In order to get more government agencies to transition to the cloud, agency experts said that the procurement process has to become easier and clearer.
David Bray, the outgoing chief information officer at the Federal Communications Commission (FCC), said there is less than 10 percent cloud adoption across the Federal government.
“Until you make procurement easier than procuring things on-prem, don’t be surprised when people don’t go there,” Bray said at the Combined Cloud Computing Conversation on Sept. 26.
Bray said that a viable option to cloud acquisition is considering an “a la carte” cloud marketplace, where agencies could pay by use for Software-as-a-Service (SaaS) applications. The Cloud Center of Excellence, an interagency group of technology leaders, hosted by the General Services Administration, has been working on a CASTLE cloud acquisition guide, and a framework for the “a la carte” marketplace.
Rob Wuhrman, enterprise solutions architect within Unified Shared Services Management (USSM) at the Office of Government-Wide Policy at GSA, headed up the “a la carte” strategy for the Cloud Center of Excellence. Wuhrman is working on a sample interagency agreement to buy cloud services together and pick and choose the services that each agency needs from the cloud providers. Wuhrman said that he wants agencies to be able to research what’s available in the marketplace in one location and make educated decisions on what solution is best.
“Do all agencies need to do market research on the same kinds of commodities?” Wuhrman said.
Once the cloud acquisition guide and interagency agreement are released, Wuhrman said that he hopes to present them to government and industry leaders as a framework to conduct procurement. The CIO Council is also working on a document that explains fundamental capabilities that agencies expect from SaaS applications for industry to reference.
Agency leaders also expressed the need for cloud procurement experts to spend time with different agencies to help them get to the cloud.
“If 18F and USDS really want to show their value, they would rotate in and out of agencies to help them move to the cloud,” Bray said.
The cloud acquisition guide is meant to be a map for agencies to figure out where they are in the cloud procurement process and find out where they need to go.
“Wherever they are in their journey, wherever they are in the process of moving to the cloud, they could use some help,” said Richard Blake, deputy assistant commissioner for the Common Acquisition Platform program office at the Office of Systems and Management at GSA.
Blake said that the future for the Cloud Center of Excellence could be to send teams out to agencies to help them transition to the cloud.
“Focus on knowledge acquisition first,” said Syed Azeem, senior IT project manager at the Department of Labor. “Try to leverage the work that’s already been done. Stand on the shoulders of giants.”
Despite the convergence of cloud knowledge, agencies still struggle with security concerns when moving to the cloud.
Andrea Simpson, chief information security officer for the Corporation for National and Community Service (CNCS), said that when the cloud-first strategy first came out, she had to understand the security concerns of a new environment. Simpson said that now that vendors have to go through the FedRAMP process, she is confident that they meet certain security standards.
Simpson said that the challenge that she still sees is deciding what security controls are the responsibility of the vendor versus the responsibility of the government in a cloud service provider environment.
“Yes, they can do it better, but that doesn’t take away the government’s responsibility for oversight,” Simpson said. “FedRAMP has definitely been a big help in terms of scaling down the controls.”
One way that the Cloud Center of Excellence has attempted to tackle this issue is to include all the government’s cloud service regulations in the cloud acquisition guide for industry to use as a reference, and for government agencies to include in their contract language.
“When you give a company all your data, there’s a lot of liability there,” said Jodi Cramer, senior air staff counsel for Information Law, Administrative Law Directorate, at the Office of the Judge Advocate Counsel at the Department of Defense. “Unfortunately, a lot of laws are old and we have to figure out how to enforce those laws in a cloud environment. We’re not just trying to be mean.”
Cramer said that she has received pushback from vendors on the physical access requirement for law enforcement. Cramer explained to vendors that law enforcement won’t “show up on their doorstep at 2 a.m.” Instead, law enforcement will make appointments or consent to send third parties if they want to conduct audits on the systems.
“If you’re concerned about the cloud,” Bray said, “I would say, if you’re doing your own data centers right now, you’re a cloud to a third party.”