4
CONSIDERATIONS
5
As part of the baseline assessment, Solution Architects should make considerations for IT security 6
including cyber security, identity, credentialing, and access management, certification and 7
accreditation (C&A), authority to operate (ATO) and trust boundaries, and network domain (e.g. 8
public, sensitive-but-unclassified, classified). Solution Architects should also evaluate the 9
resiliency requirements for the capability including disaster recovery, failover, and surge capacity. 10
Compliance requirements for Section 508 Accessibility and Privacy Impact Assessments (PIAs) are 11
crucial and support multiple open standards for geospatial information exchange and geospatial 12
search. The Baseline Assessment Matrix (Appendix E) provides a blueprint for assessing these 13
technical considerations during the capital planning and investment process. 14
It is important that Agencies consider the maturity of the investment and not just the technical 15
capability as part of the baseline assessment. Factors to consider are: 16
• Where is the investment in its lifecycle? Is the technology near end of life or still 1
emergent? 2
• What is the schedule for technology refresh? 3
• What is the concept of operations for operating and maintaining the investment? 4
• How are technical support services provisioned? Is training or help desk support 5
available? 6
• Does system have a completed certification and accreditation package or authority 7
to operate? 8
• Is the investment compliant with Agency enterprise architecture policy? 9
• Is the investment compliance with federal privacy and accessibility requirements? 10
6.7.1 CLOUD
11
The Federal Cloud Computing Strategy states that, “When evaluating options for new IT 12
deployments, OMB will require that agencies default to cloud-based solutions whenever a secure, 13
reliable, cost-effective cloud option exists.”132 The OMB also requires a Cloud Computing
14
Alternatives Evaluation133 for an agency’s capital planning submission specifying a cloud
15
alternative was evaluated for the investment or components/systems within the investment, per 16
the Cloud First policy. All investments should answer this question regardless of the overall 17
lifecycle stage of the investment, as operational investments may consider performing such an 18
evaluation during or as a result of an operational analysis. The evaluation should indicate one of 19
the following answers: 20
1. The agency evaluated a cloud alternative and chose a cloud alternative for some or all of 21
the investment. 22
2. The agency evaluated a cloud alternative but did not choose a cloud alternative for any of 23
the investment. 24
3. The agency did not evaluate a cloud alternative but plans to evaluate a cloud alternative 25
by the end of the Base Year. 26
4. The agency did not evaluate a cloud alternative and does not plan to evaluate a cloud 27
alternative by the end of the Base Year. 28
As part of that evaluation, the Solution Architect and Program Manager should develop an 29
operational requirements document (ORD) that is cross referenced against the Baseline 30
Assessment Matrix. These artifacts should serve as the basis of comparison for completing the 31
cloud computing alternative analysis. The evaluation process should be conducted in two phases. 32
132
Office of Management and Budget, Federal Cloud Computing Strategy, February 8, 2011.
The first phase should identify commercial and federal government candidates from a functional 1
and technical perspective and flag these for further evaluation. An application is considered viable 2
if it passes all the steps of the evaluation process as discussed in the following paragraphs. If 3
Phase 1 identified no viable solutions, the alternative analysis would have concluded at the end of 4
Phase 1 and the recommended alternative would be custom build-out or maintain the status-quo. 5
The second phase should perform a comparison of the costs, benefits, and risks associated with 6
each of the potential solutions identified in Phase 1 and the costs, benefits, and risks of custom 7
build-out or maintaining the status-quo. 8
6.7.1.1 PHASE 1 PROCESS
9The Phase 1 evaluation process contains several steps that serve as filters to either eliminate 10
solutions or pass them on for more detailed evaluation. Each step answers a particular set of 11
questions: 12
• Step 1 – Does the solution provide geospatial cloud services (i.e.; operational 13
requirements)? Does it appear to be a good choice for the Agency’s operating 14
environment? Only the solutions with “yes” responses are passed to Step 2. 15
• Step 2 – Does the solution feature appropriate technical capabilities? How does it 16
compare with other solutions? Only applications with the highest technical 17
capability scores are passed on to Step 3. 18
• Step 3 – Are technical capabilities present in a robust, flexible, and easy-to-use 19
fashion? Will the solution be difficult to integrate with the Agency’s operating 20
environment and existing geospatial software packages and systems? Only 21
applications that appear to have a high probability of success will be passed on to 22
Step 4. 23
• Step 4 – Is the solution proven technology currently used within the Agency or 24
other federal agencies? Consult technical experts about the suitability of the 25
solution to meet Agency operational requirements, how it compares with its 26
competitors, current user base, financial stability of the vendor, future viability of 27
the solution. 28
6.7.1.2 PHASE 2 PROCESS
29The Phase 2 evaluation process compares the most viable candidate identified in Phase 1 to a 30
custom-build-out or maintain status-quo approach in terms of cost, benefits, and risks. 31
• Step 1 – Costs. For custom build-out or maintaining status-quo, use Agency 32
infrastructure pricing, supplementary GSA software licensing and existing 33
FTE/Contractor rates. For viable alternatives, compute the cost by adjusting the 34
Agency cost factors for items that will be eliminated or changed to accommodate a 35
commercial solution. Add the costs to acquire the commercial solution. Compare 1
the two costs. 2
• Step 2 – Benefits. Identify a set of possible benefits. Ascertain the probability that 3
these benefits will occur with the commercial solution and with a custom-built 4
solution. Compare the two results. 5
• Step 3 – Risks. Identify the risks for both solutions, along with the probabilities that 6
the risks will occur and the impacts of those occurrences. Compare the two results. 7
• Step 4 – Compare costs, risks, and benefits. Recommend a solution. 8