What Contractors Should Know about OMB's New Draft “Cloud Smart” Strategy

The Office of Management and Budget released a draft of its “Cloud Smart” strategy this week, providing the first new comprehensive guidance for federal agency cloud adoption since the publication of the “Cloud First” initiative back in fiscal year 2011. The new strategy takes a holistic approach to cloud adoption by combining consideration of security, procurement, and workforce policies in a single document, not dealing with these issues in isolation. The result, OMB hopes, is a draft strategy that provides agencies “with the tools needed to make informative technology decisions in accordance with their mission needs, and leverages private sector solutions to provide the best services to the American people.” What’s in Cloud Smart and what are the business implications for industry?

Security

A large portion of the Cloud Smart document discusses issues related to cloud and cybersecurity. Recommendations include the following:

• Move security controls from the network perimeter closer to the data itself.
• Improve the visibility of data, both on-premises and in the cloud.
• Establish agency-specific solutions to alleviate performance degradation issues related to Trusted Internet Connections (TIC) policies until those policies can be modified.
• Develop a governance model for cloud-hosted data that aligns with agency identity and credential management systems. Additionally, where a cloud solution is deployed by a vendor, put a Service Level Agreement in place that provides continuous monitoring of its data.
• Leverage cyber expertise in the FedRAMP program.

Implications

Certain cybersecurity challenges related to cloud rely on larger-scale policy shifts that are still to come (e.g., TIC), although agencies are increasingly getting around TIC by using waivers. Other recommendations focus on improving data security, not perimeter security, which are capabilities that industry partners already provide through automation and dashboards. Expect requirements increasing data visibility and monitoring to become more common. Vendors should offer intuitive and simple-to-use solutions.

Procurement

Changes in the way agencies procure cloud solutions could prove the most significant part of a new Cloud Smart strategy for vendors. Recommendations are as follows:

• Agencies should leverage the government’s bulk purchasing power and shared knowledge of good acquisition principles.
• Agencies should employ category management to improve buying practices that support Cloud Smart strategies, increase adoption of proven cloud vehicles, and develop new vehicles to address emerging demands.
• Ensure that contracts for procuring commercial items include clauses applicable to the acquisition of commercial items, or that are consistent with customary commercial practice.
• Ensure that contracts for High Value Assets, including those managed and operated in the cloud, ensure visibility into the security of the asset. Additionally, agencies should include requirements for developers, manufacturers, and vendors to employ systems security and privacy engineering concepts.

Implications

The terms “bulk purchasing power” and “commercial items” are flags here. OMB guidance, work at the General Services Administration, and the authorization of new procurement powers for the Department of Defense have been directed at making it easier for agencies to buy commercial items and services. It is too early to tell, but industry could be seeing the start of a government-wide push to use things like Commercial Solutions Offerings and Other Transaction Agreements for buying cloud. Additionally, the focus on category management is an important sign that OMB, through GSA, intends to push more cloud buying through so-called “Best-In-Class” contract vehicles like Alliant.

Workforce

The area of the document that outlines the most opportunity for vendors, OMB argues that federal employees need to be re-skilled to accommodate new technologies like cloud. In addition, OMB calls for faster and more extensive hiring of personnel with experience engineering and managing cloud approaches.

Implications

Agencies have always played catch-up finding personnel with the skill-sets necessary to adopt new technologies. These skill gaps provide opportunity for vendors, as they are the ones best positioned to offer skilled personnel on an expedited basis. Industry partners will also be needed to train government personnel in new cloud management capabilities.