Cloud computing has become virtually synonymous with IT modernization throughout the Federal government. But the government’s cloud record has been anything but consistent and predictable, making it nearly impossible to measure progress and plan for the IT modernization efforts called for by Congress and the Trump administration.
These two challenges—modernization of Federal IT systems and the need to move to more cost-effective and agile cloud architectures—will likely go down as two of the biggest frustrations of former Federal Chief Information Officer Tony Scott, who pushed hard and valiantly to steer the ship of government in these directions.
But Scott, with the help of the Federal CIO Council, left the incoming Trump administration with an invaluable treasure trove of insights into the State of Federal Information Technology in a report released just one day before President Donald Trump took office. Drawing on candid interviews with Scott and dozens of CIOs, deputy CIOs, chief information security officers, and numerous Federal IT managers, the 155-page report characterizes 2017 as a “crossroads” for Federal IT policy, oversight, and modernization, particularly in the area of cloud computing.
Federal agencies are projected to spend more than $2 billion on cloud computing services out of a total of $80 billion in IT spending in FY 2016. “However, while agencies see value in adopting cloud-based solutions they continue to face challenges in doing so,” the report acknowledges. “Longstanding Federal procurement policies, geared towards long-term, large-scale investments, do not always support the more incremental, agile acquisition model (e.g., only buy additional capacity when it is needed) offered by cloud providers.”
CIOs also reported significant instances of confusion about Federal cloud policies and the impact those policies have on cloud service providers. “For example, the implementation of Trusted Internet Connections (TIC) requires the usage of specific government and commercial access providers, with validation checks provided by the Department of Homeland Security. A number of agencies stated that it was unclear as to whether their cloud-based providers were TIC-compliant, and the issue was further complicated by uncertainty over which policy should take precedence,” the report states.
“Additionally, the risk of vendor lock-in and concerns around multi-tenancy and data sovereignty continue to be issues,” according to CIO input to the report.
Security remains a central issue for CIOs as they contemplate moving Federal data to the cloud. And when it comes to Federal cloud security, the 800-pound gorilla sitting in CIO offices across the government is the Federal Risk and Authorization Management Program (FedRAMP), established by OMB in 2011 to provide a standardized approach across agencies for conducting security assessments, authorizations, and continuous monitoring of commercial cloud solutions.
But Federal cloud adoption rates continue to suffer. As a part of 2016 PortfolioStat, OMB set a governmentwide target of 15 percent for cloud computing adoptions. “Currently no agencies meet that level,” the CIO Council report states. “OMB also looked at FedRAMP utilization as a proxy for success adopting cloud computing solutions, but until the 2016 launch of the FedRAMP Dashboard, it was difficult to evaluate the level of agency re-use of FedRAMP packages for additional cloud provider authorizations.”
MeriTalk has documented the many trials and tribulations of the FedRAMP assessment process, including the high cost and lengthy procedures involved in obtaining a FedRAMP certification, as well as the lack of transparency in the program and the failure of agencies to share authorizations. Despite a concerted effort by the FedRAMP program office to streamline the certification process, the CIO Council report reveals that many of the same challenges continue to frustrate CIOs.
In a startling conclusion, the CIO Council report stated, “FedRAMP has not accelerated safe adoption of new cloud services.”
CIOs reported frustrations with the program’s inability to deliver on the central promise of assess once and use many times across government. In addition to not being able to find other agencies’ authorization packages for cloud services for potential reuse, there are still serious frustrations about unrealized cost savings and the need to conduct separate authorizations.
“Even once FedRAMP has issued an approval, I still need to do my own [certification & accreditation]–where is the cost savings?” one Federal CIO said. “Others indicated that FedRAMP takes so long to authorize a provider that it is not in the agency’s interest to participate. Further, even if a FedRAMP authorization is in place, the agency must conduct its own complete ATO,” the report states.