Jay Huie, Cloud Portfolio Director for GSA’s Technology Transformation Service (TTS)–which includes FedRAMP–sat down with MeriTalk last week. He offered insights on his role at GSA, FedRAMP, and his perspective on the road ahead for cloud adoption, FITARA, and MGT.
MeriTalk: How Did You Come to GSA–Tell Us A Little Bit About Your Journey?
Jay Huie: I originally came from industry as a developer, system administrator, and architect. I’ve worked on everything from mainframes, to open source systems, to high-performance computing platforms. What motivates me is finding challenging problems at the intersection of many disciplines, because if you only have a hammer every problem ends up looking like a nail. In today’s era, we have so many tools in our toolbox–the trick is using them.
I moved into the government first as a contractor, helping agencies with modernization initiatives, including cloud computing and data processing, managing policies like cloud, IPv6, open data, and being responsible for enterprise architectures and capital planning. Even before I joined the government service at GSA, I have always been passionate about connecting dots and building bridges, whether those are people or technology–and I think that’s something I continue to strive for in my current role.
As the Cloud Portfolio Director for GSA’s Technology Transformation Service (TTS), What Are Your Top Responsibilities and Priorities?
My priority is helping agencies adopt cloud so they can be more effective and efficient in meeting their missions. This responsibility is manifested in three main ways:
- Policies: reduce barriers and inform updates based on industry and agencies’ experiences
- Partnerships: foster connections with and between agencies and industry
- Practices: collect, consolidate, and communicate insights to stakeholders
You’ve Been Tasked with Leading GSA’s Cloud Adoption Center of Excellence, Supporting the White House Office of American Innovation. What Does this Entail?
This is really a recognition that the best way to help agencies isn’t just to provide them with products and services, but also supply some measure of expertise in how those fit together.
I look at it as sort of an “open source” mindset to cloud adoption, only it’s not always code, sometimes open source can mean more contracting or consultative experience. Historically, agencies shared best practices and lessons learned in a sort of sporadic fashion; maybe between two CIOs at an event or facilitated through attendance at a public-private partnership.
The CoEs help continue the information sharing by acting as a small “hub” to continue to connect the community, but they also capture and share the lessons learned. Often those doing the thing don’t have time to write down how they did it, or what they learned from it; we’re committed to sharing research and best practices for modernization to galvanize agency adoption of cloud services.
The FedRAMP Program Recently Released New Guidance Around How It Evaluates Compliance with Continuous Monitoring Rules. Why Was This Significant and Necessary?
We’re always trying to talk with our industry and agency partners and share what we’ve learned, as well as improve the process. Our new guidance takes that input from industry to:
- Improve the overall process and clarify certain elements or expectations
- Make it easier to reference aspects of the process that were not documented previously
- Create clarity in parts that may have been interpreted differently
In order to create the new guidelines we had extensive conversations with our community, including:
- Interviews with 90 percent of the CSPs with JAB P-ATO authorization
- Feedback specific to our small business partners
- Created five Stakeholder Journey and Process Maps
- Spent over two hours with six (small, medium, and large) agencies
All in all, we spent about 100 hours gathering information across all of our partners (CSPs, agencies, 3PAOs) to gather insight on how we could improve the overall process before we released any new guidance.
We also released an “agency playbook” to help agencies navigate their part of the process and make life easier for cloud service providers as they work with agencies. I think this is significant because it shows that just as technology is constantly evolving, so are we, and we’re able to take advantage of GSA’s unique role balanced between our industry and agency partnerships.
What Are FedRAMP’s Key Priorities This Year?
Last year we made some dramatic enhancements to the process and program, reducing the time for decisions by over 75 percent for JAB authorizations, cutting the costs for vendors, and providing them with more certainty upfront through the readiness self-assessment guidance.
This is really a year of refinement and we’re focused on three main objectives:
- Continuing to increase the number of cloud services that our agency partners can choose from (increasing ATOs, reuses, and converting FedRAMP Ready CSPs to In-process and Authorized)
- Transforming parts of the process through automation and innovation, such as incorporating even more of the ideas from industry we gained through our ConMon research
- Strengthening the community, both for FedRAMP as well as the broader “cloud community”–often we find helping people think more about their cloud strategy benefits the security aspects
What Does Success in Government Digital Transformation Look Like and Can You Point to Some Early Successes?
I think success looks a lot like constant change–it’s just that we need to be more granular in utilizing that change to our benefit. Matt Lira has referred to IT Modernization as a relay race, and I think that’s appropriate, just that the finish ribbon is at the end of every lap and hopefully the race never ends.
For agencies, success isn’t some end state where an agency can “get there” then forget about their system, that’s what’s happened in the past. Success means an organization that has redefined its IT capabilities in terms of the citizens it serves, and the constant responsibility to continue to mature the ways technology supports the mission.
What Are The Biggest Obstacles to Broader Cloud Adoption?
I think the biggest obstacle to adoption is the complexity agencies have built into their infrastructure. We’ve tried to make our networks, compute, and storage infrastructure smart, and ended up with applications that have struggled to deliver.
What industry has shown us is that a lot of successful solutions embed a lot of intelligence into individual applications–this new approach requires an application-centric rather than an infrastructure-centric model.
FITARA Has Not Changed Federal IT Efficiency–What Needs to Change to Give It Teeth, and/or Does It Need Teeth?
I think most of us have been working in this space long enough to know that between a carrot and a stick, the carrot is usually the most successful. So I can’t speak to whether it needs teeth, or how that might be done, but I can state that what we’ve seen with FedRAMP is that providing help to industry and agencies (by reducing their time to access a solution) has been a powerful carrot.
So what I think FITARA has given us is more data and that’s really the spark that can ignite so much transformation. We saw this with data center consolidation and optimization, where clarity on the situation yielded tremendous attention and action.
I believe that cloud, like FITARA, is most successful when it demonstrates the support of agency leadership. That’s something I’ve seen here at GSA, in particular. Strong executive leadership helps integrate new norms into cultures that traditionally prized stability above almost all else. Now we’re facing a dynamic landscape, that’s only accelerating, so the successes we see most are those that have helped integrate a willing culture of change, by demonstrating the commitment of the agency’s leadership.
What Are Your Recommendations on How to Do MGT Right?
It’s easy to toss around phrases like “fail fast” or “embrace change,” “develop incrementally,” or “agile acquisition”–but my recommendation for Modernizing Government Technology is to look at what those catch phrases are trying to say and move beyond the sound bite into action.
I imagine someone who’s tasked with implementing MGT (I mean in the little “modernizing govtech” sense, not the big MGT process itself) is looking at all this guidance and trying to make sense of what’s required. But, as they say, the best place to start is at the beginning and most of this is less about the historical approach where we told agencies “you must” and more about telling them “we’re here to help.”
Could You Provide Some Stats/Insights About Federal IT That People Might Find Surprising?
- We estimate that FedRAMP authorizations now cover one-third of the entire traffic of the internet and we monitor over 5 million in assets on a monthly basis, for a program that’s less than $10M per year.
- Based on over 600 re-authorizations, where someone (including industry) leverages a pre-existing security authorization, we estimate we’ve saved over $150 million in costs.
- About 30 percent of Federal IT authorizations are attributed to small business, which shows the benefit of the “do-once-use-many” approach we enable–saving companies time and money.
If You Were Federal CIO, What Would You Change?
I would focus the modernization conversation beyond just infrastructure upgrades. Mission owners care about costs, but given the option between saving money on their compute/network/storage or having radically enhanced services, I’m pretty sure most would choose the latter, knowing that industry is always working to bring the value up and the costs down, and the public is the most important measure of cost and value.
Too often “modernization” ends up as a mantra for the IT organization to just provide themselves with new tools instead of listening to what the mission owners are asking for assistance with; that can be the difference between upgrading the network wiring vs. providing wireless access. It can be the difference between upgrading a website experience for the public, or upgrading the underlying server.
I’d also leverage the “cyber sprint” approach, where there was radical clarity, and priority, on what agencies were being asked to do–instead of trying to have them do “all the things” all at once, like surfacing low-impact shadow IT, while at the same time protecting high-value assets.
And lastly, we need to get into a discussion about tradeoffs. What’s the cost benefit of this cloud-migration vs. this legacy operation? What’s the risk-reward tradeoff of investing in a legacy approach vs. embracing a new industry solution? I think the only thing absolute is that there are rarely any absolutes, so while it’s tempting to say “security is the barrier,” or “acquisition,” or “talent”–the reality is far more complex and I think we should embrace that because it gives more options, not less, for providing solutions.
If You Weren’t in the Federal IT Business, What Would You Be and Why?
Truly I love what I do, but I guess I’d try to find something that on the surface doesn’t look at all like an IT challenge, and apply the lessons I’ve learned. I actually have an interest in woodworking and I suspect many of the buzzwords like agile development, and iterative design, would be fun to leverage for such a crafty industry.
Many people have pointed out that our IT organizations actually model the history of our industrialized organizations. I suspect, if we applied the DevOps-style approach that cloud companies have proven to non-traditional technology areas–like maybe woodworking–we’d end up with a lot of positive examples about the benefits of a new way of looking at your culture and organizational structure that would prove the value of these techniques to technology groups that can be resistant to these new models.
I think this is actually what we’ve seen with techniques like “Technology Business Management”–where it’s been proven in traditionally non-tech areas, and the benefits are now finding their way into Federal CIO organizations.
What Book Are You Reading Now, or What Book Did You Just Finish Reading?
I tend to alternate between relaxing books and business ones, and I just finished a popular fantasy series called the “Wheel of Time.” Even in a non-tech novel, I see the relevance to our work: the wheel of time is about modernization, which means perpetually embracing change, it’s not about a single technology like “cloud”–we’ve seen that with mainframes, client server, distributed computing and now cloud. There’s a heartbeat to technology that should power our organizations and services.
I also finished a business book about creating a high-performance culture. One of the parables it used is that darkness isn’t the opposite of light–it’s the absence of it. Simply striking a match in the darkness can help light the way, and I think this is the focus of all our IT efforts.
I’m a child of Star Wars and we know that the light and dark sides of the Force are about balance, and that’s the same with cloud–it’s not an all or nothing approach; Cloud isn’t the absence of darkness, you still need data centers to connect to the internet; a high-performing organization has both at their disposal.
What Haven’t I Asked You That I Should Have?
Perhaps how can people help? I think there’s a lot of recognition that we’re all in this together; as in basketball all the technologies–like cloud–are a team sport.
Having worked on both sides of the “line”–contractor and Federal employee–I’m well aware of the passion that everyone can bring to bear on this topic. We need it, not to point fingers, or oversimplify the solutions, but to provide the data, insights, and radical candor that we all need to succeed.