Cloud Computing at the Department of Homeland Security

The Department of Homeland Security, formerly one of the most centralized users of cloud computing, with capabilities largely focused in its two enterprise data centers, is quickly becoming the poster child for rapid and decentralized cloud adoption. Back in 2018 the department announced two important initiatives, both of which have been bearing fruit. The first was DHS’s Cloud Steering Group (CSG), which CIO John Zangardi announced in July 2018. Composed of senior technology and management executives from across the department, the CSG coordinates paths to the cloud for group members, clarifies questions of regulatory and policy import, and develops metrics for the department’s migration to a hybrid cloud model. Three months later, Zangardi announced the formation of the DHS Cloud Factory, a Development and Security Operations organization tasked with increasing automation use, streamlining Authority to Operate certification, and addressing other technical issues of cloud importance. The lessons learned from these foundational entities can be instructive for other agencies feeling their way toward enterprise cloud adoption. They also indicate how, after many years of languishing, federal agencies like DHS are now rapidly accelerating their move to the cloud.

What does this mean for industry? For one thing it clarifies who is in charge of the department’s cloud adoption. Isolated program managers and division chiefs are no longer alone in guiding program-level decisions. For another thing, creating the CSG has also freed DHS components to develop their own strategies for cloud adoption. The Transportation Security Administration (TSA), for example, published a new cloud strategy in April 2019 that offers insight into how the agency will proceed with its migration. Here are some of the more important points and their implications:

TSA-approved Cloud Solutions and Services: The TSA notes that it will only use software solutions it has explicitly approved. Unfortunately, the strategy does not elaborate on which solutions are “TSA-approved” so contractors will need to glean that information from the agency’s new Cloud Team guiding the migration process. The implication here is clear. Do not propose proprietary solutions unless they have been approved.

SaaS and Hybrid Computing: Like the rest of DHS, the TSA is adopting a hybrid cloud model. That said, the agency states its intention to employ a Software-as-a-Service first model as its “primary approach to cloud implementation.” TSA’s primary reliance on SaaS solutions opens the door to a wider variety of small and mid-sized businesses offering cloud-based capabilities. The agency has long maintained a working relationship with Microsoft by using its Azure cloud infrastructure, so proposed capabilities should be compatible with Azure. TSA also requires that all SaaS capabilities are FedRAMP program certified.

Interoperability: Once the word that former Department of Defense CIO Terry Halvorsen said he never wanted to hear again, TSA is seeking to make its data as accessible across systems as possible. The agency is requiring therefore that solutions it will use must all be based on an open architecture. The days of proposing closed proprietary solutions at TSA are definitely over. All industry partners seeking to win bids for competed SaaS capabilities will need to ensure their solutions meet mandated interoperability requirements.