Moving out smartly on cloud and modernization

Hopefully your summer reading list included the Office of Management and Budget's recently released Federal Cloud Computing Strategy, sub-titled "From Cloud First to Cloud Smart." Kudos are in order for Federal CIO Suzette Kent, Federal Deputy CIO Margie Graves and the rest of the OMB team for a (forgive the pun) smart policy that recognizes significant shifts in the market and refocuses federal agencies on priorities that will have direct mission benefit. And even if you didn't get to it while relaxing on the beach, it's worth reading now for its emphasis on new approaches for applications, security, procurement and the workforce -- efforts that will matter far more than past practices of counting data centers.

It's been nine years since OMB issued their Cloud First policy, which in internet time is essentially forever! While initial efforts to move to infrastructure-as-a-service were a good first step, they were just the opening ante on the value proposition of the cloud. Fortunately, the new Cloud Smart policy recognizes that mission outcomes matter most, and I'm excited by a number of ideas in the policy.

First, there's the focus on application rationalization. Even if progress has been made in moving to the cloud, there are still thousands of legacy systems and applications at federal agencies to be addressed. The term of art is "application rationalization" -- recognizing that while every legacy application doesn't need to be tossed out, without a focused plan to address all of these systems, agencies will still have IT budgets skewed to sustaining the old rather than implementing the new. And with the opportunity to now buy "applications as a service," agencies can further optimize performance and manage costs by dynamically managing allocation of machine resources, with pricing based on actual amount of resources consumed by an application when in use.

Merely counting data center reductions doesn't ensure improved outcomes, nor, depending on the size of the facility closed, necessarily result in significant savings. IT Modernization is so much more than infrastructure-as-a-service, and a relentless focus on which legacy applications must be retired, replaced or refreshed is a key focus of the Cloud Smart policy.

Just as compelling as the case for IT modernization is the cybersecurity imperative. The OMB policy highlights the changing nature of cybersecurity in a world where more services are provided by the private sector. As an example, Trusted Internet Connections (TIC) was a great initiative when then-Federal CIO Karen Evans and I championed it over a decade ago. Agencies with thousands of Internet access points and no monitoring were just asking for trouble. However, in a world where off-premise cloud solutions are becoming more the norm, this enclave-based security model was due for a significant overhaul to help encourage cloud adoption rather than serve as a knothole to be overcome.

Even more important is the policy's focus on data layer security. A new area of thought that deserves our attention is Zero Trust Networks. In the era of cloud, rather than focusing security on the perimeter of a network (and allowing open access to those within the network), zero trust presumes no one in the network can be trusted and focuses on strong identity management, continuous authentication and authorization, and data level security. This approach is needed to move from risk aversion to risk management, as well as to accelerate rather than impede the adoption of commercial best practices. If you'd like to read more about zero trust, check out the recent report on Zero Trust Cybersecurity Current Trends that was developed by federal and industry cybersecurity leaders at the request of the Federal CIO Council and is available on the ACT-IAC website.

The cloud smart policy also offers insights on procurement and the workforce. Just as cybersecurity efforts are adopting a risk-based approach, our acquisition efforts must similarly move away from approaches that are imagined to minimize risk but that in reality stifle innovation and speed to market. It's not new news, but it is worth repeating that there are flexibilities in the FAR not taken advantage of often enough, and that service level agreements are crucial, when focused on the smaller set of outcome-based measures that matter.

Finally, issues around reskilling our existing workforce and being an employer of choice in attracting and retaining the workforce of the future must be faced as the "future of work" will be radically different in a world of artificial intelligence, big data and 5G.

To paraphrase a quote often attributed to John Wayne, IT modernization is tough, and it's tougher if you're stupid. The Cloud Smart policy offers some thoughtful ideas on moving away from counting boxes to measuring meaningful results.