DoD continues to move slowly in finding a way to take advantage of the obvious cost and flexibility benefits of commercial cloud hosting. DISA’s commercial cloud broker is still only offering support for Service pilot activities for the lowest levels of data sensitivity. In the meantime, other federal agencies are already fully underway in adopting commercial cloud hosting.
According to the Kenneth Trippie, executive director of the Enterprise System Development Office at Department of Homeland Security, Kenneth Trippie, DHS has nine private cloud computing environments and three public clouds. All its 112,000 employees use the cloud for email, and private clouds are used by 30,000 employees for collaboration and other purposes. Meanwhile, DISA is attempting to build out an extensive government-owned Core Data Center infrastructure which will be challenging to fund and operate.
Keeping pace with commercial cloud solutions in terms of cost, flexibility and technology has already proven impossible for large government data centers – this approach should be reserved only for classified data with an understanding that it will cost more to create and sustain. Couple this with the government’s Cloud First policy and you’re left wondering why DoD hasn’t already adopted commercial cloud hosting for nearly all of their unclassified applications. Impatience is growing in the Services, and many senior Service personnel are concerned that DISA has an inherent conflict of interest in serving as the DoD’s commercial cloud broker while simultaneously building their own Core Data Center backbone.
Here are three recommendations that DoD and DISA could quickly implement to accelerate the use of and benefits from commercial cloud hosting:
1. Go “all in” on FedRAMP. As a member of the FedRAMP Joint Authorization Board, DoD already has significant control over which Cloud Service Providers achieve FedRAMP authorization and what security controls are required. Why isn’t FedRAMP authorization good enough for DoD? Are unclassified Defense data elements really that much more sensitive than those of other government agencies?
2. Shift from a commercial cloud “pilot activity” mentality to a “production capability” focus. Pick an enterprise application and deploy it in a FedRAMP-approved commercial cloud host. Operate it from there and compare costs, performance and flexibility in sustainment/upgrades to the same application hosted in a DISA data center. Ideally, this would be a joint enterprise application, and could therefore align well with the Joint Information Environment vision. Maria Roat, FedRAMP Director at the General Services Administration, has highlighted emergency response applications as a key use case that fits well with a commercial cloud deployment model. Maybe DoD should start here.
3. Move DISA away from a “Cloud Broker” model to a more flexible and user-friendly “Cloud Advocate” model. Leverage experience from large commercial cloud users (think NetFlix) to create a repository of best practices and lessons learned that Service programs deploying capability can use and tailor to meet their needs. Replace the “one size fits all” mentality with a “how can we help you discover what might suit your individual needs” attitude to assist Services with transition to the commercial cloud.
The jury is in – commercial cloud hosting is the future and the future is now. The only remaining question is how fast DoD can catch up!