Call it the HealthCare.gov effect, as cloud computing seems to have caught the attention of Capitol Hill.
When a dramatic failure happens, lawmakers spend a lot of time and energy trying to find out the reason for the failure — of course never looking in the mirror for the root cause of most problems. And then, members of Congress start to listen more intently to industry and agency experts.
The latest case in point is a second bill out for discussion that will make it easier for agencies to buy commercial cloud services.
The Senate IT working group, led by staff members from the offices of Sens. Tom Udall (D-N.M.) and Jerry Moran (R-Kan.), has put out to industry a discussion draft that would improve the cloud cybersecurity program known as the Federal Risk Authorization and Management program (FedRAMP), create a fund run by the General Services Administration to pay for agency cloud implementations and transitions, and require better agency inventories of legacy systems that could be candidates to move to the cloud.
“The timing is really good,” said Rich Beutel, a former Hill staff member who has been one of the driving forces behind the Federal IT Acquisition Reform Act (FITARA) and is now president of Cyrrus Analytics LLC. “Everything in the bill is focused on giving the necessary tools to OMB to get agencies to transition and go to cloud. It’s about cybersecurity by design and we will never get to where we need to be unless we do these transitions. With the old legacy systems, you can’t shrink wrap cyber around them. I think the Chinese hacks and the OPM data breach are giving a strong tailwind to OMB’s desire to fulfill the power of its Cloud First policy because of its path forward for cyber and enhanced digital services.”
Beutel said that, much as the debacle during the development of the HealthCare.gov website helped push FITARA front and center, the OPM data breach and similar cyber attacks will do the same for cloud.
Industry is paying close attention. One industry expert, who requested anonymity to discuss the draft, said generally speaking contractors are supportive of the bill’s objective and the goals of the Senate IT working group.
“Right now there seems to be a lot of critical mass around this proposal, at least from the industry side,” the industry expert said. “The companies have been working with Senate principals for a longer period of time on these issues, some of which were in the original FITARA bill. Many in industry believe that there has not been sufficient movement around embracing the commercial cloud for a variety of reasons, including funding, security and about 10 other things in between making the topic worthy of attention and legislation.”
Rep. Will Hurd (R-Texas), chairman of the Oversight and Government Subcommittee on IT, also is paying close attention to the issue and whether Congress needs to lend a hand.
Sources say Senate lawmakers intend to introduce the cloud bill as a standalone piece of legislation toward the end of February, but their long-term objective is to fold the provisions into the 2017 Defense Authorization bill.
“No one is running around with hair on fire about the bill,” said the industry source. “I think there are things people have questions about, but I don’t think there is anything we can’t find a middle road on and come to consensus about. We’ve been working with this group now for over two years. Conversations have been going and we know this is a well-intentioned bill and moving in the right direction.”
Beutel said the changes to FedRAMP and the cloud transition fund, which GSA would run, are the two provisions that would be most impactful.
On FedRAMP, Beutel said there are some ongoing challenges with getting vendors through the Joint Authorization Board (JAB) approval process. The JAB is run by the CIOs of GSA and the departments of Defense and Homeland Security.
First off, the bill would promote reciprocity with existing international standards such as ANSI or ISO as long as they meet or exceed the federal cyber requirements.
Second, it would let the FedRAMP program management office charge vendors a fee for incomplete cloud security packages. Beutel said the program office has expressed concerns that industry is submitting inadequate documents, causing delays and now a backlog that includes about eight contractors currently awaiting JAB approval.
Beutel said the idea for a transition fund is based partly on the money Congress allocated to DHS for the continuous diagnostics and mitigation (CDM) program and partly on a revolving fund at DoD for emergency shipping needs.
“There are several open issues, including one thing people are struggling with is whether the fund should be set up with initial appropriations like CDM? And if so how should it be replenished?” he said. “A better approach may be for agencies to keep cost savings from moving to cloud and contribute some or all of that back to the fund. That requires a lot of thinking about how to do it, particularly from a fiscal perspective and how should agencies get credit for cost savings. Or if it’s like other revolving capital funds, could there be a fee applied that helps replenish it?”
While the Senate IT working group continues to work through these and other questions about the bill, there is a huge push coming from OMB through FITARA as well. As agency CIOs implement the law, transitions to cloud will take front-and-center to swing the pendulum away from spending so much on the operations and maintenance (O&M) of legacy IT systems.