OMB finalizes "Cloud Smart"

The Office of Management and Budget's finalized Cloud Smart strategy doesn't offer much new over the draft released for comment in September 2018. OMB is looking to retool security to provide flexibility for cloud access, improve the skills of the workforce when it comes to working with cloud and refine procurement methodology to accommodate the pay-as-you-go nature of commercial cloud computing

A key aspect of the plan involves agencies going through their application inventories and "discarding obsolete, redundant, or overly resource-intensive applications" to focus on applications that can be migrated to the cloud or at least are less expensive to maintain. The Cloud Smart update was accompanied by the public release of the Application Rationalization Playbook, which delves into how technology managers should evaluate their applications for cloud migration or retirement.

On security, one big push is to update the Trusted Internet Connection policy that governs outbound agency network traffic. For years the federal government has looked for ways to harmonize its seemingly contradictory TIC and cloud policies, seeking the organizational security benefits of limiting internet access points while also migrating IT infrastructure to the cloud, which leverages multiple access points.

The "once useful" TIC is now "inflexible and incompatible with many agencies' requirements," the cloud smart strategy says, and the maturity of the private cloud market as well as an expected increase in telework means the model originally laid out in 2007 will soon become obsolete to federal IT operations.

TIC has undergone a number of revisions, and officials at Department of Homeland Security who run the program have told Congress that setting security requirements and outcomes for cloud providers, rather than routing traffic through prescribed access points, is a better policy moving forward. According to the cloud smart strategy, DHS is piloting "newer, less rigid approaches" with a number of agencies that comply with this policy and could make it easier for programs like EINSTEIN to use the added computing power to detect and prevent intrusions.

An update to the policy, including alternative models to the TIC architecture, is due from DHS within six months.

On the procurement side, the strategy says federal agencies still lack a "basic understanding of the various types of cloud services" available on governmentwide contracts and in the private sector. Many are still purchasing cloud services as an add-on to other contracts, something that OMB worries could lead to haphazard security policies and a lack of awareness about cloud assets by broader staff.

The document offers a number of common tips for buying cloud products: agencies should leverage the bulk purchasing power of the federal government through common contract solutions, attach specific performance metrics and expectations to service-level agreements and pay special attention to how providers treat high-value assets.

Many of the plan's recommendations around the workforce draw from previous research and involve adapting federal HR policies to retain high-impact IT talent with cloud backgrounds, loosening hiring rules to attract new talent and retraining current feds to become tech and cloud-fluent through programs like OMB's Reskilling Academy.