicaid Services, said there are certain applications that can’t be moved to the cloud today, but that may change in the future.
“The past agencies I’ve worked for, I’m a real promoter of cloud. I think it’s a great thing and I think it’s a CIO’s position to keep pushing that,” he said. “How do you show my customers how well this operates and what kind of savings are possible? How do I show the agency, how do I show my peers that this is the right direction for the agency? These are really good large applications that we can immediately see the benefits. I think everyone is seeing them personally, not just stories I have to tell.”
FedRAMP maturing, making move to cloud easier
The NRC plans to speed up its move to the cloud by awarding a cloud broker technical facilitation service contract.
“It’s part of our larger set of acquisitions in Global Infrastructure and Development Acquisition (GLINDA). That task order has yet to be awarded,” he said. “What we’ve done is a little bit novel and that is using the same contractor who is responsible for managing our data center to also act as our cloud broker and manage our cloud services once they are here. There is a real disincentive to have two different contractors. Now the one that runs your data center and watches new applications go out the door will also manage our cloud services so having that be the same contractor will be a real help for us.”
Nelson said the NRC is making the move to the cloud partly because the cloud security process known as FedRAMP has matured enough to make the security and mission owners comfortable. It’s also because of the agency’s own focus on the security of its networks and data.
“At NRC, we have a much more robust cybersecurity program. There is a huge concentration on it here at the agency,” Nelson said. “We have matured our processes as you can see from even our Office of Inspector General Federal Information Security Management Act reports from a maturity level of around two all the way up to around four. We are one of the leading agencies in this area. This was done by relentless focus. We have a daily morning call on cybersecurity, and cloud is part of what we are discussing. It’s transparent across all the groups and we have a real awareness of everything that is going on in our environment from day-to-day. We understand how our patch maintenance is going on and we know what’s going on in our cloud services as well.”
One reason the NRC is making progress on cybersecurity is that Nelson did away with having two different organizations handle compliance and security operations. He said there is one organization with experts who focus on security operations and compliance, but it holds everyone equally accountable for ensuring networks and data are secure.
“It’s much more of a team approach now. I think that’s critical. Now you can improve your policies. Now you can fill your vulnerabilities and mitigate them because everyone is on the same team,” he said.