Cloudy with a chance of murky

Chuck Aaron, the Federal Communications Commission's deputy CIO for resilience, and Stan Kaczmarczyk, director of the General Services Administration's Cloud Computing Program Management Office, possess first-rate intelligences. At least, F. Scott Fitzgerald would think so.

The famed author's characterization that "the test of a first-rate intelligence is the ability to hold two opposing ideas in mind at the same time and still retain the ability to function" certainly applies to the dichotomies faced by managers of federal cloud services.During a Dec. 3 panel discussion on mitigating cloud risks, Aaron said implementing cloud services and applications requires IT managers to think in broad strokes while never losing sight of the details.

The FCC is in the midst of overhauling its IT operations and adding cloud capabilities. In the course of that work, Aaron said, agency officials are learning to think in terms of becoming data-centric rather than application-centric. And they are considering ways to hand over data center and Web services to cloud providers while still maintaining oversight of those providers and services.

He stressed that agencies should not believe that using a cloud service provider allows them to take a hands-off approach to IT operations. Even though he said the FCC should not be in the business of operating data centers, it should not allow cloud vendors free rein once a contract is signed.

Detailed service-level agreements (SLAs) are essential, he added.

"Cloud is murky," Aaron said. "Vendors are adept at showing cloud touch points in their presentations, [but] SLAs are important" in delineating what's being provided and how. Digging deeply into how the provider has constructed its services is also crucial. For instance, "if you choose to use [a proprietary] platform for your services, you've tied yourself" to that provider.

Kaczmarczyk said that earlier this year, GSA took an important step toward streamlining how agencies buy cloud services when it released a request for information on whether to give such services a separate Special Identification Number under Schedule 70. The proposed SIN would congregate cloud providers in a single searchable class on FedBizOpps so agency customers don't have to sift through the tens of thousands of products on that schedule.

GSA has extended the deadline for RFI comments to mid-January at industry leaders' request. Providing a cloud service SIN could be a "game changer" for agencies that have been cautious about switching to cloud services. Having a single number would also allow GSA to track cloud adoption more efficiently.

Robert Bohn, cloud computing technical program manager at the National Institute of Standards and Technology, pointed out that NIST unveiled the final version of the U.S. Government Cloud Computing Technology Roadmap in October. It lists 10 requirements for cloud adoption, each of which has a list of priority action plans and target completion dates. The road map was constructed with input from industry, academia and government.

Even with the cloud guidance from NIST and a possible new cloud category under Schedule 70, Bohn stressed the importance of paying attention to the nuts and bolts of contracting.

"SLAs are not the end-all, be-all" for federal IT, he said. Agencies must consider cloud services in the context of their everyday operations. For instance, managers should consider including an exit strategy that gradually decreases reliance on a cloud provider's infrastructure and ensures that agency IT operations are not in a difficult spot when the contract ends.

And when making arrangements with cloud service providers, "don't leave important areas unspecified," he said. "Don't assume things."