Agencies share cloud strategies, sticking points
Connecting state and local government leaders
Most bottlenecks involve security or acquisition, several IT leaders agreed. And while there's no one-size-fits-all solution, there are lessons to be shared.
The Defense Information Systems Agency is aggressively pushing commercial cloud solutions as an option for Defense Department IT needs, but DISA does not work directly with either of the largest providers. For a variety of contracting and procurement reasons, the agency goes through existing systems integrator relationships to use the Amazon Web Services and Microsoft Azure platforms.
Such use of third-party contractors makes it difficult for DOD officials to directly reach out to cloud service providers when problems arise, DISA Cloud Portfolio Office Chief John Hale said at 1105 Media's cloud event on May 3. It's just one of the obstacles the agency must navigate to get DOD systems into the cloud.
“Security and acquisition are the two major things holding back the widespread adoption of commercial cloud capabilities within our department,” Hale said.
Acquisition officers, he said, "are faced with trying to buy commercial cloud capabilities with a model that was designed to buy bolts and pencils and paper. ... it just doesn't work."
To purchase the needed cloud services, Hale explained, DISA is "using ODCs [other direct cost purchases] on existing contracts. .... That’s how we’re getting around that. It’s a bad model."
“There is a better way to handle the acquisition piece," he said, "so we are trying to work with GSA to set a new policy.”
The General Services Administration recently stood up a Federal Cloud Center of Excellence, which is tackling the biggest barriers to cloud adoption: procurement, workforce education, standardized offerings and security concerns. A playbook for agencies will be out this summer, while recommendations to the Office of Management and Budget could inform future governmentwide cloud policies.
DISA is currently in the midst of migrating DOD’s email system onto the Office 365 platform -- again through a third-party contractor. And the agency has developed a decision framework for determining what sort of cloud makes sense for a given DOD application.
“For a lot of applications, off-prem commercial cloud is perfectly fine," Hale said. Others, however, need to be in private clouds housed on DOD-controlled premises. " There is no silver bullet," he noted, "so there is going to be a mix.”
Transportation Security Administration CIO Stephen Rice, who also spoke at the event, also stressed the importance of mission-driven discussions to determine just what sort of cloud solution makes sense for each application. Many non-IT agency leaders, he noted, are surprised to learn "that there's not just one cloud." But that revelation can also open the door for frank discussions about the cost, security and complexity tradeoffs of different approaches.
TSA is currently has four data centers, Rice said, and he predicted the agency would eventually consolidate down to two. “Each mission space is going to need to have a conversation, but I don’t see the department having a nirvana when it comes to cloud,” he said.
On the security side, several speakers said they frequently encounter the assumption that a cloud service can't possibly be as secure as an agency's own facility. Chad Sheridan, CIO of the Agriculture Department's Risk Management Agency, suggested a simple myth-busting strategy.
Just take the doubters to an Amazon or Microsoft or Google cloud facility, he, said. "Then go do a surprise visit to your own data center. Tell me what it looks like."
"We’ve done that, and we’ve opened some people’s eyes," Sheridan said.
Yet Rice, Hale and U.S. Immigration and Customs Enforcement Deputy CIO Capt. Craig Hodge, said the time it takes to get a cloud service provider through the security authorization process remains a serious challenge.
“The biggest challenge is waiting for the secure process to be completed,” said Hodge. “Right now, we have worked with our agency IT teams to get back feedback, and we are talking about implementing it through our transformation steering committee.”
All four executives, however, said their agencies were moving despite the obstacles.
"We have a myriad of applications lined up waiting to go to the cloud, and in general they all seem to be waiting on the same things," Hale said. Cost savings are one motivation, he said, but "the whole point about moving to cloud is that we get applications that are more mobile and more functional."
"At the end of the day," he continued, DOD "wants to have every warfighter directly connected to them," and cloud systems are the key making that possible.
Troy K. Schneider contributed to this report.