Public Input on ‘Cloud Smart’ Policy Starts With a Basic Question: What Is Cloud?

emojoez/Shutterstock.com

Commenters suggested various parameters for what cloud computing in government should look like, but most agreed the draft document needs a better definition.

As the administration looks to finalize an updated governmentwide cloud computing strategy, public input has honed in on what seems like the most basic of questions: How should “cloud” be defined?

The Office of Management and Budget released the draft “Cloud Smart” policy on Sept. 24 and opened a 30-day public comment period to garner feedback. As of Monday, the administration had received 40 comments, the majority from cloud service providers and other industry stakeholders.

In general, most of the comments were unsurprising—commercial cloud companies wanted there to be more focus on using commercial clouds; cybersecurity companies wanted a stronger focus on cybersecurity. But one recurring theme stood out: Should the government push for greater adoption of commercial solutions over in-house—or private—clouds?

The first section of the draft policy suggests there has been much confusion within government over what constitutes cloud computing.

“The term ‘cloud’ inside of government is often used to refer to any technology solution provided by an outside vendor,” the document notes.

In actuality, “’cloud computing’ refers to a variety of technologies that allow the rapid provisioning of systems or services from a shared pool of resources,” the authors wrote, mirroring language used by the National Institute of Standards and Technology in defining cloud.

A number of comments called on OMB to include a more concrete definition of cloud, though they differed on what that definition should be.

“Cloud Smart should reaffirm the administration's desire to ‘bring the government to the cloud’ not ‘bring the cloud to government’ as outlined in the IT Modernization Report,” wrote David Levy, vice president of Amazon Web Services’ federal practice.

Levy urged the administration to include stronger references to commercial—or public—cloud options, rather than a hybrid approach that would mix cloud services owned and operated by an agency with those from private sector companies.

Commenters from the Internet Association, a lobbying group for internet companies, agreed.

“The absence of explicit support for commercial cloud in the draft policy is concerning,” wrote Melika Carroll, the group’s senior vice president for global government affairs. “IA member companies believe commercial cloud offerings provide the superior affordability, flexibility and security that is required by the federal government’s modernization efforts. We encourage the government to revise the policy to specifically state the government will be moving to commercial cloud and to link this goal to pre-existing modernization and commercial cloud efforts.”

But other companies and industry groups disagreed, urging OMB to take the opposite tack with Cloud Smart.

“Most federal CIOs—as well as private sector CIOs—acknowledge, and Intel agrees, that some workloads belong in the public cloud and that some are better in on premise or private clouds as determined by individual mission and security factors,” wrote Intel’s Lisa Davis, who spent 26 years as an IT leader in the federal government.

Employees writing on behalf of Red Hat agreed, noting Cloud Smart calls out the multi- and hybrid-cloud approaches but saying it doesn’t go far enough.

“Cloud Smart should promote a multi-cloud approach explicitly, consistent with its recognition of the importance of hybrid and private cloud implementations,” they wrote. “Agencies should ensure that cloud procurements do not: limit access [to] functionality improvements in the future offered by providers, preclude security and practical benefits of using different cloud providers for different use cases, or create risk of being charged monopoly rents in the future as cloud providers are crowded out.”

Officials from Hewlett Packard Enterprises agreed, as well, and took the argument for highlighting hybrid environments even further.

“The fact that IT organizations can provide their own private cloud services is an important fact because it leads into a key point: The world is hybrid,” the company wrote. “It is no longer an either ‘on-premise’—i.e. ‘on-prem’—or ‘off-premise’—i.e. ‘off-prem’—equation. Hybrid IT reflects the notion that each and every IT organization has an ‘estate’ of environments that they need to choose from and manage.”

Google Senior Policy Counsel Behnaz Kibria took a middle way, stating that OMB is correct in saying many are confused about what constitutes cloud services but added that there needs to be some fluidity in the definition.

“For example, as OMB correctly notes, not all outsourced technology services can be considered ‘cloud’ simply because an outside vendor provides them. The National Institute of Standards and Technology definition of cloud computing … should continue to be the operative one for the government. At the same time, all cloud deployment models are not the same and the question of whether a given solution is right should not end with whether it meets the technical definition of cloud but whether it allows the agency to reap the greatest possible benefits that cloud technology has to offer.”

Rather than focus as much on the definition, Kibria suggests OMB emphasize a “preferred end-state so that agencies move as expeditiously as possible to public cloud options.”

Researchers at MITRE, which runs several federally-funded research institutions, also used the “end-state” language in their recommendation to highlight hybrid options.

“MITRE recommends enhancing the document to include an updated federal cloud vision statement and supporting objectives,” wrote Science and Technology Analyst Duane Blackburn. “The strategy should clearly articulate the federal CIO’s desired end-state for federal cloud adoption and address the holistic, multi-functional and integrated approach needed to properly adopt cloud capabilities.”

OMB officials are preparing to review all 40 comments submitted but are also angling to get a few more. Officials decided to keep the public comment period open until Oct. 31 to garner any additional feedback that might be out there.