The Trump administration on Sept. 24 unveiled its federal cloud computing strategy, dubbed “Cloud Smart,” the long-awaited sequel to the Obama administration’s “Cloud First” strategy, issued in 2010.
According to the report, Cloud Smart “focuses on equipping agencies with the tools needed to make informative technology decisions in accordance with their mission needs, and leverages private sector solutions to provide the best services to the American people.”
Cloud First came at a time when cloud computing was still a relatively new technology. Bloomberg Government estimates that the federal cloud services market has grown fivefold since 2010, from about $1.3 billion to a projected $6.5 billion in fiscal 2018. While Cloud First was an important step, the report states, it resulted in an arguably cautious approach to cloud adoption.
Cloud Smart – which integrates cloud security, procurement, and workforce strategies – aims to help agencies take the next step. Below are Bloomberg Government’s top three takeaways about how the report will impact government contractors.
1. FEDERAL CYBERSECURITY POLICIES MUST EVOLVE.
Cloud Smart builds on the case first made in the 2017 Report to the President on IT Modernization that certain governmentwide information security policies have become an impediment to cloud adoption and must be revised. For example, defenses like the Trusted Internet Connections (TIC) program, which focuses on shrinking the number of approved access points onto federal networks, is no longer sustainable in its current form, because agencies need to take advantage of cloud and mobile capabilities that reside outside the perimeter.
Instead, agencies will need to place greater emphasis on governmentwide intrusion detection and prevention systems, such as the EINSTEIN program, and tools like cloud access security brokerage (CASB) that rely on virtual and logical — rather than physical — control of data. The Department of Homeland Security now has six months to update TIC reference architectures. This may involve close collaboration with Verizon Communications Inc. and AT&T Inc., the two contractors on Enterprise Infrastructure Solutions (EIS), which will replace Networx as the delivery vehicle for TIC in fiscal 2019.
Even the Federal Risk and Authorization Management Program, or FedRAMP, a body designed to accelerate cloud adoption by providing a standardized risk assessment process, has become sluggish as the agency-specific authorizations required to stand up a new cloud solution proliferate. The strategy authorizes the General Services Administration and Office of Management and Budget to study the authority to operate (ATO) process and develop solutions to make it more standardized, more streamlined, more iterative, and less duplicative.
Shortening the time it takes for companies to receive ATO is expected to reduce the costs of FedRAMP certification, reduce the barriers to entering the federal cloud market, attract more competitors, and expand the options available to federal agencies.
2. CATEGORY MANAGEMENT IS COMING TO THE CLOUD.
Improving the performance of IT purchasing through category management has long been a priority for federal agencies. Now that focus will be applied to cloud acquisition. The strategy calls on the GSA’s IT category manager to work with OMB to centralize information and best practices in cloud procurement in a common portal. In addition, GSA will create a Cloud Solutions Category Team (CSCT) made up of experienced acquisition and technology management staff to develop governmentwide standards.
Over the next 18 months the CSCT will “evaluate and recommend a set of governmentwide contract vehicles” that will enable agencies to “maximize the government’s purchasing power, help agencies operate more efficiently, and expand collection and sharing of governmentwide buying data,” according to the strategy. It’s not clear how many contracts will be added to the list, but good bets are governmentwide IT contracts already designated as Best-in-Class, including Schedule IT-70 and Alliant, as well as other large IT vehicles such as 8(a) STARS, Chief Information Officer – Solutions and Products 3, and the newly announced Information Technology Enterprise Solutions – 3S.
To help agencies buy and manage cloud services, GSA and OMB are seeking input from industry on best practices in cloud service level agreements (SLAs). The Defense Department also released a separate request for information on Aug. 10 seeking guidance on SLAs.
3. CLOUD AND CYBERSECURITY SKILLS ARE IN DEMAND.
Cloud Smart recognizes that limited experience and training in cloud services has constrained adoption. In response, OMB will prioritize addressing gaps in cloud and cybersecurity skills at the very top of its “most-wanted” list outlined in the President’s Management Agenda. Agency chief information officers and chief human resource officers will retrain current IT and acquisition professionals to address gaps, and redouble their recruiting efforts.
However, the overall implication of Cloud Smart’s limited workforce is that, at least in the short term, federal agencies will continue to rely heavily on contractors to guide their IT modernizations. Contract personnel will be instrumental throughout all facets of the cloud migration process, from strategic planning to more technical activities, including re-writing and re-platforming legacy applications.
Interested parties may submit public comments to OMB’s Office of the Federal Chief Information Officer until Oct. 24. In all, expect fiscal 2019 to be a big year for the federal cloud services market.