Under cloud smart, application rationalization takes center stage


It’s official: Agencies now must be cloud smart versus cloud first. The Office of Management and Budget today released the final version of the cloud smart strategy that aims to bring together a broader coalition of agency executives to push IT modernization faster and further.

“With today’s updated Cloud Smart Strategy, we are providing supporting guidance that addressed historical barriers and embodies an interdisciplinary approach to use of cloud capabilities in the IT modernization journey,” said Suzette Kent, the federal chief information officer, in a statement.

The final strategy comes nine months after OMB issued the draft version and reviewed more than 40 comments.

In the end, OMB made few significant changes to the strategy, retaining the focus across three pillars: security, acquisition and workforce.

“Cloud Smart operates on the principle that agencies should be equipped to evaluate their options based on their service and mission needs, technical requirements and existing policy limitations,” the strategy states. “Computing and technology decisions should also consider customer impact balanced against cost and cybersecurity risk management criteria. Additionally, agencies need to weigh the long-term inefficiencies of migrating applications as-is into cloud environments against the immediate financial costs of modernizing in advance or replacing them altogether.”

In the nine months since the draft strategy, OMB says it completed 9 of 22 action items, including creating a cloud information center in the General Services Administration and launching the federal reskilling academy.

The one major update to the draft strategy is the focus on application rationalization.

OMB said agencies can drive more cloud adoption by:

  • Assessing the need for and usage of applications.
  • Discarding obsolete, redundant, or overly resource-intensive applications.

“Decreased application management responsibilities will free agencies to focus on improving service delivery by optimizing their remaining applications,” the strategy states. “To support these rationalization efforts, the CIO Council will develop best practices and other resources.”

In fact, the CIO Council released an application rationalization playbook in May and made it public last week.

“The playbook is one of three interconnected policy strategies that all work together. The data center optimization initiative (DCOI), cloud smart and application rationalization [playbook] feed into, and off of, each other,” said a GSA spokesperson in response to questions from Federal News Network. “The application rationalization process supports optimization and/or closure of federal data centers, as agencies methodically parse through their enterprise IT portfolios and make informed business decisions on where to house applications and data. Agencies can determine whether the existing ‘as-is’ environment, or a proposed ‘to-be’ configuration is the best fit for their core mission, based on cost, business resiliency and service delivery. This rationalization process feeds directly into cloud smart decisions. As we streamline existing data centers, efficiency decreases, eventually leading to closure.”

The playbook defines six steps to help agencies identify and assess their application needs.

“This playbook is a practical guide for application rationalization and IT portfolio management under cloud smart,” the playbook states. “It is intended to help portfolio managers think through their agency’s approach to IT modernization. There is no one-size-fits-all application rationalization process, so agencies need to tailor their approach to fit mission, business, technology and security needs.”

Source: CIO Council’s Application Rationalization playbook

Industry sources say OMB is expected to issue the final data center consolidation and optimization policy in the coming week. Kent issued the draft data center policy update in November.

Alla Seiffert, director, cloud policy and counsel at the Internet Association, said in an email to Federal News Network that the push for application rationalization is part of how cloud smart is incorporating private sector best practices.

“Rationalization is a way to guide agencies on a path to cloud maturity – with the goal being to get to proven, modern practices such as Dev/Sec/Ops,” Seiffert said. “Starting with rationalization will help agencies see that risk is something to be managed in partnership with industry. Increasing technical competency of program and acquisition folks will lead to better buying and deployment decisions.”

Flexible and adaptive

Mike Hettinger, founding principal of Hettinger Strategy Group, said all of these new policies and strategies will help agencies gain a fuller picture of how they plan to take advantage of emerging technologies.

“Cloud smart lays out a different vision for cloud than the prior policy, one where agencies are asked to look closely at how technology can enhance mission and service delivery and choose the right solution for their individual needs. Not everything can or should be hosted in a public cloud and the new policy seems to recognize that fact,” Hettinger said. “The new policy appears flexible and adaptive.”

One area where the flexibility is clear is around the Trusted Internet Connections (TIC) initiatives. OMB, agencies and industry recognized that the 2007 TIC policy made it more difficult for agencies to move to the cloud.

“These newer, less rigid approaches will be incorporated into updated TIC Reference Architectures to highlight use cases wherein security objectives can be met without routing all traffic through a prescribed set of physical access points,” the cloud smart strategy states. “The TIC Reference Architectures will also demonstrate how different use cases that do not require traffic to be routed through a TIC can address the requirements for government-wide intrusion detection and prevention efforts, such as the EINSTEIN Program while also incorporating DHS-designated controls, which have been designed to ensure a baseline level of security across the federal enterprise.”

OMB also is expected to finalize the TIC 3.0 policy in the coming weeks after issuing an updated draft in December.

SLAs for cloud

Another area where OMB is pushing the need to be flexible and adaptive is around the procurement of cloud services.

OMB says agencies should evaluate their business processes and update their business continuity and disaster recovery plans as part of their acquisition strategy and planning to move to the cloud.

The cloud smart strategy promotes the idea that service level agreement clauses should be consistent with statutory requirements, based on commercial best practices, or both.

“An important element of acquiring cloud services is clarity in what services a cloud provider performs and at what level. Therefore, to facilitate effective risk management by way of their relationships with commercial cloud service providers, agencies should granularly articulate roles and responsibilities, establish clear performance metrics and implement remediation plans for non-compliance,” the strategy states. “Such governance, architecture and operational clarity would help ensure that services are performed as intended, and — when paired with the right SLA language — would offer agencies a way to mitigate risk while optimizing the performance and efficiency of their newly procured cloud-based solution.”

Finally, OMB spends a lot of time in the strategy focused on ensuring the federal workforce is prepared to work in a cloud-based environment.

Seiffert said the strategy broadens the view of cloud from “lift-and-shift” to a more continued discussion in which agencies weigh risks.

“The strategy frames government IT modernization not as a destination, but as a continued commitment to paying down technical debt and designing better service delivery. Moving to the cloud enables broader rationalization and rethinking of service delivery and application design,” she said. “The strategy contains helpful reminders about the importance of cross-functional teams in both buying and deploying FedRAMPed solutions. This underscores some important lessons learned from places like DHS’ Procurement Innovation Lab, GSA’s 18F, and the U.S. Digital Service.”

Copyright © 2019 Federal News Network. All rights reserved.