ombegov / cloud.cio.gov

Federal Cloud Computing Strategy Website

Public comment from ITAPS #33

Open OMBPublicComments opened 5 years ago

OMBPublicComments commented 5 years ago

IT Alliance for Public Sector | 1101 K St. NW, Suite 610 | Washington, DC 20005 | Follow us on Twitter @ITAlliancePS | Learn more at itaps.itic.org

October 24, 2018

Ms. Suzette Kuhlow Kent
Administrator and Federal Chief Information Officer
Office of E-Government and Information Technology
Office of Management and Budget
Executive Office of the President
1650 Pennsylvania Avenue, NW
Washington, DC 20502

Dear Ms. Kent:

On behalf of the leading providers of information and communications technology (ICT) hardware, software, services, and solutions to the public sector that are members of the IT Alliance for Public Sector (ITAPS),[1] we appreciate the opportunity to provide comments on the draft 2018 Federal Cloud Computing Strategy known as “Cloud Smart.” Cloud computing technology and options have evolved significantly since “Cloud First” was introduced nearly a decade ago, and agencies are now realizing the optimal value that is realized from agency-wide digital transformation versus a simple re-platforming to cloud. ITAPS shares the Administration’s interest in modernizing government information technology through adopting cloud and other innovative technologies that will enhance government services, increase security, and improve federal efficiency. We commend OMB’s focus on security, procurement, and workforce and the accompanying twenty-two CIO Council Actions. However, we believe that the strategy can be much improved by aligning the message that the narrative portion of the draft strategy will send to agencies with the actions themselves. We believe that the current narrative is disconnected from those actions and offer recommendations below for how to create a more consistent message to agencies that emphasizes the drive towards modernization.

I. Cloud at a Glance

We believe that Cloud Smart can be improved by articulating a strong vision statement including the mission and business outcomes which OMB believes agencies can achieve through cloud adoption, and the manner in which OMB and the agencies can measure progress in achieving those outcomes. The areas OMB focuses on in this policy (security, procurement, and workforce) are critical, but the policy narrative would ultimately be more effective if it were linked to activities OMB, GSA, the CIO Council, etc. are taking to measure mission and business outcomes. We also recommend connecting Cloud Smart directly to the President’s Management Agenda, the Report to the President on Federal IT Modernization, and the MGT Act. The Report to the President on Federal IT Modernization is a ready-built vision statement that will send a clear and consistent message to agencies.

Also, while we appreciate efforts to update existing policies to bring them more in line with today’s technology, we believe that the draft does not accurately characterize Cloud First. Cloud First created a vision and reason for agencies to move to the Cloud, but it did not mandate that movement. The only thing it mandated was an evaluation of off-premise solutions when ones existed. Rescinding or dismissing that policy as ineffective could put federal modernization back decades. Instead, we recommend building on that policy, in addition to FITARA, the MGT Act, and especially the Report to the President on Federal IT Modernization, to avoid sending mixed messages to the agencies. If OMB wants agencies to move to cloud expeditiously for optimally suited workloads, we recommend that they state it plainly in Cloud Smart.

Re-defining Cloud Computing

We are concerned about the draft policy’s suggestion about redefining cloud. There is no need for the government to be redefining cloud, as the NIST definition of cloud already exists and is widely accepted by industry both domestically and internationally. We also recommend consistency with the Report to the President on Federal IT Modernization: move government to the cloud, not move cloud to government.

Modernization and Maturity

We welcome OMB’s acknowledgement that cloud migration is a journey and that, along that pathway, different solutions may make sense at different points in time. However, there is very little guidance provided in Cloud Smart about the importance of an agency creating a strategy or plan for its cloud adoption. Cloud transformation should not be just about moving applications to a different environment. Instead, government should use cloud implementations to digitally transform processes, including the way that agency employees, citizens, other agencies, industry, and other governments interact. Cloud technology adoption requires that agencies prioritize mission, migration planning, sustainment, and organizational maturity to realize the full benefit of these services, including implementing security into the lifecycle processes of cloud, app migration, application development, etc. For example, if certain legacy applications are too difficult or expensive to “lift and shift,” an agency may consider whether other options, like modernizing the application (e.g., deploying in containers) while on-prem, make sense in the near term. At the same time, OMB should provide a clear statement in Cloud Smart of the need to continually migrate towards commercial cloud services, even if early steps cannot take the agency there. Agencies need to move to commercial clouds, but their evaluation and adoption process needs to be overhauled. Certified systems should just be accepted without everyone doing their own review, asking the same questions or (sometimes) expecting to be part of the review and approval process for assertion changes. Without such a clear direction, OMB will likely be viewed as pulling back from cloud and modernization efforts. This is not what we believe OMB wants to do given this Administration’s position on commercial cloud with the passage of the MGT Act as well as with the Report to the President on Federal IT Modernization.

II. Security

We request that private industry be included for input when gathering best practices and that drafts of proposed updates to policies, guidance, rules, etc. be posted for public comment before being released. We also recommend that the Administration should continue to switch to focusing on objectives and outcomes over processes and procedures.

Trusted Internet Connection (TIC)

We support the Administration’s commitment to reform the Trusted Internet Connections policy to enable modernization. The TIC has stifled agencies’ cloud modernization efforts and is no longer feasible. Current program architecture provides inadequate capability for network infrastructure security. These programs must also incorporate new security technology evolutions and the flexibility to identify, test and adopt those innovations. Without such policy upgrades, modernization cannot happen. The Administration should move away from the kind of perimeter-based security approach that TIC represents. In so doing, OMB appropriately signals that it will be key to identify security outcomes that should be met by TIC alternatives rather than prescribing new processes that will -- just like the existing TIC policy -- become quickly obsolete. OMB and DHS should also ensure that TIC outcomes are not defined in a way that favors certain providers’ solutions over others.

The legacy TIC model emphasizes perimeter-based network security protections and does not account for today’s mobile and cloud environment. Antiquated perimeters have given way to a zero-trust model of security enforcement points within and throughout modernized infrastructure down to the endpoint. Agencies should leverage first the monitoring tools included by cloud providers. Instead of expecting edge inspection of encrypted traffic to offer an adequate benefit to the agencies, the government should leverage the embedded capabilities of the cloud providers themselves for additional insights into access, traffic patterns, authorizations, and anomalies. Cloud vendors have massive sensor networks and Artificial Intelligence/Machine Learning-powered tools to watch for and protect against unwanted activity today using intelligence that simply cannot be centrally located in an edge-based network sensor. The insights from the global enterprise cloud providers and big data are delivering unparalleled views into the evolving threat landscape with millions of unique threat indicators that are collected worldwide. At the same time, Cloud Smart should recognize that cloud vendors are typically responsible solely for the security of their cloud infrastructure, while data owners must continue to implement security tools across all environments, including networks, endpoints, on-premise data centers, multi-cloud infrastructure, and within a single public or private cloud service provider. Accounting for this shared responsibility means including security requirements and resources for both data owners and cloud providers in cloud deployments, which provides needed clarity for all. Security requirements that promote seamless integration are particularly important in multi-cloud deployments. The government can tap into a variety of these sensor networks through APIs, log sharing, and dashboards to vastly improve the security posture of agencies leveraging cloud services, well beyond what TIC and CDM can deliver today. Otherwise, this legacy approach could stifle innovation – there’s more than one way to solve TIC. We look forward to providing more detailed input into the new TIC policy’s development over the next few months.

Continuous Data Protection and Awareness

OMB can and should provide guidance to agencies that lack financial and personnel resources. While there are some circumstances in which prescriptive guidance hinders agencies’ efforts, for some agencies that lack the financial and personnel resources to move forward, some amount of guidance is necessary and will be essential for these agencies to achieve the Cloud Smart goals. By stating that “each agency should determine its own governance model for cloud-hosted data that aligns with their identity and credential management systems,” the field created is too wide open and slows down the process, as agencies have to get smart on governance models and then go about implementing instead of having a solid proven set of guidelines to begin their process.

FedRAMP

We commend the draft policy’s commitment to modernizing the FedRAMP program – something industry has long called for. We welcome OMB’s signal that the program has to be made less complex and more risk-based in order to grow the marketplace for cloud offerings. There are several areas where improvements could be made. For example, the requirements could be reoriented to be more outcome- and risk-based, given the pace at which technology advances. We request ample opportunity to provide industry’s input into the reform efforts to ensure that changes to the program are fully understood and can be effectively implemented. The FedRAMP and ATO processes must continue to be streamlined and made more efficient, such as by encouraging greater cross-leveraging. The accreditation process must be sped up. Additionally, we recommend removing the word “large” from the section, as FedRAMP does not have size requirements, and changing “providers” to “services,” since the program certifies individual services and not just cloud service providers. In addition, we suggest removing or better articulating what is meant by “common criteria.” Common criteria have a specific meaning in the security industry and we do not believe that it is OMB’s intention. We are not sure what is meant by this and would recommend adding FIPS 140-2 as another broken process that should be addressed during FedRAMP modernization. While there is active work to improve FIPS 140, it should be included in the FedRAMP review process.

Additionally, OMB needs specific guidance for defining system accreditation. Currently, accreditation boundaries for systems in the cloud are not codified and are slowing down ATOs and go-live dates, adding complexity, and increasing costs. Some agencies believe they need to include elements and controls that are outside their boundary and turn SaaS into IaaS or force a private cloud when a public one would be more quickly achieved and much more economical. Further defining with specific guidance where the boundaries should be drawn would help many of these situations. OMB needs to provide guidance to agencies on how to handle spillage and cyber responses within cloud-based systems; this would help those agencies struggling to migrate and accelerate their cloud adoption. For instance, the spillage guidance needs to address where sensitive information (e.g. classified information, export-controlled information) is inadvertently placed on information systems that are not authorized to process such information on cloud-based systems. Some agencies do not move to the cloud because their cyber response procedures do not align to cloud-based systems. Instead of updating those procedures, agencies may keep systems on premise much longer than warranted simply because it checks a compliance box. That kind of thinking is short-sighted, and OMB has an opportunity with Cloud Smart to help set the guidelines and expectations for agencies to prioritize security over compliance.

Action 7 calls for OMB and GSA to: 1) expedite authorization of low-risk SaaS offerings through the effective implementation of FedRAMP Tailored; and 2) work to revise FedRAMP and FedRAMP Tailored as necessary to expand adoption. We favor expanding the baseline to a mix of Low and Moderate impact offerings (e.g., Low-Moderate-Moderate rather than just Low-Low-Low for confidentiality, integrity and availability (C-I-A)) to enable many more use cases.

III. Procurement

Access to commercial cloud computing is attractive to federal agencies because it can quickly deliver modern IT capability, improve the delivery of constituent services, provide on-demand access to a shared pool of scalable computing resources, consolidate the need for capital expenditures for data centers, reduce duplicative systems, and provide enterprise-level security. Commercial cloud offers government an opportunity to get closer to commercial buying practices in a way that legacy technology simply could not offer in decades past. The pay-as-you-go model with rapid application and service enhancement constantly provides government access to new tools and services. We believe government should get the best value for taxpayer dollars, and commercial best practices can offer a window into a more streamlined procurement process aligned to the technology it seeks to procure. We also recommend that OMB update procurement rules to enable new security solutions to be plugged into cloud environments on a rapid basis. As more security is managed by the cloud and as new updates become available, it is vital to ensure contracting officials have the ability to provide mission owners with effective, innovative tools. This includes utilizing existing operational test-beds in defense and civilian agencies to ensure tools are effective, rather than relying on outdated sheets, and holding agency heads accountable for enterprise-wide security as directed in EO 13800. Ultimately, the risk structure for contract officers must better map to enterprise risk, incentivizing effective performance rather than minimizing protest risk, which often leads to less effective lowest-cost, technically acceptable bids. Updating this risk calculus starts at the top by reinforcing agency head accountability. Furthermore, we request that private industry be included for input when gathering best practices and that drafts of proposed updates to policies, guidance, rules, etc. be posted for public comment before being released.

Additionally, OMB needs to clarify when different impact levels are required. Agencies often spend more money than they need to by contracting for higher impact levels (IL) than is warranted. Guidelines around when and if IL High is needed versus IL Moderate would avoid agencies incurring costs associated with High when Moderate is more appropriate.

Category Management

We welcome the government’s interest in leveraging its buying power through category management initiatives, but we suggest more dialogue with industry to determine which contract vehicles exist today, and perhaps what new ones will need to be created in the future, that will be considered “proven.” Commercial cloud offers agencies the ability to embrace new models of doing business that could apply beyond infrastructure to cloud-based services like software (and perhaps aid implementation of the MEGABYTE Act). Our members would also like clarification on how the proposed category risk management is different from the GSA’s Cloud SIN.

Service Level Agreements

OMB needs to develop and issue guidance for renewing commercial service level agreements. Agencies need actual guidance on evaluating, and negotiating if needed, commercial service level agreements (SLAs) with standardized, common language, so each agency isn’t reinventing the wheel and asking for very expensive and/or unachievable targets – often the government SLAs are written by non-technical contracting personnel and are either unachievable or very expensive. Guidelines on SLAs common with cloud providers that are cost-reasonable would help keep agency costs down and therefore speed up adoption. Section 839 of the FY2019 NDAA requires the FAR Council to perform a review of determinations not to exempt commercial item and service contracts from additional clauses, and to review contract clauses currently applicable to commercial item and service contracts and make recommendations on those that should be removed. We recommend that, as part of this policy, in advance of the one-year deadline, OFPP and OFCIO specifically undertake a review of the terms and conditions applied to contracts for cloud services and identify those that should be removed.

Security Requirements for Contracts

We recommend that a risk assessment be included as guidance in these actions. This section reads that agencies should be very careful before moving HVA to the cloud, but we do not believe that that is the Administration’s intention (see Report to the President on Federal IT Modernization). In fact, a risk assessment between on-premise and commercial cloud solutions should be the starting point to determine HVA, and frankly all federal workload, migrations.

IV. Workforce

We commend the government for exploring the ways that government and industry can work together to address the skills gap. To that end, the inventory that the draft Cloud Smart report proposes will be critical to identifying exactly what kind of skilling needs there are and what kinds of remedial efforts could be most effective. Conducting an analysis of best practices to date would also be helpful. The section of the draft appears to leave the workforce development plan up to agencies, but we recommend a governmentwide approach, which may be better for workforce mobility and consistency of applied practices. We recommend that OMB and OPM work together to lead on initiatives that encourage career mobility across government and between sectors. Identifying necessary skills and surveying for skills gaps is an important first step; and we also agree reskilling and retraining applies not just to IT staff but also to acquisition and finance staff as well as business decision makers/mission leaders. Agencies should make full use of trainings and skills workshops offered by the IT industry, particularly by cloud service providers, many of whom offer them for free or as part of a cloud agreement. Training needs to be ongoing annual training with certification and recertification, as technology and acquisition needs will change rapidly. The Administration should also promote and invest more in growing the pipeline of necessary IT-skilled workers by focusing on K-12 computer science education as being critical for jobs, economic competitiveness, and national security.

Thank you again for requesting our input on these important matters, and for your consideration of our comments. Should you have questions, please contact Pamela Richardson Walker at pwalker@itic.org.

Respectfully submitted,

A.R. "Trey" Hodgkins, III, CAE
Senior Vice President, Public Sector

[1] About ITAPS. ITAPS, a division of the Information Technology Industry Council (ITI), is an alliance of leading technology companies building and integrating the latest innovative technologies for the public-sector market. With a focus on the federal, state, and local levels of government, as well as on educational institutions, ITAPS advocates for improved procurement policies and practices, while identifying business development opportunities and sharing market intelligence with our industry participants. Visit itaps.itic.org to learn more. Follow us on Twitter @ITAlliancePS.

johnaweiler commented 5 years ago

We at the IT-AAC support and endorse the ITAPS recommendations.