TSA’s Cloud Future Will Be A Hybrid of Agency-Approved Services


The agency released its Cloud Strategy 2.0, which calls for a mix of public and private cloud, but only from vendors pre-cleared by TSA.

As TSA makes its move to the cloud, the agency released its Cloud Strategy 2.0, an amalgam of policies from two administrations: the Obama-era Cloud First for all new IT applications and the Trump administration’s Cloud Smart for existing systems.

TSA’s cloud future will be hybrid, including a mix of commercial clouds and on-premise, agency-managed private clouds, according to the document. These environments will be linked together, with sensitive data stored in TSA-managed clouds while transactional data is kept in commercial environments, along with the associated apps.

The strategy outlines several principles for TSA’s cloud adoption, including: build a culture of experimentation and innovation, employ a software-as-a-service first model, systematically retire or replace legacy applications, enable a mobile workforce and more efficiently and effectively manage TSA data.

But the most significant principle requires TSA programs to only purchase agency-approved cloud services.

“TSA-approved cloud services are the only options IT will consider for any new software solutions, or when evaluating alternatives or revisions to current software solutions,” the document states.

This principle seems to be a deviation from the Homeland Security Department’s broader IT acquisition strategy, dubbed EAGLE Next Gen, which calls on components to avoid unique contracts and purchase from governmentwide acquisition contracts, or GWACs, such as those managed by the General Services Administration and National Institutes of Health. While the Next Gen strategy pushes components toward existing vehicles, it also acknowledges that some will have unique requirements that call for a separate contract.

Per TSA’s Cloud Strategy 2.0, the agency will go its own way on cloud services, though that could still mean using GWACs or other existing vehicles. The document does not provide details on TSA’s preferred procurement strategies.

In order to be cleared by TSA, a cloud product must meet three criteria:

  • Its security posture must be certified by the Federal Risk and Authorization Management Program, or FedRAMP.
  • It must have an open architecture in order to avoid lock-in to a closed set of vendors.
  • It must be capable of integrating with multiple clouds, platforms and infrastructures.

The implementation of this strategy will be led by TSA’s Digital Services Team, established in 2018 to lead such efforts. That team will also be supported by a new Cloud Team, which will “serve as a permanent operational and governing body that directs and guides all aspects of TSA cloud programs, from first implementation through ongoing operations, thereby serving as TSA's ‘cloud center of excellence,’” according to the strategy.

The strategy also calls for TSA to improve its IT workforce, including identifying gaps, making it easier to hire top talent and improving training and reskilling opportunities for current employees.

While TSA labeled a FedBizOpps post as a request for information, it is really more about informing industry of the agency’s intentions going forward.

“TSA encourages our industry partners to review this publication and consider the philosophies that are discussed herein when responding to future requirements that support the agency's cloud strategy,” the notice states.

The agency is not asking for any feedback on the strategy at this time.

TSA isn’t the only part of the Homeland Security Department moving further into the cloud. The department is preparing to shift its massive biometric database into the cloud and the Customs and Border Protection agency is looking for a vendor to help manage its move to a multi-cloud environment. These are just a few examples of Homeland Security’s wholesale move to the cloud, led by the department’s new Cloud Steering Group.