Federal agencies are embracing more cloud deployment models as they become more comfortable with cloud computing and their options multiply.
“Our default is absolutely public cloud,” said John Skudlarek, deputy chief information officer (CIO) at the Federal Communications Commission. “We get the scalability we want. We get the flexibility we want, and most importantly we get the security we want.”
The agency’s public cloud deployments cost a fraction of any legacy system the FCC can build, Skudlarek said during Thursday’s Cloud Connect 2015, hosted by MeriTalk.
Dawn Leaf, CIO at the Department of Labor, said commercial cloud options provide the agency the security it needs.
Labor “is not large in the realm of Federal agencies,” Leaf said. “So while it might make a lot of sense for agencies that have lots of data, lots of systems, huge volume, to build a private cloud because they really can apply the cloud model internally and get all the benefits because of their demand…for DOL, given our size, it makes sense to use the commercial model whenever we can.”
In 2013 the Labor Department made the switch to cloud-based email. Not only did its cloud migration allow the department to mothball nine legacy email systems, it increased the productivity of its employees because the old systems capped the number of emails employees could keep in their inboxes. Employees no longer had to spend an average of two hours a month deleting emails to stay under the threshold, Leaf said.
Richard McKinney, CIO at the Department of Transportation, said it’s important that agencies not limit their cloud options or tie themselves to a single cloud service provider (CSP).
“As far as cloud goes…we’re going to be using different cloud providers,” McKinney said. “We’re not going to put all our eggs in one basket. We’re going to try to have the experience of different providers because we want options to move data around. We need to get good at that.”
The Transportation Department’s cloud migration is not as rapid as the transition other agencies are making, McKinney said, but the Federal Data Center Consolidation Initiative (FDCCI) likely will speed up the agency’s migration of data and applications to the cloud.
“How we approach data center consolidation now is greatly impacted by having the option of moving assets into the cloud,” McKinney said.
CIOs on the panel encouraged agencies to use another agency’s Authority to Operate (ATO), which represents one agency’s approval to provide a service once the CSP in question demonstrates that its cloud service meets the security controls required.
“Why would I turn my nose up at someone else’s ATO if it was well thought out?” McKinney asked. “If it works, let’s go with it. Someone’s going to have to tell me why not to before I would shy away from (using another agency’s ATO).”
The FedRAMP Program Management Office (PMO) has provided guidance on using another agency’s ATO.
“Agencies can share complete ATO package material with other federal agencies. But it is recommended that agencies receive this information directly from the FedRAMP PMO, as it ensures documentation isvalidated against FedRAMP standard,” the PMO states in its guidance.
Leaf said reusing another agency’s ATO saves time and money.
“Why on Earth would any organization unnecessarily duplicate work? It’s not like we’re sitting around with extra money or extra time,” Leaf said.