Cloud Computing in the New White House IT Modernization Plan

Published: December 20, 2017


The implications of federal IT modernization for cloud service providers.

Cloud computing in the federal government has come a long way. Remember only a few short years ago when concerns about the security of data in the cloud were cited as a primary impediment to agency adoption of the technology? Today those concerns seem to be forgotten, replaced instead with the mindset that migrating to commercial clouds will improve data security. Take for example language in the Report to the President on Federal IT Modernization published recently by the White House’s American Technology Council. Not only is the report silent on the subject of data security concerns as an impediment to agency cloud adoption, it states categorically that current policies and practices are hindering agency adoption of commercial cloud solutions that are more secure than current agency IT environments! For this reason, the ATC recommends that agencies initiate a full-scale push into commercial cloud services as a way of modernizing IT ecosystems and securing important data.

The major obstacle to agency cloud adoption outlined in the report is the existing implementation of enterprise cybersecurity tools. These tools and strategies physically consolidate network traffic “to and from federal information systems [which] hampers agencies’ ability to acquire new technologies like commercial cloud, which rely on a distributed network model and emphasize optimization of virtual rather than physical controls of data.”

Primary among the obstacles cited are Trusted Internet Connections (TIC), a legacy policy implemented by the George W. Bush administration in the years before cloud computing emerged as the next big thing. TICs have the effect of funneling agency transport networks through a very small number of portals to and from the internet. The intent of TIC policy was to reduce the number of avenues through which attackers could enter agency IT ecosystems, but the impact is constraining transport bandwidth and flexibility so much that decentralized computing architectures like cloud are rendered useless.

The solution to this challenge, continues the report, is to modernize the TIC and the National Cybersecurity Protection System (NCPS) Program to enable agency cloud migration. Achieving this goal entails updating “relevant network security policies and architectures to enable agencies to focus on both network and data-level security and privacy, while ensuring incident detection and prevention capabilities are modernized to address the latest threats.” Updating policies is the simple part of the equation. Updating agency architectures is going to take the investment of dollars and support of industry partners, therein presenting the business opportunity in this proposition.

Another part of the equation relies on improving “contract vehicles to enable agencies to acquire commercial cloud products.” This is probably the more challenging of the cloud adoption obstacles to remove because not only do federal acquisition regulations need to be changed to accommodate the purchase of cloud services as a utility, the entire budgetary process needs an overhaul. Congress took a significant step toward achieving this goal with passage of the Modernizing Government Technology Act as part of the FY 2018 NDAA, but details on how agencies can spend money on cloud using working capital funds remain to be worked out.

Finally, here are some of the other important recommendations listed in the report. I’ve added some thoughts on the implications of each point where applicable:

  • Agencies urged to migrate to cloud email and collaboration suites that leverage the government’s buying power. Implication – Practically every federal agency already uses some kind of cloud-based email. The innovation here is in the desire to “leverage the Government’s buying power.” Implied in this statement and elsewhere in the report is the desire that all agencies adopt the same cloud-based email system. Considering that Google’s Gmail and Microsoft’s Office365 solutions currently dominate the cloud email marketplace, it seems one or the other will become the standard.
  • Reprioritizing funds from obsolete legacy IT systems to modern technologies, cloud solutions, and shared services. Implication – Easier said than done. This remains a big obstacle.
  • Using agile development practices and the best practices within GSA’s Unified Shared Services’ Modernization and Migration Management Framework, where appropriate. Implication – Again, easier said than done.
  • Accelerate network consolidation and optimization. Implication – Speeding up agency adoption of everything-over-IP hardware probably means agencies will use the GSA’s new Enterprise Infrastructure Solutions contract vehicle even more than they had planned.
  • Directing the Office of Management and Budget and Department of Homeland Security to work with industry providers of Security Operations Centers-as-a-Service. Implication – Use of SOCaaS will require the TIC innovations discussed above and likely also involve the industry partners currently on the Continuous Data Monitoring (CDM) contract vehicle at DHS.

Happy holidays to all our Federal Market Analysis readers! We’ll see you in 2018.