ombegov / cloud.cio.gov

Federal Cloud Computing Strategy Website

Public comment from The Alliance for Digital Innovation #39

Open OMBPublicComments opened 5 years ago

OMBPublicComments commented 5 years ago

Comments on Cloud Smart Policy

October 24, 2018

Ms. Suzette Kent, Federal Chief Information Officer
Office of Management and Budget
Executive Office of the President

Jonathan Alboum, CTO, Public Sector, Veritas
Imran Akram, CEO, NuAxis Innovations
Keith Alexander, Founder and CEO, IronNet Cybersecurity
Craig Atkinson, CEO, JHC Technology, Inc.
Teresa Carlson, VP of Worldwide Public Sector, Amazon Web Services
Casey Coleman, SVP, Government Solutions, Salesforce
Gary DePreta, Area VP, Defense, Intelligence and Aerospace, Splunk
Tiffanny Gates, President and CEO, Novetta
Ryan Gillis, VP, Cybersecurity Strategy & Global Policy, Palo Alto Networks
Steve Kovac, VP of Global Government and Compliance, ZScaler
Aaron Newman, Founder and CEO, CloudCheckr
Luanne Pavco, General Manager, Slalom Consulting
Jeff Powell, CEO, Strongbridge
Bill Rowen, VP, Federal Sales, VMware
Mark Testoni, President and CEO, SAP NS2
Sri Vasireddy, Managing Partner, REAN Cloud
Doug Wolfe, Founder and CEO, BlackLynx
John B. Wood, CEO and Chairman, Telos Corporation

Re: Alliance for Digital Innovation (ADI) comments on the draft Cloud Smart policy

Dear Ms. Kent:

On behalf of the Alliance for Digital Innovation (ADI), thank you for the opportunity to comment upon the recent issuance of the draft Cloud Smart policy. We commend OMB for its continuing commitment to improving the safety, security, and capability of digital government services.

Who we are

ADI is a coalition of cloud-native companies who are committed to modernizing government, improving security, and delivering digital services to citizens through commercial innovation. Our members include large, medium, and small companies focused on commercial solutions to the most intractable problems of government IT. Our members possess strong technical skills and IT expertise that reflect a broad swathe of capabilities within the tech community. We are driven by the belief that commercial innovation is the quickest and most efficient means by which government can deliver 21st Century digital services to the American people.

Our views on Cloud Smart

ADI appreciates OMB’s revitalization of the original Cloud First policy. Cloud First had lost significant momentum in terms of agency implementation early on, so we commend the new focus upon “getting cloud right” within the federal government. However, we strongly caution against any repeal of Cloud First. OMB and Cloud Smart can play a critical role in implementing and achieving the goals originally laid out in Cloud First, and we believe Cloud Smart should build upon those goals. They are still relevant and desirable today, but with even higher stakes for security and reliability.

We strongly support OMB’s renewed emphasis of the role of cloud-based technologies - a view that encompasses the true potential of an all-digital government and an enhanced citizen customer experience, while continuing the essential focus upon cybersecurity. This renewed focus requires that government agencies open up to commercial services and commercial innovations - and Cloud Smart should strongly say so.
The final Cloud Smart policy should acknowledge that the weight and momentum of IT innovation has shifted from government to the commercial sector. Research and development are now done primarily in the private sector, and if government truly wants access to the latest capabilities in providing digital government, it must foster directive policies that accelerate government’s adoption and deployment of commercial innovation. ADI strongly recommends that the final policy emphasize the need for commercial cloud to achieve the Administration’s IT modernization goals set out in the Report to the President on Federal IT Modernization.

It would also be helpful if OMB defined for agencies what a desired “cloud endstate” should look like within government. Calls for platform and technology neutrality seem to have taken precedence over cloud-native development, a policy strategy which has been championed in the United Kingdom. The vision for the final Cloud Smart policy should align directly with the stated goals and objectives of the Report to the President on IT Modernization. Such an alignment would bring the draft Cloud Smart policy and the IT Modernization Report closer together and offer agencies a consistent message from the Administration on expectations.

In addition, the first section of the draft Cloud Smart policy could be viewed by federal agencies as “taking the foot off the gas” regarding the need for agencies to drive timely cloud migrations throughout government. The Cloud Smart narrative suggests that moving to cloud is risky, but with no basis for comparison to the alternative. In fact, just the opposite is likely to occur. Cybersecurity concerns are significantly ameliorated with commercial cloud solutions. Commercial cloud providers outspend government by multiples in their efforts to secure cloud platforms.
Those investments provide strong cybersecurity for cloud infrastructure, while recognizing that data owners must continue to implement security tools across all environments (integrating networks, endpoints, on-premise data centers, and cloud infrastructure). Accounting for this shared responsibility provides a holistic security foundation and provides additional clarity in cloud deployment actions.

Cloud Smart should include steps OMB will take to share important and stretch goals for agency adoption of commercial cloud and key metrics for evaluation. It should also include a recommended risk-assessment plan that agencies can adopt to compare risk between staying on premise and moving to commercial cloud. NIST defines many of the key characteristics of cloud computing technology, and the ability for the government to buy just what it needs, just when it needs it, is a key value of cloud-based modernization.

We also believe that the heading in the draft policy, “(Re)Defining Cloud Computing” is unnecessary, confusing, and should be removed. NIST’s definition of cloud computing sufficiently covers various cloud models and attributes.

In conclusion, ADI recommends that this first section of the draft Cloud Smart policy emphasize and describe the need for agencies to accelerate their cloud migrations through the embrace of commercial innovation and commercial services. A detailed “end-state” of cloud enabled digital services leveraging commercial technologies should be articulated in the final policy to stem the loss of agency momentum and deviations from the intent of the Cloud First policy.

ADI Comments on Security:

The security section of the proposed policy is focused on three primary programs – TIC, CDM and FedRAMP. ADI concurs that each of these three programs needs significant modernization. Not only does current program architecture advantage legacy vendors, it provides inadequate capability for network infrastructure security.
Forward movement on these programs must account for new technology evolutions and include flexibility to drive innovation.

Regarding the TIC program, new commercial technologies widely used in the private sector have leapfrogged the 10-year-old approach set forth by the current TIC architecture. The Cloud Smart policy correctly reinforces alternatives to the 2007 TIC policy, which are currently being piloted at numerous federal agencies. ADI supports this refocus - the original TIC policy was formulated many years ago and proposes a perimeter-based philosophy of cybersecurity that may have made sense when issued, but now is basically obsolete. The new reality is that antiquated perimeters have given way to a zero-trust model of security enforcement points within and throughout modernized infrastructure down to the endpoint. ADI strongly supports the deployment of commercial cloud monitoring tools and capabilities and the Cloud Smart policy is correct in addressing these.

CDM is an important program that will greatly enhance existing network scrutiny and protection. While the program, in our view, began with a rocky start, more recent program reforms and new contract vehicles have brought the program to a better foundation going forward.

ADI comments on Procurement:

The draft Cloud Smart strategy encourages agencies to use a variety of approaches to leverage the federal government’s strengths in bulk purchasing power, including category management to improve buying practices that support the Cloud Smart strategy, increase adoption of proven cloud contract vehicles and lead to the development of new vehicles to address emerging demands. We support these objectives and look forward to opportunities to share our perceptions of best practices across government. The development of Commercial Solutions Offering and the work of the DHS Procurement Innovation Lab stand as forward-leaning and innovative approaches to acquire technology at the speed of innovation.
In addition, incentives for contract officials should better align to mission need, by focusing on quickly putting the best performing tools in the hands of mission operators. Operational testing is a strong approach to ensuring effective security deployments and provides agency heads (accountable for enterprise security under EO 13800) with confidence in their toolset. These approaches should be scaled and expanded to all federal agencies to accelerate cloud deployment.

ADI comments on Workforce:

ADI commends OMB in focusing upon these critical workforce and upskilling issues. We support the recently announced GEAR initiative and the many individual actions that are tasking agencies to focus upon these areas. We also note the recent comments by new OPM Administrator Margaret Weichert in her announcement to drive special temporary hiring authorities for IT professionals. We believe that this is a good first step to address the “skills gap” that is a consistent issue for government and a key challenge to solving our cybersecurity challenges. ADI members welcome the continued opportunity to meet with government workforce officials to describe their own IT workforce training, and we look forward to sharing best practices with them.

Conclusion

The draft Cloud Smart policy has the potential to be the foundational cloud policy document to guide the current Administration’s IT modernization goals if it builds on past policies and aligns to the Administration’s stance on IT modernization and commercial cloud. We believe that the CIO Council Action will significantly aid progress to this end, but we strongly suggest amending the draft Cloud Smart introduction and summary to promote IT modernization and commercial cloud. Absent that guidance, agencies may continue sustaining vulnerable legacy systems. If OMB uses the Cloud Smart policy opportunity as guidance to agencies, it will accelerate IT modernization across government.

Best wishes,

Richard A. Beutel
Executive Director
The Alliance for Digital Innovation
1001 N. 19th Street, Suite 1200
Arlington, Virginia 22209

johnaweiler commented 5 years ago

AWS's new lobby, ADI, does not address the needs for open systems, open standards nor vendor lock-in. As AWS is the only IaaS vendor making up ADI, its recommendations and organization structure have the intent of undermining more objective, open communities dedicated to transparent, standards-based decision making. Be very careful.