May was the three-year anniversary of President Joe Biden’s cybersecurity executive order.

At the same time, June was the five-year anniversary of the Office of Management and Budget’s cloud smart policy.

These two anniversaries mark important mileposts in agency digital transformation journeys.

The latest data from Deltek, a market research firm, found agencies could spend more than $8 billion on cloud services in fiscal 2025. That is up from over $5 billion in 2020.

As agencies spend more on cloud services and continue to have some applications and data on-premise, security in this hybrid cloud set up becomes even more important.

Agencies need tools and capabilities to monitor applications and data on-premise and in the cloud. They also need to understand the data to make faster and more accurate decisions.

At the same time as agencies are moving applications and data to the cloud and ensuring its security, they have to balance those efforts with improving the employee and customer experience.

Joe Lewis, the chief information security officer for the Centers for Disease Control and Prevention in the Department of Health and Human Services, said his agency is prioritizing the modernization of systems and workloads that serve emergency response and public health crises.

“CDC is full steam ahead on cloud migration and modernization. I think we have embraced the notion that we are going to have legacy workflows that have to reside on-premise, which means that we will perpetually live to some degree in some level of hybrid cloud,” Lewis said on the discussion Evolving Hybrid Cloud Strategies in Modern Agencies. “In that space, I feel like we are working to solve long-standing legacy technical debt problems as we modernize workloads and applications and things that historically were built in stovepipes into more enterprise level platforms that enable data sharing and visualization, and more importantly, the ability to make faster decisions around public health. It’s an exciting time. It’s probably some of the most agile work I’ve seen in my nearly 20 years in the federal space.”

At the same time the CDC is trying to modernize legacy technology, Lewis said changing organization culture is an equally important goal.

Moving to a hybrid cloud culture

He said getting employees to embrace new ways of doing business, specifically how technology can help solve more complex problems, is a key piece to the entire modernization effort.

CDC is not alone in facing this challenge. At the Transportation Security Administration, the pace of change isn’t always comfortable.

“At TSA, a real struggle of bringing people up to a certain level of saying, ‘here’s the next thing, here’s the next change,’ and that constant effort of continuous improvement has really been a real struggle of keeping everybody up to date,” said Dan Bane, the branch manager for secure infrastructure and vulnerability management in the Information Assurance and Cybersecurity Division for Information Technology at TSA in the Department of Homeland Security. “When you have large organizations bringing those people along with the IT changes that are happening so rapidly, it’s a real challenge for the organization.”

TSA has been on a modernization journey for several years, initially starting with infrastructure-as-a-service (IaaS) and transitioning to software-as-a-service (SaaS) most recently for business and mission critical functions.

“We’ve found that some of the expenses that we ran into with some of the SaaS and then also some of the complexities of the technical debt, we didn’t really have people that were really capable at deploying some of those technologies on a quick scale. Frequently the development teams were getting ahead of our security teams,” Bane said. “Our CIO Yemi Oshinnaiye has really helped us integrate a development secure operations DevSecOps approach. It’s not perfect, but we’re a lot better than we were.”

Bane’s team is working more closely now with the development teams, integrating security tools to help automate checks of code to ensure there is speed to production.

“It’s really an area where we are sitting down with an engineer and going through every setting and every activity, and then getting the monitoring capabilities for those different applications running back into our security operations center. It is a huge lift,” he said. “It really becomes an area where we are trying to standardize on a couple of different infrastructure and platforms that we try to build on top of those, instead of this service, that service, this service. Those things have taken a great deal of time, and have really impacted the IT operations’ ability to really deliver the mission capabilities of what we’re trying to do for the organization.”

Reducing tools, complexity

The need to address the culture change as part of the overall modernization journey is common among public and private sector organizations.

But one way is by reducing the number of tools any organization relies on, and then bringing them all together through a single pane of glass, said Brian Mikkelsen, the vice president and general manager for U.S. public sector at Datadog.

“Historically, you’ll have a network group, a [security operations center] group, an operations team, a development team and, then probably, all kinds of different interactions between those teams. But each of those teams have historically had their own tools. They’ll use one tool for the network; one tool for infrastructure observability; another for application performance monitoring (APM); and then something that connects perhaps legacy on-premise security and maybe another tool for cloud security,” Mikkelsen said. “A new way of thinking is built from having an end-to-end observability and security platform. One of the primary things we help customers with is tool reduction and bringing teams into a very common understanding of the health and security posture of their infrastructure and cloud architecture.”

He added by breaking down silos across disparate teams and creating a single source of truth, each of the teams have the same data and can address challenges as they arise.

Having the single source of truth also makes it easier for agencies to decide which applications can go to the cloud today, which ones will need some work, and which ones need to stay on-premise for the foreseeable future.

“What we’re doing is we’re helping federal agencies visualize and instrument their existing legacy platforms, which inherently allows them to baseline and create a roadmap for what they want to prioritize,” Mikkelsen said. “The first question I would ask is just simply, ‘whatever solutions we’re bringing to market, does this connect the dots?’ What I really mean by that is does it provide for tagging, for correlation and for automation? Or am I creating yet another silo? Or am I breaking down silos and bringing teams together? All of this connects to what we’re really trying to do, is these systems are capabilities that deliver experiences to our citizens, our employees, and so all this revolves around also citizen experience initiatives.”

Learning objectives:

• Overarching cloud strategies and where agencies stand today 
• Approaching security and compliance to PREM
• What are the meaningful priorities in the next 12-18 months