Better standards, more sharing seen as keys to cloud adoption

While the Federal Risk and Authorization Management Program is helping agencies gain faster access to cloud services, additional standardization and data sharing could make the process much easier, government officials said at a Sept. 26 event hosted by the Cloud Computing Center of Excellence and the Cloud Computing Acquisition Forum.

"FedRAMP has been a big help with scaling down the number of controls that we need to evaluate, but the information is not consistent on various controls between" different cloud service providers, Andrea Simpson, chief information security officer at the Corporation for National and Community Service, said.

Simpson is looking for a way to evaluate common security concerns under documentation that is consistent among CSPs.

Former Federal Communications Commission CIO David Bray raised a similar point, saying that it would be far more useful if agencies would share not just their FedRAMP authorities to operate, but details on the actual control sets that were tested. Agency authority-to-operate standards are "too high level," he said, for another agency's CIO to fully trust that they fully address his or her project's needs.

Tony Cossa, director of cloud strategy and policy at the Department of Agriculture's CIO office, said it would be helpful for government and industry to come together to create frameworks to review cloud services. The Cloud Acquisition Professional's Cloud Adoption Survival Tips, Lessons and Experiences Guide is the first attempt by government officials to work together to help agencies procure cloud services.

The "Combined Cloud Computing Conversation" event also looked at drafts of publications, including a dictionary of cloud computing terms and two separate common contracting issues and procurement guides for the civilian and defense agencies.

Rob Wuhrman, enterprise solutions architect at the General Services Administration's Unified Shared Services Management, said he sees the guides as part of an effort to help agencies think about cloud adoption in an agile manner. With an IT service such as email that every agency uses, agencies should be able to benefit from an "a la carte marketplace" to get preapproved services from a few software-as-a-service providers at a lower cost.

The mission for each agency is "important, and we need to get it right," Wuhrman said. "Part of getting it right it is having the infrastructure, tools and the capacity to understand those missions. Cloud has the ability for continuous modernization, which can help us."

The CASTLE Guide is a working document, and more input from various stakeholders and agency leadership is in the works. Wuhrman sees the guide as particularly helpful for smaller agencies that may not have the resources to evaluate cloud resources.

"We want to help reduce the friction points and help agencies where it could take months to evaluate services," Wuhrman said. "We think that we can reduce the time that it takes for approvals from over a year to months or days."

For Department of Defense, the CASTLE Guide already is proving helpful for lawyers and acquisition officers to put appropriate language into their cloud services contracts, said Jodi Cramer, senior air staff counsel for information law in the Administrative Law Directorate in the Air Force's Office of Judge Advocate General.

Due to the breadth of defense missions, Cramer said it is hard for agencies to share resources. "You need to have multiple contracts for different financial systems and multiple vendors and options for different agencies," she said of the challenges in creating a shared services ecosystem across government.

In terms of next steps, Richard Blake, GSA's deputy assistant commissioner leading the Common Acquisition Platform program office within the Office of Systems Management, sees addressing the money questions as key.

 "We need to develop some type of contract that deals with the cloud specifically so we can look at time and materials as part of the scope," he said.

And if agency budgets for fiscal year 2018 are as expected, Bray said, innovation in the cloud space could be forced upon agencies to conserve resources.

"Innovation can be driven by resource-scarce environments," he said. "And I think skillful CIOs and other IT leaders will go to their heads of departments and make a business case, saying, 'If you want to actually do more in this austere environment, you'll only get there if we move off these legacy systems.'"

This article originally appeared in GCN.