APPLYING LESSONS LEARNED TO FEDERAL CLOUD COMPUTING

Four years after Cloud First, the level of cloud adoption varies widely across the federal

government. Recent reports from the Government Accountability Office (GAO) reveal major

disparities in progress even across some of the largest agencies. In hopes of uncovering the major challenges to federal cloud adoption today,

Government Business Council surveyed over 230 federal leaders within organizations that have implemented or are currently implementing cloud technologies as of December 2014. The lessons learned from these initial efforts will be

paramount to further progress as the federal government looks to more aggressively pursue efficiency gains from cloud computing.

Cloud Challenges Persist Despite Support for Further Progress

Mandates like the Federal Cloud Computing Strategy and individual agency modernization initiatives may have jumpstarted government cloud efforts, but implementation is still largely in preliminary phases. Despite endorsements from administration officials and employees alike, cloud computing investments still comprise less than two percent of FY 2014 IT budgets government-wide.1

These gaps in progress can be attributed to a wide

APPLYING LESSONS LEARNED TO

FEDERAL CLOUD COMPUTING

roadblocks to cloud have existed for several years without resolution and have been exacerbated by ongoing misconceptions or a lack of dedicated resources.

For instance, Department of Health and Human Services officials stated to a GAO investigator that while the agency has established streamlined

avenues for procurement in the past few years, it still lacks knowledgeable acquisition personnel to handle post-award management of cloud contracts. In addition, leaders within the Department of Homeland Security have also noted that moving more assets to the cloud requires reevaluating and configuring legacy systems to be compatible with new IT infrastructure, which requires additional staff resources.2

Federal leaders government-wide express similar concerns. When asked about obstacles to agency cloud adoption, survey respondents most commonly report a lack of in-house technical expertise, which has led to consequences both during

implementation but also later in the IT lifecycle. One

WHAT DO FEDERAL LEADERS THINK OF

THEIR AGENCIES’ PROGRESS IN

IMPLEMENTING CLOUD COMPUTING,

AND WHAT CAN AGENCIES DO TO

OVERCOME THEIR ONGOING OBSTACLES?

3

Level Agreements(SLAs)]”3 _{as an unanticipated}

challenge his or her agency experienced since moving to the cloud. Respondents attribute challenges like these to a lack of in-house IT expertise and established best practices, making it difficult for agencies to hold cloud vendors to promises made earlier in the acquisition process.4

The security and accountability of cloud systems also continue to stand in the way of cloud adoption efforts. According to GAO, agency officials heading cloud programs report difficulties in keeping up with federal security requirements like those issued by the National Institute of Standards and Technology, which are updated regularly and apply to all third-party provided services.5

Unfortunately, accountability and auditing related to such requirements remains problematic, in part due to unclearly defined roles or lack of experience managing the aforementioned SLAs. A recent audit of the Healthcare.gov website found that a lack of coordination and defined oversight

between Centers for Medicare & Medicaid Services officials and contractor staff resulted in a number of security and privacy weaknesses across the program’s cloud-based architecture.6

In addition, although 82 percent of survey

respondents cite that the security of their agency’s cloud systems has either met or exceeded their initial expectations, they remain concerned about entrusting data to third party providers and

4

moving data offsite.7 _{An estimated 77 percent of}

current federal spending on cloud solutions in FY 2014 were private cloud deployments,8 _{which were}

likely chosen on account of the fact that agencies typically seek greater control over their systems’ security posture and often opt for services deployed on-premise. As a result, agencies have been

reluctant to leverage capabilities offered by public or hybrid cloud deployments, which currently comprise a significantly lower percentage of cloud

investments. The advantage of public and hybrid cloud rests on the ability to expand IT resources on demand to accommodate usage fluctuations, offsite backup, and data recovery features that often draw decision makers to consider cloud technologies to begin with.

Existing budget realities may also make federal technology leaders more reluctant to justify or consider cloud systems, even despite widespread support from employees to invest in such

technologies. Office of Management and Budget guidance directs agencies to continually assess what IT systems can be migrated to or made compatible with the cloud, “regardless of investment type or life cycle stage.” However, GAO reports show that agencies have only done so with about one-third of their legacy systems.9 _{Furthermore, out of the legacy}

systems that were considered for replacement or integration with cloud solutions in FY 2014, 64 percent were replaced by non-cloud services.10

GBC’s survey showed that 74 percent of respondents believe their agencies should prioritize spending toward adopting cloud services, even if legacy systems have not yet reached the end of their lifecycles. One respondent told GBC: “Executives do not understand the total cost of ownership for their systems. In the legacy environment, applications are subsidized to varying degrees. Many do not

understand the benefits of rapid elasticity, and our financial management system has not caught up with modern technology.”11

“EXECUTIVES DO NOT UNDERSTAND THE

TOTAL COST OF OWNERSHIP OF THEIR

SYSTEMS…MANY DO NOT UNDERSTAND

THE BENEFITS OF RAPID ELASTICITY, AND

OUR FINANCIAL MANAGEMENT SYSTEM

HAS NOT CAUGHT UP WITH MODERN

TECHNOLOGY.”

Within agencies that have already begun implementing cloud services, 77 percent of respondents agree that their agencies’ efforts in cloud adoption so far have been worth the cost.12

And even though 75 percent of respondents say cost savings from their agency’s cloud efforts have met or exceeded initial expectations, this has yet to translate into an uptick in investments.13 _These

findings may signal the existence of

communication, opinion, and execution gaps within government between IT decision makers and administration leadership or federal

employees at large.

Recommendations Moving Forward

As agencies look to overcome existing obstacles to cloud adoption, they can apply a number of recommendations affirmed from the results of the survey:

Actively invest in modernizing legacy systems

Although agencies may be hesitant to commit to new spending amid budget austerity, OMB officials, GAO researchers, administration leadership, and federal employees agree that the potential benefits and efficiency gains from cloud especially in the long-term are worth investing in programs that can make legacy systems

interoperable with newer, virtualized systems.

Take advantage of more flexible emerging deployment models

Beyond the more commonly known public and private cloud deployment models, which can force agencies to weigh security concerns against the

benefits of usage elasticity or flexibility, agencies are beginning to take advantage of hybrid deployment models. Hybrid cloud combines public and private cloud, which can help agencies avoid making difficult compromises between control, flexibility, and performance. This flexibility can include the ability to host and manage data and applications onsite or offsite, depending on varying levels of sensitivity or computing requirements.

Create and disseminate best practices for acquisition and vendor management

As agencies invest more heavily in cloud services, establishing baseline standards and best practices early in the procurement process can reduce conflicts during the migration process or buyers’ remorse later down the line. For instance, agencies with a large number of existing mission-critical legacy systems should prioritize vendors that have the capability and compatibility to integrate and provide continual support for a wide range of applications until these systems can be fully modernized.

Leverage FedRAMP

As the federal government’s program granting authority to operate (ATO) certification to cloud service providers, the Federal Risk and

Authorization Management Program allows

agencies to select from cloud service providers that

EVEN THOUGH 75 PERCENT SAY COST

SAVINGS FROM THEIR AGENCY’S CLOUD

EFFORTS HAVE MET OR EXCEEDED

INITIAL EXPECTATIONS, THIS HAS YET

TO TRANSLATE INTO AN UPTICK IN

INVESTMENT.

₄

Government Business Council (GBC), the research arm of Government Executive Media Group, is dedicated to advancing the business of government through analysis and insight. GBC partners with industry to share best practices with top government decision-makers, understanding the deep value inherent in industry’s experience engaging and supporting federal agencies.

About Carpathia and VMware

VMware, the global leader in virtualization and cloud infrastructure, and Carpathia, a trusted cloud operator and leading provider of cloud services and managed hosting for government agencies and enterprises, have partnered to deliver

VMware vCloud® Government Service provided by CarpathiaTM_.

This service is the only enterprise-class hybrid cloud service that delivers the tried and tested VMware capabilities that most government organizations are using today, with the added security and compliance assurance of FedRAMP authorization.

Learn more at www.carpathia/partner-solutions/vmware.com.

4

7

have already been preapproved to operate based on a set of baseline standards. Although operational for over two years, many agencies are only beginning to fully utilize the program, which hopes to improve the trustworthiness, consistency, and transparency of government cloud service providers. Agencies can benefit from pursuing cloud services through the program, which the General Services Administration estimates saves an average of $250,000 per

authorization and has cut the review process down to as fast as one week for some agencies.14

While the challenges standing in the way of more effective federal cloud implementation may seem daunting, cloud initiatives have the support of a wide range of stakeholders within government. Indeed, the experiences of early cloud adopters reveal that, if deployed carefully, cloud can help agencies achieve cost savings while improving performance and providing new capabilities. By applying the lessons learned from the past four years, agency IT decision makers now have the opportunity to help move cloud forward.

3. Government Business Council. “Lessons Learned in Federal Cloud Adoption.” December 2014. (Methodology: GBC deployed a survey to a random sample of Government Executive, Nextgov, and

Defense One online and print subscribers on November 6, 2014. This report features the responses of

respondents who indicated that their agencies have already deployed and/or are currently in the process of deploying cloud services. The pool of 235 federal leaders covers over 27 defense and civilian agencies, and includes those ranking GS-11 through -15 grade levels and members of the Senior

Executive Service. N-values vary by question, reflecting only the responses of those familiar with the subject matter.)

4. Government Business Council, 2014.

5. United States Government Accountability Office. "GAO12756: Information Technology Reform: Progress Made but Future Cloud Computing Efforts Should be Better Planned." July 2012.

http://www.gao.gov/products/GAO-12-756

6. United States Government Accountability Office. “GAO14730: Healthcare.gov: Actions Needed to Address Weaknesses in Information Security and Privacy Controls." September 2014.

http://www.gao.gov/products/GAO-14-730

7. Government Business Council, 2014.

8. IDC Government Insights. "Perspective: Growth and Slight Contraction – Government Cloud Spending by U.S. Federal Agency." July 2013. http://www.idc.com/getdoc.jsp?containerId=GI241746

9. Office of Management and Budget. "Guidance on Exhibits 53 and 300 Information Technology and EGovernment." 2012.

10. GAO14753, 2014.

11. Government Business Council, 2014. 12. Government Business Council, 2014. 13. Government Business Council, 2014.

14. General Services Administration FedRAMP. "Federal Risk and Authorization Management Program (FedRAMP) ISPAB Update." October 2014.

http://csrc.nist.gov/groups/SMA/ispab/documents/minutes/2014-10/oct22_fedramp_mgoodrich.pdf