In the Report to the President on Federal IT Modernization, released publicly in 2017 in accordance with Executive Order 13800, the Office of Management and Budget (OMB) pledged to update the Government’s legacy Federal Cloud Computing Strategy (“Cloud First”). Fulfilling this promise, the Administration has developed a new strategy to accelerate agency adoption of cloud-based solutions: Cloud Smart.
Developed nearly a decade after its predecessor, Cloud Smart equips agencies with actionable information and recommendations gleaned from some of the country’s most impactful public and private sector use cases. Beyond Cloud First, which granted agencies broad authority to adopt cloud-based solutions, Cloud Smart offers practical implementation guidance for government missions to fully actualize the promise and potential of cloud-based technologies while ensuring thoughtful execution that incorporates practical realities.
The new strategy is founded on three key pillars of successful cloud adoption: security, procurement, and workforce. Collectively, these elements embody the interdisciplinary approach to IT modernization that the Federal enterprise needs in order to provide improved return on its investments, enhanced security, and higher quality services to the American people.
The Chief Information Officers Council (CIO Council) has developed a list of action items to execute the Cloud Smart strategy. These actions will constitute a work plan aimed at creating and updating programs, policies, and resources that the whole of government will use to advance the Cloud Smart agenda.
Additionally, all federal agencies will rationalize their application portfolios to drive Federal cloud adoption. The rationalization process will involve reducing an application portfolio by (1) assessing the need for and usage of applications; and (2) discarding obsolete, redundant, or overly resource-intensive applications. Decreased application management responsibilities will free agencies to focus on improving service delivery by optimizing their remaining applications.
To support these rationalization efforts, the CIO Council will develop best practices and other resources. Furthermore, while the initial Cloud Smart work plan will be executed over an eighteen-month period, its actions will be refreshed continuously as needed to keep up with the changing cloud market and emerging technologies.
Cloud at a Glance
The term “cloud” is often used broadly in the Federal Government for any technology solution provided by an outside vendor. The National Institute of Standards and Technology (NIST) defined several cloud deployment models as progressive increases in management by vendors, from Infrastructure as a Service (IaaS) where vendors provide the infrastructure and hardware, to Platform as a Service (PaaS) where vendors provide a managed environment for a customer’s application, to Software as a Service (SaaS) where vendors provide a fully managed application and customers need only supply their data.
In practice, many major vendor offerings no longer have such well-defined boundaries. Notwithstanding the term’s common usage, the term “cloud” is most accurately applied to those solutions that exhibit five essential characteristics of cloud computing, as defined by NIST: on-demand service, broad network access, resource pooling, rapid elasticity, and measured service.
These characteristics and the solutions that exhibit them are provider-agnostic – meaning anyone can develop and deploy a cloud solution, whether an outside vendor or a federal agency. Industry has moved to a more finely differentiated set of capabilities offered at different system layers, making possible nearly any combination of various components managed by either a vendor, a government agency, or a mix of both.
Industries that are leading in technology innovation have also demonstrated that hybrid and multi-cloud environments can be effective and efficient for managing workloads. As a result, the Cloud Smart Strategy encourages agencies to think of cloud as an array of solutions that offer many capabilities and management options to enhance mission and service delivery.
Furthermore, Cloud Smart operates on the principle that agencies should be equipped to evaluate their options based on their service and mission needs, technical requirements, and existing policy limitations. Computing and technology decisions should also consider customer impact balanced against cost and cybersecurity risk management criteria. Additionally, agencies need to weigh the long-term inefficiencies of migrating applications as-is into cloud environments against the immediate financial costs of modernizing in advance or replacing them altogether.
Cloud adoption strategies that successfully meet the intent of Cloud Smart should not be developed around the question of who owns which resources or what anticipated cost savings exist. Instead, agencies should assess their requirements and seek the environments and solutions, cloud or otherwise, that best enable them to achieve their mission goals while being good stewards of taxpayer resources.
Modernization and Maturity
To realize the full benefit of cloud technology, agencies must cultivate an organizational mindset of constant improvement and learning. Modernization is not a commitment that is sustained solely by interventions once every decade. Rather, modernization is a constant state of change and part of the day-to-day business of technology at every agency. Critical to fostering this mindset of constant improvement is agency leadership’s prioritization of the training and education of their staff, detailed and comprehensive migration planning, and a focus on balancing solution sustainability with the incorporation of new capabilities into agency operating environments. To that end, agencies will need to iteratively improve policies, technical guidance, and business requirements to match changing needs, drive positive outcomes, and prevent their IT portfolio from becoming obsolete.
Agencies should conduct regular evaluations of customer experience and user needs to ensure that their solutions successfully foster efficiency, accessibility, and privacy. Additionally, agencies should regularly rationalize and update their applications, migrating as needed, to reduce the risk of large-scale failure, better allocate their resources, and provide staff with adequate time to become familiar with contemporary product management techniques. Agencies must also track their growth in areas where decisions about technology intersect other disciplines. Namely, serious consideration and investment should be dedicated to the three key pillars of successful cloud adoption: security, procurement, and workforce.
… To realize not only the security benefits of cloud infrastructure, but also its benefits related to scalability and speed-to-market, agencies should utilize mature agile development practices, including DevSecOps. The use of automated and assistive technologies such as artificial intelligence and machine learning can help agencies to further improve security. Agencies should also review their IT portfolios regularly to determine modernization plans for existing tools and compare potential service offerings designated as Best In Class (BIC) solutions for maximized return on investment.
Furthermore, providing staff with training and other educational resources is essential to fostering maturity in the areas of privacy, security, and procurement. Agency IT staff should become familiar with lean product management, agile development, continuous delivery, and automated infrastructure at the team and program level as part of any modernization plan. Additionally, non-IT staff supporting privacy, security, and procurement should receive training in the multiple core disciplines outlined above. Sustained progress in these areas of staff training is foundational to the successful implementation of new cloud efforts.
Consistent with the requirements of the Federal Information Technology Acquisition Reform Act, the agency CIO should oversee modernization processes to help find opportunities for enterprise-wide improvement. Additional involvement of the Chief Financial Officer can help properly budget for planning, evaluation, and technology adoption. CIOs should also incorporate feedback from business units and end users affected by modernization projects to minimize disruption to mission delivery.
Read the full policy and implementation guidance at https://cloud.cio.gov/strategy/