OMB’s Cloud First and Cloud Smart policies put a stake in the ground for how agencies can change the way they deliver services to citizens.
| What: | OMB’s Cloud First and Cloud Smart policies |
| When: | Cloud First policy released in December 2010; Cloud Smart policy released in June 2019. |
| Why it matters: | The Office of Management and Budget’s two policies are linchpins to the modernization of federal agency services. The cloud now underpins nearly everything agencies do from improving customer experience to using artificial intelligence to analyzing data to drive decision making. |
The federal government’s move to the cloud didn’t start with the Office of Management and Budget’s December 2010 Cloud First policy or the February 2011 cloud strategy.
The idea of moving data and applications out of an organization’s data center and having it hosted by a third party can be traced back to the 1990s when the term alternative service provider (ASP) first started to appear in the federal lexicon.
But what Vivek Kundra, the Obama administration’s federal chief information officer, did with the Cloud First policy was put a stake in the ground and in the heart of federal data centers.
“What we’ve been doing is we’ve also been thinking about game changing approaches, as far as how we move the federal government toward the cloud. The data centers and the infrastructure investments that have been made over the last decades, unfortunately, are duplicative, and they lead CIOs across agencies to focus purely on infrastructure, rather than thinking about how they can deliver better services to the American People,” Kundra said during a speech at the May 2010 Cloud Computing Forum and Workshop sponsored by the National Institute of Standards and Technology.
Former federal CIO Vivek Kundra’s keynote at the Cloud Computing Forum & Workshop May 20, 2010. (Courtesy of NIST)
In that short sentence, Kundra foresaw the future. For nearly every agency, cloud services underpin and support agency missions from the back office to the tactical edge.
That day at NIST, Kundra also said the cloud was giving CIOs an opportunity to ask new questions about how they invest in technology.
“What are the right candidates, as far as applications are concerned, that could be moved to the cloud without violating the privacy of the American people or compromising national security in any way? That work is well underway, and the Federal CIO Council is focused on making sure that we’re unearthing the opportunities as we move toward the cloud computing platform,” he said.
Nearly 15 years since that speech and the resulting policies and strategies — including the evolution to Cloud Smart in 2019 — agencies view cloud services as a standard option on their technology modernization menu. While it’s clear now that not everything belongs in the cloud, CIOs and program managers follow a decision matrix based on experience, mission needs and a host of other factors.
“We have had good progress. We’ve closed data centers. We’ve moved to the cloud. We’ve got folks comfortable with this. The FedRAMP program matured, so that was all good,” said David Powner, the former director of IT management issues at the Government Accountability Office and now executive director for MITRE’s Center for Data Driven Policy, in an interview with Federal News Network. “When you look at modernizing our information technology infrastructure and moving to the cloud, we’re really improving citizen services, cybersecurity and the like. But there’s also much room for improvement. In fact, one of the big things that came out of the Center for Strategic and International Studies’ Commission on Federal Cloud Policy report is if you look at enabling technologies like artificial intelligence, that requires — from a processing point of view and from the data involved with that — cloud solutions. And really where we’re at when you start looking at enabling AI tools and those types of things, there’s still a lot we could do.”
Between 2010 and 2022, OMB said agencies have closed more than 736 data centers, which resulted in savings of more than $4.9 billion.
Spending and the use of cloud services also has skyrocketed. The CSIS commission estimated agencies spent about $17 billion on cloud services in fiscal 2024.
But closing data centers and calculating spending aren’t necessarily the only measures of the impact of the cloud policies over the last 15 years.
Powner said today agencies are more nimble, flexible and in a much better position to use emerging technologies.
“We weren’t talking about AI in a big way when all this got started, but we’re in a position to leverage AI models much more with these cloud solutions and the flexibility we have with processing and data storage and the like. So I think we’re really at a good point in time,” he said. “When you look at where we’re at today, to keep the momentum going, I do think an update to the Cloud Smart policy would be helpful. These thoughts about enhanced security, enhancing mission improvements, zero trust principles and so much more could be more implemented into what we do from a cloud point of view. I like the idea of updating policies — continue to make it an OMB initiative — and I also like the idea of having targets to measure progress.”
Suzette Kent, the former federal CIO during the first Trump administration and author of the Cloud Smart strategy, said the evolution of cloud services from first to smart was a recognition that initial considerations about the benefits of cloud services didn’t always come to fruition.
She said Cloud Smart showed agencies they needed to develop new processes and skillsets for buying, managing and using technology. She said the impetus to move to Cloud Smart from Cloud First was, in part, driven by understanding better the potential and pitfalls that cloud brought.
“What I didn’t see was there weren’t levers for what should I do to keep the policy evergreen, and that was a big part of our work with Cloud Smart. Although I’m a proponent of cloud, I absolutely agree it’s not the right answer for everything. Sometimes there’s reasons of security, sometimes there’s reasons of cost,” Kent said in an interview with Federal News Network. “It was about what are all the questions that should be asked to utilize the technology in the best mission purpose, but also efficient and fiscally sound. That’s what we tried to do. As we were doing that, that whole application rationalization piece came along with it too, because we realized a lot of people when they did Cloud First, they just moved stuff over there. They basically said, ‘I’m not going to run my servers and you’re going to run my servers.’ But guess what? This is still not a great app set up. I don’t use my data efficiently. We had to embed some additional expectations that you’re asking both business questions and those functional questions, and that you’re assessing the risk level of as a service.”
The move to Cloud Smart now has opened the door even broader for the next step in the journey.
Kent said agencies are looking today to take more of an “as-a-service” approach for everything from infrastructure to data to cybersecurity, and that that evolution shows what came from the acceptance of cloud.
“Everybody understands what those are and they have matured. That maturity led to two things. It led to the federal government saying, what else could we buy like this? It also led to vendors saying, ‘what else could we offer like this?’” she said. “We could lower the cost and because we did some of that through the cloud, the consumption model became something that was an industry tool at the time that we could use. We could also do other things that were important to serving the public and making effective use of taxpayer dollars. I also think we learned some things about security and we learned some things about expectations of behavior from vendors that some were good and some were bad. We got some clear lessons about the interconnectivity between many of those things, and not only government, but our critical sector industries.”
Powner added that cloud optimization is another area where future guidance and efforts is needed.
Like with data centers, agencies easily can spin up new cloud instances without understanding what options they have in current infrastructures leading to cloud sprawl.
“The big area is going to be optimization metrics tied to mission enhancements and really tackling the legacy challenge even more,” Powner said. “The other big area is just security overall with our cloud solutions. We need to automate the Federal Risk Authorization and Management program (FedRAMP) and make it quicker and less costly. But there’s some other things we could do with FedRAMP, like, how could we do much more on the front end with the certifications? Could we do more continuous testing or a continuous authority to operate? One of the things that came up with MITRE’s Cloud Safe Task Force is when there’s a FedRAMP-certified environment and they have a change to meet a security upgrade, the change management they need to go through is cumbersome and costly. Can we make change management quicker so agencies can get enhancements to their cloud environments quicker? There’s been a lot of discussions about what are the right security metrics.”
Join Federal News Network in celebrating our 25th anniversary as we recount 25 years of major federal moments that forever changed the government, and helped shape today’s federal workforce.
Copyright © 2025 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
Jason Miller is executive editor of Federal News Network and directs news coverage on the people, policy and programs of the federal government.
Follow @jmillerWFED
