October 24, 2018
Ms. Suzette Kent
Federal Chief Information Officer
Office of Management and Budget, Executive Office of the President
1650 Pennsylvania Avenue NW
Washington, DC 20502
Re: Amazon Web Services (AWS) Response to the Draft Federal Cloud Computing Strategy, “Cloud Smart”
Delivered via ofcio@omb.eop.gov
Ms. Kent:
Thank you for the opportunity to engage with you and your office and share our commercial sector best practices with our government customers and policymakers. At Amazon, we believe first and foremost in customer obsession, and we bring that same commitment to our government service. The potential for a strategic policy that envisions a modern government that prioritizes security and puts citizens and mission first is a very appealing and natural approach for us. We respectfully submit the following comments to the draft “Federal Cloud Computing Strategy” (“Cloud Smart”).
We believe that policy should be aspirational and provide proper incentives to help attain a vision and desired outcomes. We commend the inclusion of CIO Council Actions and believe that these initiatives will greatly reduce barriers to cloud adoption across government (e.g., TIC and FedRAMP reform). These actions correctly focus on security, procurement, and workforce challenges and tackle them head on and comprehensively, recognizing the interdependence of these key components. We welcome the opportunity to provide AWS' perspectives on implementing these actions in each of the follow-on activities. The draft policy's CIO Council Actions act as the incentives in the strategy, removing barriers and streamlining existing initiatives with centralized oversight. With that said, we recommend the Administration create a stronger vision articulating why the Cloud Smart strategy moves the federal government closer to achieving its objectives.
Fortunately, that vision already exists in the Report to the President on Federal IT Modernization (“the IT Modernization Report”). Directly aligning the Cloud Smart Strategy to the IT Modernization Report will rightly emphasize a clear vision for a modernized government that focuses on security and delivery of better citizen services. The IT Modernization Report's “Executive Summary” and the “Future State and Objectives” sections send a clear message to agencies by articulating why progress is critical to our nation's security and prosperity, and the Cloud Smart strategy can have that same impact if it also includes a vision for a modernized government with robust technology capabilities that support it.
We offer the following recommendations to the draft, and stand ready to clarify or assist so that they may be included in the final policy.
Introduction Narrative and I. Cloud at a Glance
Reaffirm the government's desire to move to the cloud through a description of intended future state and objectives aligned to the Report to the President on IT Modernization. AWS strongly supports the Administration’s commitment to bring more innovation into government, modernize federal IT systems, and help agencies leverage commercial technologies and best practices, including migration to commercial cloud infrastructure. By embracing commercial cloud, the government can deliver value in the form of faster, more efficient citizen services, enhance cybersecurity protections for our country’s most critical assets, and accelerate continued learning for current and future technology professionals. The Twenty Five Point Implementation Plan to Reform Federal Information Technology Management (25 Point Plan), the Federal Cloud Computing Policy (Cloud First), the Federal Information Technology Acquisition Reform Act, the Modernizing Government Technology Act, and the IT Modernization Report all encourage agencies to move to the cloud. Cloud Smart should build upon, not rescind, these policies to provide a consistent and comprehensive message to agencies that cloud offers significant advantages. OMB should consider actions that ensure agency modernization success, and pathways for “cloud native” applications.
Reaffirm the Administration's desire to leverage commercial technologies, specifically commercial cloud. The MGT Act and the Report to the President on Federal IT Modernization, initiatives championed by this Administration, encourage and direct agencies to move to commercial cloud. As these policies have accurately stated, commercial cloud offers unparalleled security, scalability, managed risk, and innovation at scale compared to on-premises or legacy systems. In order to accomplish the goals of the MGT Act and the Report to the President on Federal IT Modernization, Cloud Smart should reaffirm the Administration's desire to “bring the government to the cloud,” not “bring the cloud to government,” as outlined in the IT Modernization Report.
Recommit to the existing, industry-supported definition of cloud and promote mission-driven outcomes. We strongly support the NIST definition of cloud computing (Special Publication 800-145) and do not believe a new definition of cloud is necessary to achieve the perceived objectives of the draft policy (see the “(Re)-Defining Cloud Computing” section). We agree that the policy should direct agencies to use the procurement strategies that best meet their mission objectives. However, directing procurements based on specific models like “multi-cloud” or “hybrid” cloud may force agencies into acquiring services that do not meet mission outcomes, or add unnecessary operational complexities. We suggest removing references to multi-cloud and hybrid cloud throughout the document unless the other procurement and technology models are also equitably included.
Articulate the manner in which OMB and agencies will address risk reduction and measure progress. The draft strategy correctly focuses on critical areas for improvement, but the policy itself would be improved by more directly linking the activities OMB, GSA, the CIO Council, etc. are taking to measure mission and business outcomes, including risk reduction. Including key performance indicators (KPIs) will ensure the success of the agencies' ability to realize the full potential of cloud migrations and thus improve the effectiveness of the policy.
II. Security
Aid agencies' modernization efforts by developing a risk-assessment plan for comparing security resiliency between on-premises and commercial cloud workloads. The benefits of commercial cloud should be clearly communicated to agencies while they are evaluating migration and modernization efforts. The strategy should offer agencies a roadmap for moving to the cloud that includes an evaluation of the risks associated with keeping workloads on premises or in legacy systems. This risk assessment plan should apply to all federal workloads, with a priority on High Value Assets (HVAs).
Promote outcome-based security requirements. To better align to industry best practices in cloud security, we recommend removing terms like “driven by standards” and “controls” from this section of the document, and replacing them with outcome-based requirements. Controls-based security requirements inhibit the ability for commercial cloud providers to innovate on behalf of our customers and counter cybersecurity threats. Instead, we recommend the strategy focus on outcome-based requirements. This approach can also streamline programs with similar security objectives such as FedRAMP Continuous Monitoring and DHS's Continuous Diagnostics and Mitigation program.
Encourage TIC modernization to also apply to other government data flow control tools. Cloud Smart rightly discusses the need for TIC modernization, and we commend the activities designed to explore alternatives to the current model. We look forward to participating in CIO Council Action Four to discuss updating the current policy. We encourage the Cloud Smart initiatives to also cite similar ongoing efforts to adapt the Department of Defense Cloud Access Point (CAP) and Internet Access Point (IAP) programs for modernized network boundary security that can be applied consistently across the federal government based on information and system impact level.
Clarify that FedRAMP certification applies to all cloud-based services. We commend the activities in the CIO Council Actions related to FedRAMP modernization that emphasize the need for rapid federal-wide certification reciprocity, and look forward to participating in follow-on conversations to share our experience with the program and offer recommendations for modernization. We recommend the Security section of the draft correct the current language stating that the program only applies to large cloud providers, when it actually applies to all cloud-based services regardless of provider size.
III. Procurement
Encourage the use of cloud-based software catalogues to drive technological and procurement innovation. We commend the Administration's clear focus on identifying best-in-class procurement vehicles and best practices to aid agencies' ability to gain easier access to more secure services offered on the cloud. As part of the Cloud Smart strategy, agencies should also evaluate and rationalize the software portfolio that will be required both to conduct the migrations and to operate in a commercial cloud environment. In addition to data center and IT consolidation, FITARA directs agencies to modernize and optimize software-driven initiatives that can be accelerated with cloud services. OMB and GSA's directives on category management have the potential to change the way government buys software, revolutionizing a $6B a year economy. Category management initiatives have stated objectives to take advantage of government-wide volume discounts, reduce unnecessary software duplication, and increase software reporting transparency of existing agreements. This is where dynamic software service catalogues built natively on the cloud can help government maximize the benefits of category management.
Review contract terms and conditions that currently apply to commercial cloud contracts and identify ones that can be removed. To fully leverage commercial technology and rapidly deploy it in government, the Administration should continue its deregulatory agenda and apply it to cloud-based services acquisition, whether infrastructure or applications. In particular, OFCIO, OFPP, and the recommended cloud category team should identify and recommend the removal of unnecessary regulations for cloud procurements as part of the effort required by Section 836 of the John S. McCain National Defense Authorization Act for Fiscal Year 2019.
Partner with Congress to align fiscal law to the pace of innovation to accelerate modernization. One of the benefits of commercial cloud computing is the ability to pay only for the services that are consumed. Pay-as-you-go models offer government the opportunity to balance risk and cost and fail fast, which is a fundamentally different resourcing strategy than traditional government procurement models offer today, but one that is still perfectly allowable under the Federal Acquisition Regulation and existing law. AWS is a strong supporter of the implementation of the MGT Act because it provides agency leaders funding flexibility through the Technology Modernization Fund and the working capital funds. Traditional budget and appropriations processes should continue to explore and embrace new models of commerce.
IV. Workforce
Leverage commercial sector training tools and resources where possible. We wholeheartedly embrace the statement in the draft policy that reads, “It is incumbent upon Federal agencies to ensure that their current and future workforce is prepared to support Federal cloud environments.” The best way to do that is to provide federal employees direct access to the same training available to the commercial sector. For instance, programs offered in the private sector like AWS Educate, a cloud skills training and certification program offered to the public, could help government employees re-train and expand their current cloud knowledge. Instead of creating a new, government-unique curriculum, we encourage OMB to offer a variety of existing private sector training tools to employees across the government and remove any perceived or real barriers to sharing that content.
Position OMB as a centralized resource for employees across agencies. Employees appreciate opportunities for mobility and ways to accelerate their careers in both the private and public sectors. To enable government workforce mobility, the Cloud Smart strategy should centralize guidance for cloud workforce development. Agencies can and will provide individual guidance, but consistent application across government is critical for employee and modernization success.
Encourage participation in government/industry exchange programs. With the pace of industry-led innovation and impact-driven government missions, these programs allow employees from both sectors to share best practices, gain a better understanding of each other's information technology practices and challenges, and partner to address these challenges. The ultimate objective is to create partnerships that accelerate our nation's technological edge by offering employees career development opportunities across sectors.
We thank you for the opportunity to share our feedback with you on the draft policy, and are ready to assist in its continued development. Please do not hesitate to reach out with any questions.
Respectfully,
David Levy
Vice President, AWS Federal