The Office of Management and Budget has published its cloud computing strategy for public comment. Known as Cloud Smart, it is the first cloud policy update since the Cloud First policy was established by the Obama administration. Back then, cloud computing was still new but agencies today have a much better understanding of its benefits and challenges. A White House statement said Cloud Smart will offer a path to migrate to a safe and secure cloud network and the new strategy will support agencies to achieve additional savings, security, and will deliver faster services.
“To keep up with the country’s current pace of innovation, President Trump has placed a significant emphasis on modernizing the Federal government,” stated Suzette Kent, Federal Chief Information Officer. “By updating an outdated policy, Cloud Smart embraces best practices from both the federal government and the private sector, ensuring agencies have capability to leverage leading solutions to better serve agency mission, drive improved citizen services and increase cyber security.”
The new strategy focuses on three inter-related areas – security, procurement, and workforce – and aims to remove burdensome policy barriers.
The strategy notes that in order to realize the scalability, stability, security, and speed to market benefits of cloud infrastructure, agencies need to utilize modern agile development skills. Agencies additionally need to employ multidisciplinary practices that drive toward higher orders of automation and the use of logical controls. To better maximize return on investment, agencies should be able to compare potential service offerings and use best-in-class contracts to acquire them.
The strategy states agencies should review their information technology portfolios to determine modernization plans for existing tools. They are encouraged to perform and leverage a full system and application rationalization, and those that have not begun this process are encouraged to start immediately. As part of this effort, agencies should consider whether virtualization, containerization, and other modern practices can be leveraged to increase efficiency in agency-owned data centers and vendor offerings. In accordance with the Federal Information Technology Acquisition Reform Act, this process should be overseen by the Chief Information Officer at the agency level to help identify potential opportunities for enterprise-wide improvement.
According to the strategy, each agency should determine its own governance model for cloud-hosted data that aligns with their identity and credential management systems. Additionally, where a cloud solution is deployed by a vendor, a Service Level Agreement should be in place that provides the agency with continuous awareness of the confidentiality, security, and availability of its data.
Furthermore, agencies should be made aware if their data resides on third-party information systems, provided with access to log data, and notified promptly if a cyber-incident or other adverse event occurs. Agencies should consider having an agreement with all providers, be they federal or commercial, regarding access to and use of log data for their information security operations.
Cybersecurity requires public-private collaboration, therefore agencies and their partners should regularly engage in reciprocal information sharing in an effort to combat malicious cyber behavior.
Under Cloud Smart, a review and determination on contractual terms and conditions would be performed. Per the Federal Acquisition Regulations, contracts for procuring commercial items must include only those contract clauses required to implement provisions of law applicable to the acquisition of commercial items or determined to be consistent with customary commercial practice.
Current federal employees should be reskilled and retrained to address skills gaps, and additional recruitment should also be considered. The Bureau of Labor Statistics reports that cloud computing is a major factor in technology occupation growth, which is projected to expand 13 percent from 2016 to 2026. To this end, the strategy calls for agency leadership to “identify and promptly address bureaucratic barriers that hinder agencies from hiring talent in an expeditious manner.”
The Chief Information Officer Council and Chief Financial Officer Council will work with the Office of Management and Budget, the General Services Administration, the Department of Homeland Security, and other federal agencies to develop a work plan of actions and targeted policy updates delivered over the next eighteen months to move the Cloud Smart agenda ahead. This plan will be technology-neutral, and will consider vendor-based solutions, agency-hosted solutions, inter- and intra-agency shared services, multi-cloud, and hybrid solutions as appropriate. For agencies to remain effective in the future, these Cloud Smart actions will need to be iteratively reviewed and improved over time to keep up with the changing market and emerging technologies.