GSA, Contractors on Cloud Computing Challenges, Successes and OpportunitiesMarch 6, 2012
The federal government’s move to the cloud is fact, not fad, and agencies and contractors are anxious to go further. However, challenges remain, and panelists and participants agreed at GovWin’s Virtual Roundtable Webinar: The Federal Government, Contractors & the Cloud: Challenges & Opportunities — while technology challenges exist, many significant hurdles come from culture and policy.
Federal Cloud Implementation: Where Are We?
Hosted by GovWin and led by Senior Community Manager Michael Hackmer, the event began with Stanley Kaczmarczyk, FAS/ITS Director of the Cloud Computing Service, General Services Administration (GSA), summarizing agencies’ current cloud projects. Of the 78 identified, approximately half involved software-as-a-service (SaaS) projects, with the remaining covering infrastructure platform work…
With agencies pursuing their own cloud solutions, Kaczmarczyk said that GSA was working hard to enable cloud projects with Blanket Purchase Agreements (BPAs) and contract vehicles to enable them to move in a timely and logical way, citing the three task orders active against the GSA’s infrastructure-as-a-service (IaaS) BPA, and the agency’s evaluation of email-as-a-service (EaaS), which expected in the spring.
With agencies anxious to implement cloud, working from their large pipeline of procurements in development or GSA’s offerings, Kaczmarczyk predicted that by this summer, "We should be seeing a lot of action in both the infrastructure and email-as-a-service vehicles."
Progress Led by Private Clouds
Kevin Plexico, Vice President, Federal Information Solutions, Deltek, characterized cloud efforts to date as "foundational." Beyond the need to identify security requirements and establish service level agreements (SLAs) for use throughout the government, he noted that there was enormous inertial resistance to cloud implementations, especially when looking at public cloud scenarios. He counseled observers to look at private cloud activity, predicting it will take another 12-18 months before many agencies really accelerate into the implementation phase.
George “Mel” Hurley, Director, Information Assurance Solutions, Wyle, agreed that movement into private clouds, being closer to what agencies know, were good stepping stones for agencies as they shift their paradigms, a sentiment with which Steven A. Coles, Vice President, Sales, VMware, concurred, noting that agencies tend to move initially to private clouds for more mission-critical applications, with non-mission critical applications moving to the public cloud.
The Business Case for Cloud
Cloud migration is accelerating, simply because the desire for cost savings is strong in the face of budget cuts. However, Russ Langford, Managing Director, EMC Consulting, cautioned that even though GSA’s efforts would allow agencies to make a trusted first step into the cloud via email, the biggest opportunities for cost savings lay beyond that. Agencies, he said, don’t have budget line items for "transformation to the cloud," making their challenge building the budget case for the up-front costs that would enable those savings over the next five years.
Kevin Plexico agreed, noting that agencies’ progress thus far has largely been in small, low-risk projects, whereas bigger projects would require more planning, standards and policies to allow major, multi-million or -billion dollar investments to move forward. However, he noted that cloud’s prospects remain strong, since even though, "Congress doesn’t pay attention to cloud — they pay attention to cost, and how you’re going to improve cost."
Mel Hurley pointed out that major policy changes, including cloud-friendly reference models in the rewritten federal enterprise architecture, should make it easier to fund cloud projects and demonstrates the serious, continuing commitment to cloud, to which Stan Kaczmarczyk agreed, noting that the business case for cloud is still very compelling, as the federal government recognizes it spends more on operations and maintenance of its legacy systems than does the private sector.
Security Challenges and Solutions
In a theme that would recur through out the session, Hurley pointed out the important cultural shifts needed to shift to the cloud, noting that cloud requires a change in how agencies and contractors "do" systems, versus how they do them in data centers.
A major factor is trust, and the standards are key in establishing trust. The most important standards, panelists agreed, relate to security, and the security standards in Federal Risk and Authorization Management Program (FedRAMP), according to Hurley, "allows trust across the board" that the services agencies share are equivalent to what they would do themselves. Implemented properly, "Inherently, cloud should be more secure," which requires securing and hardening components, as well as getting to the point where agencies know, "everytime somebody hits us, we know what they did to us. Then you can manage your risk from there."
Beyond standards, Langford said, agencies and contractors must understand the characteristics of an agency’s workload, such as the privacy requirements in the healthcare and finance realms, to be able to understand what they need from a trust perspective.
Defining the security challenge is multifold. Plexico noted that internet security is not fixed, and Kaczmarczyk said the security boundary needs to be defined, with SLAs on security, response plans and continuous monitoring programs, in addition to complying fully with the requirements of the Federal Information Security Management Act (FISMA).
Langford summed up by saying, "Trust equates to security plus compliance plus regulatory."
Private, Public and Community Clouds
Revisiting how agencies have adopted different cloud models, Langford found that agency CIOs look to private or hybrid clouds first, and then some government-to-government and community cloud services. Coles said that some agencies will develop their own clouds because they just "don’t want to share their rice bowls," though Kaczmarczyk felt that community cloud is a "sweet spot" for the government.
Coles said that many hurdles apply primarily to the public cloud, and agencies can still start moving internally to private clouds while policies and governance are developed. He stressed, though, that for agencies, "Standards are critical. The government needs to know that they should be able to get their information and data back. You can’t send something to Hotel California and not get your info and data back."
According to Kaczmarczyk, a philosophical debate continues at GSA and agencies looking at the cloud: Is cloud different enough to require more, cloud-specific vehicles, or do you continue to direct agencies to use existing vehicles like GSA Schedule 70 or governmentwide acquisition contracts (GWACs) like Alliant? He believes that, from a marketing standpoint, special vehicles are good, since people like the idea that they’ve pre-competed cloud solutions. However, he remains open to any and all possibilities, as long as agencies demand them and are educated about all the available options.
Plexico noted that the data reflects a wide range of vehicles in use, including GSA’s email via Alliant, Interior’s standalone Request for Proposals (RFP) for email-as-a-service, and Homeland Security’s EAGLE for private cloud work inside the agency. He believes that public cloud projects are leaning more toward standardized offerings with more structured pricing. Similarly, private and community cloud projects lend themselves to task orders under the vehicles currently held by the agencies’ established infrastructure providers.
Hurley felt that acquisition strategies for the private cloud have to also buy the ability for elasticity of the cloud, which the public cloud already owns. Regardless, he said, "vehicles must not take 18 months to get a petabyte of space."
Strategies for Contractors
For companies looking to work with agencies on cloud projects, some things, like understanding the customer’s needs, won’t change much from traditional service models. There are other parallels, seen by Kevin Plexico, between cloud development and the software service world, where implementing primes will partner with software providers (including Amazon, Salesforce and Microsoft) for the underlying technology. Cloud implementations still require configuration and training, akin to classical services. And as Kaczmarczyk noted, a lesson learned from infrastructure as a service is that agencies will often have to get migration services.
However, there are still many differences which require both agencies and contractors to adapt. Plexico also noted challenges in the acquisition process, returning to Interior’s experience with email, where a vendor protested after it felt it had been locked out by the requirements.
Hurley pointed out that cloud requires a set of shared responsibilities between government and contractors, where previously the domains were separated and well defined. The key, he said, is to understand just what is different.
Nothing Succeeds Like Success
Asked to provide examples of successful federal cloud projects, Kaczmarczyk reported that he was very happy with his GSA cloud-based email, saying "it’s worked remarkably well" and will save the agency 50 percent over the next five years. Russ Langford offered that NASA’s Nebula Cloud Computing Platform, which provides computing resources for analytics to the scientific community, and Steven Coles labeled the Department of Homeland Security’s public cloud efforts a success, along with the Department of Agriculture’s move from 26 email systems to one.
Overcoming Cultural Barriers
Offering advice on how to help organizations reorient their cultures to the cloud, Hurley said that security should be a modifier, not an inhibitor, to agency’s cloud adoption, which requires a change in thinking to risk management which can be phrased, "Is the need being met, in as secure a manner as possible?"
Coles counseled that progress moves in slow jumps that add over time, echoing statements by others that cloud is an iterative process, and while there may not be a rigidly defined goal line, success may be measured, according to Plexico, as where cloud efforts evolve to a point where the problems are substantially solved.
Langford urged technologists to "Really consider the tranformation from the as-is to the to-be, beyond the technical aspects."
In order to succeed, government has to understand the industry perspective through education and dialog, and both must truly analyze the work being done to determine the right cloud models.
Closing out the panel, Kaczmarczyk reiterated the GSA’s commitment to cloud and desire to work up front with industry as it works to improve the acquisition and IT security processes behind cloud, as well as improving the understanding of the technology, even as panelists agree that cloud solutions, already pervasive in people’s personal lives, will be used in ways that we can’t yet anticipate.