An analysis of the U.S. Federal Government (Fed) cloud strategy and implementation progress to date is an interesting exercise given the scale of the undertaking (the Fed’s IT budget peaked at $83B in 2013) the complexity of the requirements (e.g. securing classified information), the estimated size of the cloud spend (estimated between $1.4B and $7B per year) and the implementation details (e.g. the creation of the AWS GovCloud Region). The Fed cloud strategy and adoption details are publically available for study and comparison to private sector approaches.
The U.S. Fed began transitioning to cloud computing in 2009. In 2010 the Fed issued an IT “Cloud First” policy and then published the Federal Cloud Computing Strategy in 2011. The Cloud First policy has simple objectives and clearly mandates the use of the cloud specifically a directive to implement cloud-based solutions whenever a secure, reliable and cost-effective cloud option exists and begin reevaluating and modify individual IT budget strategies to include cloud computing.
The elements of the cloud strategy include:
- A mandate for agencies to use cloud computing
- A definition of cloud computing including characteristics and service models
- Cloud drivers and benefits
- Guidance on how to use the service models (IaaS, SaaS, PaaS)
- A decision framework for cloud migration including value, readiness and high-level best practices
- Planning goals and expected cost savings
The federal Cloud First Strategy is part of a broader reform of IT management that includes several cloud complementary initiatives including:
- Governance
- Commodity IT
- Program Management
- Information Security
- Datacenter Consolidation
To streamline cloud adoption in a constant fashion, the U.S. General Service Administration (GSA) established the Cloud Computing Services (CCS) Program Management Office (PMO) to help agencies comply with mandates and guidelines for moving to the cloud. The CCS provides templates for negotiated vendor contracts, cloud migration objectives and program plans.
Another initiative designed to speed cloud adoption is the Federal Risk and Authorization Management Program (FedRAMP). FedRamp provides a standard, centralized approach to assessing and authorizing Cloud Service Providers (CSPs). FedRAMP cloud service providers must pass the quality and security standards to be deemed FedRAMP compliant. Many CSPs now qualify as FedRAMP suppliers including AWS, IBM, Oracle and Microsoft.
Apps.gov was a GSA program that provided agencies with a SaaS marketplace. The marketplace however has been phased out. One criticism was that complex applications purchases where unlikely to be made through a storefront. While this program was unsuccessful, perhaps better suited to mobility, it is an intriguing approach to standardization and cloud self-service.
According to a Congressional Research Service (CRS) report, in September 2014 the Government Accountability Office (GAO) found the Fed IT cloud budget had only increased by 1%. Given the low cloud adoption rate the GAO recommended that IT investments be assessed for their suitability for the cloud and that implementation dates for cloud migration assessments be established.
A GSA study found the following barriers to cloud adoption:
- Meeting federal security requirements
- Cultural barriers
- Meeting network requirements
- Staff expertise including cloud acquisition
- Funding the implementation
The security concern is an interesting paradox since the CRS report acknowledges inherit security advantages of the cloud due to the economy of scale for cloud security investments, but notes a barrier to cloud adoption of lingering, cultural mistrust of cloud security. This attitude is also ubiquitous in the private sector even in the face of massive and pervasive security breaches of private data centers.
While Fed cloud adoption has been slow, some proof points such as the CIA $600M AWS project suggest progress. The classified project has a major milestone on February, 2015.
Doug Wolfe, the CIA’s chief information officer, said during an industry event on Wednesday (Feb. 25) that the AWS cloud has achieved “final operational capability.” Earlier this month, the CIA cloud vendor released details of its AWS GovCloud described as “an isolated AWS Region designed to allow U.S. government agencies and customers to move sensitive workloads into the cloud….”
The InformationWeek article 5 Early Cloud Adopters In Federal Government lists the Department of the Interior (DOI) $10 billion plan to migrate its IT operations to the cloud. Department of Agriculture (USDA) has become a FedRAMP certified CSP itself and launched an IaaS offering, NASA established its own private cloud-computing data center in 2009 called Nebula, and the National Oceanic and Atmospheric Administration (NOAA) signed an $11.5 million for cloud-based unified messaging services.
These Fed early adopters along with the CIA cloud project, which could also help elevate security concerns, may well push the Fed cloud adoption over the tipping point. The ever increasing data volumes and reductions in IT data center budgets will continue to pressure government agencies to adopt cloud technologies. The cuts to the Feds IT budget, $2.4B in 2015, will effectively starve existing data centers and force consolidation and migration to the cloud over time.
The IT bureaucracy that supports federal agencies is obviously fragmented, risk adverse, and resistant to change. The Fed IT is likely more complicated than the environment most of us manage. Given that there is positive momentum and real dollar savings behind the Fed Cloud First Strategy, corollaries and related action items can be drawn within the public sector namely:
- Adopt a Cloud First mandate within a formal Cloud Strategy
- Include cloud adoption a part of a larger modernization and digital transformation IT strategy
- Categorize the application portfolio as candidates for cloud adoption based on innovation, risk and costs
- Standardize on cloud service providers, implementation and migration approaches
- Create a means to govern cloud provider adoption and self-service
- Force a budget shift from data center to cloud and modernization (starve the data center)
- Recognize and mitigate adoption barriers including standards and certification for cloud security.
Another step towards cloud adoption is to establish a Cloud future-state vision and a roadmap to get there in terms of people, process and technology. The vision should include the future-state IT architecture and also the impact and benefits to the business. Ultimately a cloud adoption can be tied back to the customer’s experience with the cooperate brand and can potentially revolutionize the business model.