The unified voice of the internet economy / www.internetassociation.org
October 24, 2018
To: Ms. Suzette Kent
The Office of the Federal Chief Information Officer
Office of Management and Budget, Executive Office of the President
Internet Association Comments On The Draft Of Cloud Smart Strategy
Internet Association (IA) represents over 40 of the world’s leading internet companies and supports policies that
promote and enable internet innovation, including commercial cloud solutions. Our companies are global
leaders in the drive to develop lower cost, more secure, and resilient cloud services to customers in both the
private and public sectors. Internet Association welcomes the opportunity to provide input to the federal
government’s draft Cloud Smart Strategy.
We applaud the Federal Chief Information Officer’s effort to “streamline transformation and embrace modern
capabilities” in cloud solutions. In general, we support the vision that the U.S. government needs to evolve its
approach to information technology as part of day-to-day business at every agency. We agree that
“Modernization is an ongoing commitment that is not sustained with single intervention once every decade.
Rather, modernization is a constant state of change, and part of the day to day business of technology at every
agency.”
There are many good ideas included in the draft Cloud Smart Strategy, but the final goal of the effort and how it
fits into previous efforts is unclear. In particular, the absence of explicit support for commercial cloud in the
draft policy is concerning. IA member companies believe commercial cloud offerings provide the superior
affordability, flexibility, and security that is required by the federal government’s modernization efforts. We
encourage the government to revise the policy to specifically state the government will be moving to
commercial cloud and to link this goal to pre-existing modernization and commercial cloud efforts.
Without a clear direction to the agencies, the Office of Management and Budget (OMB) is missing an opportunity
to extend and build on the policies that have come before it, including the Twenty Five Point Implementation
Plan to Reform Federal Information Technology Management (25 Point Plan), the Federal Cloud Computing
Policy (Cloud First), the Federal Information Technology Acquisition Reform Act, the Modernizing Government
Technology (MGT) Act, and the Report to the President on Federal IT Modernization. All of these policies
promote commercial cloud as the vehicle for modernization and security. The absence of a clear preference for
commercial cloud may at the very least confuse, and at the worst, send a signal to many agencies that they do
not have to modernize their technology and move out of legacy and on-premise systems.
With that in mind, we also suggest that the final policy reference the NIST definition of cloud computing – a
widely accepted definition both in government and the private sector. There is no need for OMB to redefine
cloud, particularly when a comprehensive and accepted definition already exists. The inclusion of the NIST
definition would remove technology model bias from any final document (e.g., only mentioning hybrid and
multi-cloud models), and support the objective of not creating a “one-size-fits-all approach to IT
modernization.”
IA firmly believes that commercial cloud is the best option to consider in modernizing the federal government’s
information technology, taking consideration of the three key areas identified by the draft Cloud Smart Strategy:
security, procurement, and workforce. We strongly support the draft’s 22 CIO Council Actions because we
believe that they are designed and intended to remove barriers that exist today in federal commercial cloud
adoption and look forward to participating in their implementation. With this in mind and accompanying our
detailed comments below, we would like to work with the administration more closely on any policy proposals
arising from this effort. In particular, we encourage the federal government to provide a public notice and
comment period for the referenced 22 CIO Council Actions. Since most of the actions are already in progress,
timely and direct involvement from industry stakeholders is imperative. Internet Association would welcome a
meeting to discuss the 22 CIO Council Actions at the earliest convenience.
660 North Capitol St. NW, #200 • Washington, DC 20001 • www.internetassociation.org
Security
One of the most important statements made in the draft policy is that “current security strategy…must evolve
with the changing technology landscape.” Existing federal cyber security requirements were designed for the
on-premises, perimeter security model. Such standards do not translate well to the cloud-based,
defense-in-depth environment, and we agree with the strategy’s assertion that a risk-based approach will
require security and protections at other defense layers. We stand ready to work with the government to design
outcome-based solutions.
Commercial cloud services provide this modern approach to security as a matter of course. The federal
government could improve its security posture by leveraging these state-of-the-art services that, among other
things, can rapidly push security updates across the entire network quickly and seamlessly – from data to the
perimeter. The federal government needs to move to a risk-based approach focusing more on data sensitivity,
classification, labeling, and security mechanisms for data at rest, in transit, and during processing.
For the commercial cloud to operate normally and securely, it is important to create outcome-based, instead of
process-based, security requirements. Process-based requirements consistently fail to keep pace with
quickly-evolving cybersecurity threats and their innovative technical solutions. What’s more, it is important to
ensure that any new requirements do not have the unintended effect of locking-in outdated technology.
Outcome-based requirements have provided better longevity and flexibility as security needs change. We
recommend removing terms like “driven by standards” and “controls” from this section of the document and
replacing them with outcome-based solutions.
Trusted Internet Connections and Continuous Data Protection and Awareness: We agree that the legacy Trusted
Internet Connections (TIC) model with its limited number of physical gateways and the Continuous Diagnostics
and Mitigation (CDM) program are not well adapted to today’s mobile and cloud environments. We understand
and strongly support the need to dynamically protect data and provide network visibility. However, some of the
existing requirements come from an antiquated security design approach and are not adapted to leading
cloud-based defense-in-depth security architectures.
To this end, we are pleased the government will be updating the TIC policy. We recommend the government
establish clear guidelines permitting agencies to move away from the requirement to use physical network
gateways as long as the underlying security objectives of the TIC policy are met using the alternative
approaches.
Further, the government should make clear that, instead of expecting edge inspection of encrypted traffic to
offer adequate benefits to the agencies, they should leverage the embedded capabilities of commercial cloud
providers themselves for additional insights into access, traffic patterns, authorizations, and anomalies.
Commercial cloud vendors have massive sensor networks and artificial intelligence/machine learning powered
tools to watch for and protect from unwanted activity today using intelligence that simply cannot be located in
an edge-based network sensor. The insights from global enterprise commercial cloud providers and big data are
delivering unparalleled views into the evolving threat landscape with millions of unique threat indicators that
are collected worldwide. The government has the ability to tap into these sensor networks through APIs, log
sharing, and dashboards to vastly improve the security posture of agencies leveraging cloud services, well
beyond what TIC and CDM can deliver today.
FedRAMP: We recognize that the FedRAMP process has had its challenges. As a first of its kind program in the
world, it is expected that the process should evolve, especially given the evolving nature of cloud. As some of the
major users of FedRAMP, IA member companies would like to help further improve FedRAMP (e.g., further
streamlining and encouraging greater cross-leveraging of authorizations) and request that any modifications to that system
come through a public notice with an appropriate period for comment and consultation where industry and
other stakeholders can provide expertise and insights on how the program could evolve to keep pace with
expected technology trends and innovation.
Procurement
Internet Association fully recognizes the need for consistent government-wide guidance or best practice for
acquisition officials to use when moving to the commercial cloud. As mentioned in the draft strategy, the lack of
consistency “has forced agencies to search across multiple sources to gain a basic understanding of the various
types of cloud services sold in the commercial marketplace, the different offerings available on existing
government-wide contracts, and the best way to evaluate which approach is best for a given requirement.” In
practice, commercial cloud providers often find that there is a complete restart of sales, information, and
acquisition process from beginning to end when an agency is ready to move to the cloud. There appear to be
few, if any, economies of scale across government agencies, and no real system of information sharing among
agencies on these issues.
Indeed, in prior filings and in consultations with the government, we have urged the government to convene
cross-agency workshops to ensure consistent understanding of all existing cloud policy requirements for cloud
services. As such, we are pleased to see the Cloud Smart Strategy include similar and targeted
recommendations regarding more consistent best practices and government information sharing regarding the
acquisition of commercial cloud products. We are eager to work with the government to provide input as to
how this may best evolve and offer recommendations for “proven” best-in-class contract vehicles that exist
today and offer recommendations for new ones. We also ask that commercial cloud providers be included for
input when gathering best practices and that drafts of proposed updates to policies, guidance, rules, etc. be
posted for public comment before being released. Agencies should update their terms, policies, guidebooks,
and templates to current commercial cloud practices and have a practice to keep them up to date.
Additionally, we believe that Cloud Smart should include an action for the Office of Federal Procurement
Policy (OFPP) and the Office of the Federal Chief Information Officer (OFCIO) to undertake a review of the
terms and conditions applied to contracts for commercial cloud services and identify those that should be
removed. This is consistent with Section 839 of the FY19 NDAA, which requires the FAR Council to perform a
review of determinations not to exempt commercial item and services contracts from additional clauses, and to
review and recommend appropriate removal of contract clauses currently applicable to commercial item and
services contracts.
Finally, we believe the approach in the High Value Asset (HVA) memorandum should be rephrased to promote
HVA migration to the cloud, not discourage it. The current wording implies that the cloud is inherently risky,
which is untrue, particularly when compared to on-premise or legacy systems. HVA requirements should align
with commercial best practices and avoid government-unique terms. In addition, we recommend that
agencies complete a risk assessment between their on-premise solutions and a move to commercial cloud for
HVAs, as well as any other federal workloads. This will build upon the Cloud First policy and help agencies to
modernize by providing them with a roadmap for success.
Workforce
We understand that the federal information technology workforce is responsible for executing agency missions,
delivering services to the public, and securing our nation’s critical systems and information. We agree that
identifying the necessary skills and surveying for skills gaps is an important first step, and that reskilling and
retraining applies not just for IT staff but also for acquisition and finance staff as well as Business Decision
Makers (BDMs). We also concur with the draft strategy that, at present, federal agencies generally don’t have the
ability to provide all the needed technology training to their workforce. The draft strategy rightfully highlighted
that “migration to cloud technologies may reduce needs for information technology hardware management but
will likely increase the need for programming skills in the use of Infrastructure as Code” and that “agencies’
cloud strategies and policies should generally include a workforce development and planning component.” We
believe that, in implementing such a program, public-private sector collaboration will be critical.
As a first step to address this challenge, we agree with the strategy that the government should conduct a gap
analysis to identify both technical and non-technical skill and position gaps – both in assessment of the skill
level of the user community, as well as the skill level of acquiring procurement officers and CIOs. In addition,
agencies should make full use of trainings and skills workshops offered by the IT industry, particularly by
commercial cloud service providers, many of whom offer them for free or as part of their cloud services
agreements.
Internet Association and member companies are committed to working with agencies to address this skills
gap, and we also recommend that the Office of Management and Budget (OMB) and the Office of Personnel
Management (OPM) work together to identify government-wide programs and curriculum that enable federal
IT career success. For instance, OMB has the opportunity to lead on initiatives that encourage workforce
mobility across agencies.
In addition to reskilling and proactive recruiting plans, the Administration should do more to increase the
pipeline of those going into the IT field. The Administration should promote and invest even more in growing
the pipeline of necessary IT skilled workers by focusing on K-12 computer science education as being critical for
jobs, economic competitiveness, and national security.
In summary, Internet Association appreciates the opportunity to provide feedback on the draft Cloud Smart
Strategy, and would like to continue our support by seeking to collaborate to build technical capacities and
policy tools in preparation of implementation of the strategy. The government cannot modernize its IT
infrastructure without commercial clouds. We stand ready to collaborate with the Federal Chief Information
Officer to move the Cloud Smart agenda ahead.
Sincerely,
Melika Carroll
Senior Vice President, Global Government Affairs
Internet Association