ombegov / cloud.cio.gov

Federal Cloud Computing Strategy Website

Public comment from Adobe Systems #44

Open OMBPublicComments opened 5 years ago

OMBPublicComments commented 5 years ago

October 24, 2018

The Honorable Suzette Kent
US Federal Chief Information Officer
Office of Management and Budget
725 17th Street Northwest
Washington, DC 20503
Via email to: ofcio@omb.eop.gov

RE: Adobe comments on the Draft Federal Cloud Smart Strategy

Dear Ms. Kent,

On behalf of Adobe, thank you for the opportunity to submit written comments on the proposed Federal Cloud Smart strategy, released by the Office of Management and Budget for public comment on September 24, 2018. We greatly appreciate the Administration’s ongoing focus on cloud computing and the importance of leveraging innovative technology to deliver better citizen service. Adobe is a leader in digital experience and digital media solutions to governments and industry around the globe. Together with our customers and partners, Adobe is changing the world through digital experiences.

We commend OMB and its agency partners for this effort to update the seven-year-old Cloud First strategy, recognizing that both technology and the government's approach to cloud computing have evolved since the policy was first issued. We encourage OMB to continue to push agencies to move appropriate applications to the cloud so that the cost and security benefits of newer, modern technology can be realized with an eye toward “the why” – improving service to U.S. citizens and others that interact with the federal government.

By moving to cloud-based software-as-a-service (SaaS) platforms and other innovative technologies, the government has an opportunity to modernize existing legacy infrastructure, reduce the time to deployment, decrease the cost of service delivery, and improve customer and citizen services. These opportunities should not be missed. Without looking too hard one can see that the more workflows we can “digitize”, the more we can reduce the cost of government. This theme should be front and center in the government’s Cloud Smart strategy.

I. Redefining Cloud: Government Must Harness New Capabilities to Improve Service Delivery

With the expected increases in cloud spending and the use of cloud services across government, the new cloud smart policy should go beyond the redefinition of cloud to how government can harness new capabilities to improve the delivery of service. Government continues to lag behind the private sector in customer service, persistently ranking near the bottom of many customer service ratings. To stay ahead of the curve, the private sector has embraced the customer experience as an integral part of a corporation’s brand. The government must take on a similar approach, improving both the front end – making websites and government forms smart, intuitive and mobile friendly – and the back end to ensure that government systems provide state of the art web management tools.

Tracking TCO: There are many factors that the government should consider when determining its approach to cloud, not the least of which is effectively calculating the total cost of ownership (TCO). While cost should not be the only driver of an agency’s decision to move to cloud, TCO is something that should be factored into decision-making. As part of the OMB guidance, implementing the Cloud Smart strategy along with the new data center consolidation and optimization policy, we encourage you to define metrics around total cost of ownership that allow an agency to effectively consider all expenditures (e.g. including data center or server hardware and labor) and the risk of downtime due to the inability to scale with an on-premise or data center-based solution versus the cost of a cloud-based solution. It is by ensuring a proper comparison and metrics that agencies will truly be able to determine the cost effectiveness of cloud solutions.

II. Procurement: A Better Way to Purchase Cloud

Many of today’s acquisition regulations continue to reflect an “old world order” in which on-premise data centers and agency-owned, -operated and -developed applications ruled the day. To effectively move agencies to cloud, government must change the thinking about how to acquire cloud and other innovative technologies, with a strong focus on leveraging commercial technology. Today’s cloud marketplace is significantly different than the traditional Information Technology marketplace that government has experienced over the last 20 years, and the push to modernize and move agencies off legacy technology has never been stronger. Therefore, government should make a concerted effort to make purchasing secure, commercial SaaS easier.

The proposed focus on consolidating information about cloud best practices to assist agencies in better understanding available technologies, cloud procurement and a host of other critical topics via a GSA-hosted “cloud information center” is an important step forward. As a starting point, we encourage the Administration to focus on pre-negotiated, best-in-class contracts, like those vendors who have already participated in GSA’s FITARA schedule enhancement category management program, as well as other technologies that have been pre-vetted in some manner -- such as having FedRAMP and FedRAMP Tailored certifications. Doing this will cut through the fog, allowing agencies to identify the solutions they need, with a level of trust to know that what they are choosing has been, in essence, “preapproved.” FedRAMP Tailored, which we will also discuss as part of the security framework, can serve as a valuable tool to accelerate government’s adoption of secure SaaS solutions and its use by agencies looking to acquire cloud should be encouraged through this strategy.
In addition, the category management program has helped agencies develop and potentially leverage trusted supplier relationships and foster communication between vendors and government. The category management program can help improve government buying practices, help increase the adoption of cloud-based technologies, rationalize technology spend and improve the overall buying power of the federal government. We also support the development of cloud-specific contract vehicles, beginning with those solutions that have been pre-vetted, such as through the category management schedule program, or that have achieved FedRAMP certification, and we encourage the strategy to reflect that preference.

III. Ensuring Cloud Security

As the draft strategy rightly points out, the evolution of the federal government’s cybersecurity policies and capabilities is essential to successful IT modernization. As agencies contemplate their moves to the cloud, security must be front and center in their minds, and the federal government must ensure that the programs it has put in place – CDM, FedRAMP and the HVA policy – are up to the task.

Accelerate the deployment of CDM: The CDM program must evolve to rely more on cloud-based tools and technologies and less on the human element to ensure government agencies have access to real-time data with which they can make decisions. The updated CDM policy, proposed within one year of the release of the final strategy, must reflect an increased focus on leveraging cloud technologies and securing assets in the cloud.

FedRAMP: The FedRAMP program is a critical tool that enables agencies to move securely to cloud computing at the high, moderate and low (FedRAMP Tailored) levels. In order for the program to be successful, agencies must be able to acquire and leverage FedRAMP-certified solutions quickly and in a consistent manner. To date, the concept of “approve once, use many times” has not lived up to its fullest potential. Therefore, the strategy, which rightly encourages GSA to expedite the authorization of low risk applications via the FedRAMP Tailored program, should pay equal attention to the need to encourage agencies to adopt FedRAMP-certified solutions at the moderate level as part of a secure acquisition strategy, while ensuring the program has adequate resources to fulfill its critical mission and help expedite agency cloud migrations.

Data Protection via an Updated High Value Asset Policy: The constant threat of cyber breaches requires that the federal government focus an increasing amount of attention on new and innovative ways to address cybersecurity. Cloud plays a significant role in this. There are commercially available data-level protection technologies out there that can help address our cyber security challenges. These technologies, which include digital rights management (DRM), attribute-based access control (ABAC), and others, must work together to help the federal government build its best cyber defense. This layering approach is critical to stopping data breaches and ensuring that if information is hacked, it is rendered useless to those not authorized to view it. Similarly, digital signatures thwart fraudulent information attacks with automated integrity and authenticity checks on sensitive documents.

The Cloud Smart policy calls out the need for improved data management and visibility, better service-level agreements, information sharing and a new policy on risk-based approaches to protecting high-value assets. This thoughtful approach should be expanded to include a more comprehensive approach to data and document protection.

We remain encouraged by the federal government’s efforts to continue to leverage cloud and other innovative technologies that will help bring the U.S. Government into the 21st Century, and we look forward to working with you toward finalizing and implementing this strategy and the 22 associated CIO action items.