White House tilts from 'cloud first' to 'cloud smart'

The White House is refreshing its cloud strategy, shifting its policy focus from "cloud first" to an agency-specific approach and laying out a series of actions to complete over the next 18 months.

Federal CIO Suzette Kent said that the new strategy is a successor to the almost eight-year-old "cloud first" guidance dating back to the Obama administration.

Cloud first, Kent told reporters at a Sept. 24 briefing, "was released at a time when cloud computing was still new." The new strategy, out for comment in draft form, "updates the original approach and closes some gaps in policies that allow for faster adoption as well as streamlining some of the activities" based on agency needs rather than "a one-size-fits-all."

Bill Hunt, a digital services expert at the Office of Management and Budget, hinted at the policy refresh earlier this year.

Agencies will be directed to take various actions to implement the strategy over the next 18 months, for which future guidance will be rolled out. The guidance covers three main focus areas in cloud adoption: security, procurement and workforce.

"One of my goals is to ensure that we're leveraging the best practices of industry and global companies," said Kent. "What we're doing here with cloud is important not only in that but in our cyber journey as well."

On security, the policy updates Trusted Internet Connections policy and looks to push agency Continuous Diagnostics and Mitigation programs – designed for agency-owned networks – into the cloud. The policy also looks to update the Federal Risk and Authorization Management Program by which cloud systems are rated for use by federal agencies.

"In the current landscape, requiring all agency network traffic to flow through a limited number of Trusted Internet Connections is no longer feasible as a one-size-fits-all strategy," the strategy states. "This design choice has hampered agencies' ability to acquire new technologies including commercial cloud solutions, which use a distributed network model and use virtual, rather than physical, controls of data."

The policy also notes that cloud migration must be paired with encryption and identity management, and specifically notes the Department of Homeland Security's CDM program "must continue to evolve in order to equip agencies with the monitoring tools and capabilities they need to understand their cyber risk in the cloud."

The policy also states that ways agencies can accelerate shared authorizations to operate and authority-to-operate processes "will be addressed in future guidance." Also on the horizon is an update to the High-Value Asset memorandum , which offers risk management guidance to agencies.

On procurement, the policy stresses government's bulk purchasing power as it pushes cost savings, faster procurement and increased standardization as goals. Specifically, it cites category management, service level agreements and security requirements for contractors as key focuses.

Officials want agencies to assess its workforce changes and future needs associated with greater technology adoption, and directs agency CIOs and chief human capital officers to work together and analyze where agencies have skills gaps. The guidance aligns with administration efforts to retrain current employees and to improve and streamline recruiting and hiring.

Tony Scott, the federal CIO under Obama from 2015 to 2017, called the overall policy direction "sound," and applauded the emphasis areas.

"These are often the bigger barrier to modernization than are technical issues," he said.

One area Scott said he would have liked to have seen was "some strong emphasis on moving from custom one-off software solutions (in the cloud or not) to use of more SaaS cloud-based solutions as a part of this Cloud Smart strategy."

"Failure to address this forcefully will result in the government making the same mistakes it has always made, only in the cloud this time," he said.

The public comment period is open until October 24.