OMB finalizes "Cloud Smart"

government cloud solutions

The Office of Management and Budget's finalized Cloud Smart strategy doesn't offer much new over the draft released for comment in September 2018. OMB is looking to retool security to provide flexibility for cloud access, improve the skills of the workforce when it comes to working with cloud and refine procurement methodology to accommodate the pay-as-you-go nature of commercial cloud computing

A key aspect of the plan involves agencies going through their application inventories and "discarding obsolete, redundant, or overly resource-intensive applications" to focus on applications that can be migrated to the cloud or at least are less expensive to maintain. The Cloud Smart update was accompanied by the public release of the Application Rationalization Playbook, which delves into how technology managers should evaluate their applications for cloud migration or retirement.

On security, one big push is to update the Trusted Internet Connection policy that governs outbound agency network traffic. For years the federal government has looked for ways to harmonize its seemingly contradictory TIC and cloud policies, seeking the organizational security benefits of limiting internet access points while also migrating IT infrastructure to the cloud, which leverages multiple access points.

The "once useful" TIC is now "inflexible and incompatible with many agencies' requirements," the cloud smart strategy says, and the maturity of the private cloud market as well as an expected increase in telework means the model originally laid out in 2007 will soon become obsolete to federal IT operations.

TIC has undergone a number of revisions, and officials at Department of Homeland Security who run the program have told Congress that setting security requirements and outcomes for cloud providers, rather than routing traffic through prescribed access points, is a better policy moving forward. According to the cloud smart strategy, DHS is piloting "newer, less rigid approaches" with a number of agencies that comply with this policy and could make it easier for programs like EINSTEIN to use the added computing power to detect and prevent intrusions.

An update to the policy, including alternative models to the TIC architecture, is due from DHS within six months.

On the procurement side, the strategy says federal agencies still lack a "basic understanding of the various types of cloud services" available on governmentwide contracts and in the private sector. Many are still purchasing cloud services as an add-on to other contracts, something that OMB worries could lead to haphazard security policies and a lack of awareness about cloud assets by broader staff.

The document offers a number of common tips for buying cloud products: agencies should leverage the bulk purchasing power of the federal government through common contract solutions, attach specific performance metrics and expectations to service-level agreements and pay special attention to how providers treat high-value assets.

Many of the plan's recommendations around the workforce draw from previous research and involve adapting federal HR policies to retain high-impact IT talent with cloud backgrounds, loosening hiring rules to attract new talent and retraining current feds to become tech and cloud-fluent through programs like OMB's Reskilling Academy.

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at, or follow him on Twitter @derekdoestech.

Click here for previous articles by Johnson.


  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.