The Defense Information Systems Agency has been pushing its mission partners toward “app rationalization,” urging them to figure out what they need to operate in the cloud, and either customize or rebuild those apps to take advantage of what the cloud has to offer.
Only then, DISA’s chief of cloud services John Hale said Thursday, will agencies see cost savings in moving to the cloud.
“If you lift and shift, if you move what you have in a legacy environment and you move it to the cloud, you’re going to be disappointed,” Hale said at an AFCEA DC luncheon in Arlington, Virginia. “You’re not going to see those cost savings that the vendors promised you. You’re not going to see that massive efficiency that you’re hoping to get.”
In conversations with mission partners, Hale said they’re looking to get out of the world of “commodity IT” and shift its personnel to mission-critical functions.
“The return on investment in infrastructure-as-a-service isn’t as high as what I think agencies and organizations want it to be,” Hale said. “Where we see the biggest bang for the buck for mission partners has really been about software-as-a-service.”
In the past, Hale said there’s been bias in the agency’s IT community that “if it wasn’t built here, it wasn’t good enough for the warfighter.”
But as the IT leaders who have perpetuated that culture retire, a new workforce has come in with a new perspective.
“As our workforce is getting younger, we’re seeing more and more demand to just simply buy commercial software-as-a-service or buy [commercial off-the-shelf capabilities], and just run it the way it is, and adopt our business processes to leverage those applications or those capabilities out-of-the-box,” Hale said. “So I think you’re seeing a shift in the department to go that way.”
Bill Marion, the Air Force’s deputy chief information officer, said the service, working alongside the Army, has also turned to enterprise-as-a-service in an effort “to commoditize IT services where it makes sense for the Air Force.”
Moving to the cloud, Marion said, will also provide a better user experience and transition the service’s in-demand cyber operators into mission defense team cyber operations.
“That’s the fundamental premise of cloud. It wasn’t purely a cost-savings discussion. It certainly had a lot of security implications, a lot of repeatability with respect to agile applications, and then ultimately, the retooling of our workforce,” Marion said.
The move toward SAAS, Marion said, also enables the Air Force to run the latest versions of software and to reduce the cyber hygiene burden on its personnel.
“We were spending so much time patching servers, making sure they were repeatable. That’s one thing you get out of cloud — that massive repeatability. What it then allowed us to do was refocus those same assets on data and application security,” he said.
Ashley Mahan, the acting director of FedRAMP’s secure cloud portfolio, said her office is exploring an “an agile-like or a modular-type” of authority to operate approach.
“Right now, it’s kind of all or nothing,” Mahan said. “You have to go through this process, and then you get the authorization.”
But working with the Department of Homeland Security’s dot-gov Cybersecurity Architecture Review program, Mahan said officials can better understand what introduces the most risk and address those concerns first.
“If we can make sure we’re have the certainty that those are handled at the beginning, perhaps that gives buys us a time to start using the product sooner rather than later,” she said.