Progress in U.S. Government Information Technology by Michael Erbschloe

Cloud Computing

Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. The Cloud Computing model offers the promise of massive cost savings combined with increased IT agility. It is considered critical that government and industry begin adoption of this technology in response to difficult economic constraints. However, cloud computing technology challenges many traditional approaches to datacenter and enterprise application design and management. Cloud computing is currently being used; however, security, interoperability, and portability are cited as major barriers to broader adoption.

The National Institute of Standards and Technology (NIST) has defined cloud computing as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models. Essential characteristics are:

  • On-demand self-service. A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.
  • Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations).
  • Resource pooling. The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, and network bandwidth.
  • Rapid elasticity. Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.
  • Measured service. Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.

Cloud computing service models include:

  • Software as a Service (SaaS). The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
  • Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.
  • Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).

Cloud computing deployment models include:

  • Private cloud. The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.
  • Community cloud. The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.
  • Public cloud. The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.
  • Hybrid cloud. The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).

 

Cloud computing enables the sharing, storage, and accessibility of data via the Internet, rather than through individual, limited-access hard drives. It is an evolution toward the renting of integrated services as needed without the high risk and capital costs of development and infrastructure. The adoption of cloud computing offers many benefits to Veterans, their families and dependents, VA personnel, and VA partners. Using cloud, Veterans and their families will have access to VA services on any device, anywhere, and at any time. They will experience improved mission services and capabilities, and will be able to access information seamlessly, globally, securely, cost effectively, and reliably.

VA has been pursuing various IT infrastructure evolution initiatives for some time. The adoption of utility cloud computing models has numerous advantages. Fundamentally, the capability supports rapid delivery of VA business capabilities. Thus, it provides the agile, scalable, and reliable infrastructure needed to keep pace with an explosive growth of information and the increased variety and uses of VA’s strategic information assets. VA’s efforts to this end align with the Office of Management and Budget (OMB)’s 25 Point Implementation Plan to Reform Federal Information Technology Management (December 9, 2010) and the priority of the current VA Chief Information Officer (CIO) to adopt cloud computing.

By definition, cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction (NIST SP 800-145). VA has several cloud initiatives already in use that correspond to the Service Models identified above:

  • Infrastructure as a Service (IaaS) capabilities are available after implementing the Adaptive Cloud Environment (ACE). IaaS includes support for on-demand, self-service provisioning, broad network access, resource pooling, rapid elasticity, and measured service.
  • After expanding the internal Platform as a Service (PaaS) offerings, VA continues to investigate the viability of using external Software as a Service (SaaS) providers to deliver Email as a Service.
  • Additionally, externally hosted providers and cloud implementers (e.g., Terremark, Century Link) were adopted to host some of VA’s mission-critical IT systems such as Veterans Benefits Management System (VBMS), My HealtheVet, and Customer Relationship Management Unified Desktop (CRM-UD).

VA has developed an implementable enterprise cloud strategy to realize the greatest benefits of cloud computing across VA and to prevent the potential risk of diverging approaches or overlapping efforts. The strategy is consistent with the CIO’s vision and aligned with VA policies. The purpose of the strategy is to deliver more responsive IT services at lower cost to the Department and to promote adoption of the following concepts:

  • Cloud First Policy. Systems are to use cloud computing unless specific criteria are met that demonstrate the solution is not yet cloud ready.
  • VA Cloud Broker and Central Cloud Consumer. An Enterprise Cloud Services Broker (ECSB) solution has been established to support business and technical governance and overall migration to cloud service. The ECSB also provides a gateway to centralized intermediation, aggregation, and arbitrage of cloud services.
  • Cloud Service Contract Vehicles. A contract vehicle will be established to acquire cloud services on a consumption-based model that supports elasticity and incrementally funded contracts.
  • Public/Community/Private Cloud Criteria. The use of FedRAMP-approved public and community cloud solutions will be allowed for systems that are classified up to Federal Information Security Modernization Act of 2014 (FISMA) Moderate, and the use of VA private cloud solutions will be promoted for FISMA High systems.
  • Cloud Pilots. Pilots will be conducted to support iterative implementation of the Cloud Strategy, quantify benefits using key performance indicators, and reduce potential risks. Needed changes in procedures, programs, and technical standards to accelerate cloud services migration will be instituted through a lessons-learned process.
  • Cloud Computing Enterprise Design Patterns. Guiding principles, best practice approaches, and constraints will be established for acquiring cloud services and incorporating them as reusable enterprise capabilities.

Enterprise Design Patterns (EDPs) are developed by the Office of Technology Strategies (TS) in coordination with internal and external subject matter experts (SME) and stakeholders. Enterprise Design Patterns are incorporated into the Design, Engineering, & Architecture (DE&A) Compliance and provide reusable, enterprise-level capabilities guidance. They provide a standardized framework of capabilities and constraining principles to aid all integrated project teams (IPT) in the development, acquisition, and/or implementation of IT systems and services. Each signed Enterprise Design Pattern is listed below by topic area.

On March 17, 2016, the CIO and Deputy CIO for Architecture Strategy and Design signed VA Directive 6551 regarding VA Enterprise Design Patterns. This directive establishes a mandatory policy for establishing and utilizing Enterprise Design Patterns by all Department of Veterans Affairs (VA) projects developing information technology (IT) systems in accordance with the VA’s Office of Information and Technology (OI&T) integrated development and release management process, the Veteran-focused Integration Process (VIP).

Cloud computing enables convenient, rapid, and on-demand computer network access, most often via the Internet, to a shared pool of configurable computing resources (in the form of servers, networks, storage, applications, and services). Quite simply, it is the way computing services are delivered that is revolutionary. Cloud computing allows users to provision computing capabilities rapidly and as needed; that is, to scale out and scale back as required, and to pay only for services used. Users can provision software and infrastructure cloud services on demand with minimal, if any, human intervention.

Because cloud computing is based on resource pooling and broad network access, there is a natural economy of scale that can result in lower costs to agencies. In addition, cloud computing offers a varied menu of service models from a private cloud operated solely for one organization to a public cloud that is available to a large industry group and the general public and owned by an organization that is selling cloud computing services. Various forms of cloud computing solutions are already being used in the federal government today to save money and improve services. Let me illustrate with just a few examples:

  • The Department of the Army Experience Center in Philadelphia is piloting the use of a customer relationship management (CRM) tool. The Center is a recruiting center that reaches out to young people who are interested in joining our armed forces. The Center wants to move to real time recruiting and to use tools and techniques that are familiar and appeal to its young demographic. They are using a CRM provided by SalesForce to track recruits as they work with the Center. Since the tool integrates directly with e-mail, Twitter and Facebook, recruiters can maintain connections with potential candidates directly after they leave the Center. The Army estimated that to implement a traditional CRM would have cost $500,000. The cloud-based solution has been implemented at the cost of $54,000.
  • The Department of Energy is evaluating the cost and efficiencies resulting from leveraging cloud computing solutions across the enterprise to support business and scientific services. The Lawrence Berkeley Lab has deployed over 5,000 mailboxes on Google Federal Premiere Apps and they are now evaluating the use of Amazon Elastic Compute Cloud (EC2) to handle excess capacity for computers during peak demand. The Lab estimates that they will save $1.5 million over the next five years in hardware, software and labor costs from the deployments they have made.
  • Finally, GSA has moved the primary information portal, USA.gov, to a cloud-based host. This enabled the site to deliver a consistent level of access to information as new databases are added, as peak usage periods are encountered, and as the site evolves to encompass more services. By moving to a cloud, GSA was able to reduce site upgrade time from nine months to one day; monthly downtime improved from two hours to 99.9% availability; and GSA realized savings of $1.7M in hosting services.

In addition to improved services, GSA anticipates that cloud computing will be a major factor in reducing the environmental impact of technology and help achieve important sustainability goals. Effective use of cloud computing can be part of an overall strategy to reduce the need for multiple data centers and the energy they consume. Currently, GSA is supporting OMB in working with agencies to develop plans to consolidate their data centers. Using the right deployment model – private cloud, community cloud, public cloud, or a hybrid model – can help agencies buy improved services at a lower cost within acceptable risk levels, without having to maintain expensive, separate, independent and often needlessly redundant brick and mortar data centers.

In February 2010, the Federal CIO announced the Federal Data Center Consolidation Initiative. In it, he designated two Federal agency CIOs, Richard Spires (DHS) and Michael Duffy (Treasury), to lead the effort inside the Federal CIO Council. It also highlighted the following goals:

  • Reduce the cost of data center hardware, software and operations
  • Increase the overall IT security posture of the government
  • Shift IT investments to more efficient computing platforms and technologies
  • Promote the use of Green IT by reducing the overall energy and real estate footprint of government data centers

GSA has a significant leadership role in supporting the adoption of cloud computing in the federal government. We have concentrated our efforts on facilitating easy access to cloud based solutions from commercial providers that meet federal requirements, enhancing agencies’ capacity to analyze viable cloud computing options that meet their business and technology modernization needs, and addressing obstacles to safe and secure cloud computing. In particular, GSA facilitates innovative cloud computing procurement options, ensures effective cloud security and standards are in place, and identifies potential multi-agency or government-wide uses of cloud computing solutions. GSA is also the information hub for cloud use case examples, decisional and implementation best practices, and sharing exposed risks and lessons learned. GSA has set up the Info.Apps.Gov site as an evolving knowledge repository for all government agencies to use and contribute their expertise.

Cloud services are usually offered and purchased as commodities. This is a new way of buying IT services and requires careful research on both government requirements and industry capability to meet demand. To assist agencies in buying new commercially provided cloud services, GSA established a website -- Apps.Gov -- modeled on other GSA product and service acquisition storefronts. The purpose of Apps.Gov is to provide easy, simple ways to find, research, and procure commercial cloud products and services. Agencies can search for software as a service (SaaS) products categorized under business purpose headings and get product descriptions, price quotes, and links to more information on specific products. Usage patterns to date indicate that agencies use this information to either directly buy SaaS products or, alternatively, as a source of marketplace research that is used to support cloud procurements using other vehicles such as GSA Schedule or GSA Advantage.

One of the most significant obstacles to the adoption of cloud computing is security. Agencies are concerned about the risks of housing data off-site in a cloud if FISMA security controls and accountabilities are not in place. In other words, agencies need to have a valid certification and accreditation (C&A) process and a signed Authority to Operate (ATO) in place for each cloud-based product they use. While vendors are willing to meet security requirements, they would prefer not to go through the expense and effort of obtaining a C&A and ATO for each use of that product in all the federal departments and agencies. The PMO formed a security working group, initially chaired by NIST, to address this problem. The group developed a process and corresponding security controls that were agreed to by multiple agencies, which we have termed the Federal Risk and Authorization Management Program (FedRAMP).

FedRAMP is a government-wide initiative to provide joint authorizations and continuous security monitoring services for all federal agencies with an initial focus on cloud computing. By providing a unified government-wide risk management for enterprise level IT systems, FedRAMP will enable agencies to either use or leverage authorizations with:

  • Vetted interagency approach;
  • Consistent application of Federal security requirements;
  • Improved community-wide risk management posture; and
  • Increased effectiveness and management cost savings.

FedRAMP allows agencies to use or leverage authorizations. Under this program, agencies will be able to review security details, leverage the existing authorization, and secure agency usage of the system. This should greatly reduce cost, enable rapid acquisition, and reduce effort. FedRAMP has three components:

1. Security Requirement Authorities which create government-wide baseline security requirements that are interagency developed and approved. This will initially be the Federal Cloud Computing Initiative and ultimately live with the ISIMC Working Group.

2. The FedRAMP Office which will coordinate authorization packages, manage authorized system list, and provide continuous monitoring oversight. This will be managed by GSA.

3. A Joint Authorization Board which will perform authorizations and on-going risk determinations to be leveraged government-wide. The board will consist of representatives from GSA, DoD, DHS and the sponsoring agency of the authorized system.

GSA is working with OMB, security groups including the Federal CIO Council’s Information Security and Identity Management Committee, and the marketplace to vet this program and ensure that it will meet the security requirements of the government while streamlining the process for industry.

The Common Open Government Dialogue Platform is a project undertaken by GSA in response to the Open Government Directive's mandate that agencies "incorporate a mechanism for the public to provide input on the agency’s Open Government Plan." Over the course of six weeks, GSA provided interested agencies with a no-cost, law- and policy-compliant, public-facing online engagement tool, as well as training and technical support to enable them to immediately begin collecting public and employee input on their forthcoming open government plans. Since then, GSA has worked to transfer ownership of the open government public engagement tool, powered by a cloud SaaS platform called IdeaScale, to interested agencies, in a manner that provided both policy and legal compliance, as well as support for sustained engagement. The tool was launched in February 2010 across 22 federal agencies and the White House Office of Science and Technology Policy; overall resource investment was less than $10,000 – far less than the hundreds of thousands or millions of dollars that would have resulted from agencies independently pursuing and procuring IT solutions. The agencies’ dialogue sites garnered over 2,100 ideas, over 3,400 comments, and over 21,000 votes during a six-week "live" period and the tool continues to be used by several agencies for a variety of other open government purposes.

USAspending.gov is a source for information collected from agencies in accordance with the Federal Funding Accountability and Transparency Act of 2006. This public-facing web site is a cornerstone of the Administration’s efforts to make government open and transparent. Using USAspending.gov, the public can determine how their tax dollars are spent and gain insight into the Federal spending processes across agencies. It also houses the Federal IT Dashboard, which displays details on the nearly 800 major federal IT investments based on data reported to the Office of Management and Budget. This data is also now housed in a cloud infrastructure environment maintained by NASA.

Data.gov is the central portal for citizens to find, download, and assess government data. It now hosts over 270,000 data sets covering topics ranging from healthcare to commerce to education. Data.gov was one of the first public facing government websites to deploy cloud computing successfully in government. It empowers citizens by allowing them to create personalized mash-ups of information from diverse sources (e.g., local school academic scores arrayed by education spending levels), solve problems (e.g., FAA flight time arrival information), and build awareness of government’s role in activities affecting daily activities (e.g., food safety, weather, and the like).

Challenge.gov is a government-wide challenge platform that will be hosted in a cloud computing infrastructure service to facilitate government innovation through challenges and prizes. This tool provides forums for seekers (the federal agency challenger looking for solutions) and solvers (those with potential solutions) to suggest, collaborate on, and deliver solutions. It will also allow the public to easily find and interact with federal government challenges. The platform responds to requirements defined in a March 8, 2010, OMB Memo, “Guidance on the Use of Challenges and Prizes to Promote Open Government” which included a requirement to provide a web-based challenge platform within 120 days. GSA is also exploring acquisition options to make it easier for agencies to procure products and services related to challenges.

Citizen Engagement Platform will provide a variety of blog, challenge and other engagement tools to make it easy for government to engage with citizens, and easy for citizens to engage with government. The platform addresses agencies’ need for easy-to-use, easy-to-deploy, secure and policy-compliant tools. This “build once, use many” approach adds lightweight, no-cost options for agencies to create a more open, transparent and collaborative government with tools either hosted or directly managed by GSA.

Cloud computing is a relatively new process for acquiring and delivering computing services via information technology (IT) networks. Specifically, it is a means for enabling on-demand access to shared and scalable pools of computing resources with the goal of minimizing management effort and service provider interaction. To encourage federal agencies to pursue the potential efficiencies associated with cloud computing, the Office of Management and Budget (OMB) issued a Cloud First policy in 2011 that required agency Chief Information Officers to implement a cloud-based service whenever there was a secure, reliable, and cost-effective option.

GAO was asked to assess agencies' progress in implementing cloud services. GAO's objectives included assessing selected agencies' progress in using such services and determining the extent to which the agencies have experienced cost savings. GAO selected for review the seven agencies that it reported on in 2012 in order to compare their progress since then in implementing cloud services; the agencies were selected using the size of their IT budgets and experience in using cloud services. GAO also analyzed agency cost savings and related documentation and interviewed agency and OMB officials. What GAO Found:

  • Each of the seven agencies reviewed implemented additional cloud computing services since GAO last reported on their progress in 2012. For example, since then, the total number of cloud computing services implemented by the agencies increased by 80 services, from 21 to 101. The agencies also added to the amount they reported spending on cloud services by $222 million, from $307 million to $529 million. Further, the agencies increased the percentage of their information technology (IT) budgets allocated to cloud services; however, as shown in the table, the overall increase was just 1 percent.
  • The agencies' relatively small increase in cloud spending as a percent of their overall IT budgets is attributed, in part, to the fact that these agencies collectively had not considered cloud computing services for about 67 percent of their investments. With regard to why these investments had not been assessed, the agencies said it was in large part due to these being legacy investments in operations and maintenance; the agencies had only planned to consider cloud options for these investments when they were to be modernized or replaced. This is inconsistent with Office of Management and Budget policy that calls for cloud solutions to be considered first whenever a secure, reliable, and cost-effective option exists regardless of where the investment is in its life cycle. Until the agencies fully assess all their IT investments, they will not be able to achieve the resulting benefits of operational efficiencies and cost savings.
  • The agencies collectively reported cost savings of about $96 million from the implementation of 22 of the 101 cloud services. These savings included both one-time and multiyear savings. For example, the General Services Administration saved $2.6 million by migrating to a cloud customer service solution, and Homeland Security saved $1.2 million from fiscal years 2011 through 2013 by implementing a cloud-based collaboration service. Agency officials cited two major reasons for why the other services they had implemented did not save money. First, a motivation for changing to some of the cloud-based services was not to reduce spending, but to improve service. Second, in selected cases, the cloud computing service opened up a new service or provided a higher quality of service; while this provided useful benefits to the agency, the associated costs negated any savings.

GAO is recommending, among other things, that the seven agencies assess the IT investments identified in this report that have yet to be evaluated for suitability for cloud computing services. Of the seven agencies, six agreed with GAO's recommendations, and one had no comments.

GAO was asked to examine federal agencies' use of SLAs. GAO's objectives were to (1) identify key practices in cloud computing SLAs and (2) determine the extent to which federal agencies have incorporated such practices into their SLAs. GAO analyzed research, studies, and guidance developed by federal and private entities to develop a list of key practices to be included in SLAs. GAO validated its list with the entities, including OMB, and analyzed 21 cloud service contracts and related documentation of five agencies (with the largest fiscal year 2015 IT budgets) against the key practices to identify any variances, their causes, and impacts.

Federal and private sector guidance highlights the importance of federal agencies using a service level agreement (SLA) in a contract when acquiring information technology (IT) services through a cloud computing services provider. An SLA defines the level of service and performance expected from a provider, how that performance will be measured, and what enforcement mechanisms will be used to ensure the specified performance levels are achieved. GAO identified ten key practices to be included in an SLA, such as identifying the roles and responsibilities of major stakeholders, defining performance objectives, and specifying security metrics. The key practices, if properly implemented, can help agencies ensure services are performed effectively, efficiently, and securely. Under the direction of the Office of Management and Budget (OMB), guidance issued to agencies in February 2012 included seven of the ten key practices described in this report that could help agencies ensure the effectiveness of their cloud services contracts.

GAO determined that the five agencies and the 21 cloud service c