Cloud Computing: Background, Status of Adoption by Federal Agencies, and Congressional Action

Cloud computing is a new name for an old concept: the delivery of computing services from a remote location, analogous to the way electricity, water, and other utilities are provided to most customers. Cloud computing services are delivered through a network, usually the internet. Utilities are also delivered through networks, whether the electric grid, water delivery systems, or other distribution infrastructure. In some ways, cloud computing is reminiscent of computing before the advent of the personal computer, where users shared the power of a central mainframe computer through video terminals or other devices. Cloud computing, however, is much more powerful and flexible, and information technology advances may permit the approach to become ubiquitous.

As cloud computing has developed, varied and sometimes nebulous descriptions of what it is and what it is not have been commonplace. Such ambiguity can create uncertainties that may impede innovation and adoption. The National Institute of Standards and Technology has developed standardized language describing cloud computing to help clear up that ambiguity:

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.

Since 2009, the federal government has been shifting its data storage needs to cloud-based services and away from agency-owned, in-house data centers. This shift is intended to achieve two goals: reduce the total investment by the federal government in information technology (IT), which currently stands at about $90 billion each year, and realize other stated advantages of cloud adoption: efficiency, accessibility, collaboration, rapidity of innovation, reliability, and security. However, challenges remain as agencies shift to cloud services. According to a survey conducted in September 2018, federal IT managers expressed concerns about security in certain cloud environments, the complexity of migrating existing (“legacy”) applications to the cloud, a lack of skilled staff to manage certain cloud environments, and uncertain funding.

Planning for cloud adoption by federal agencies began with the 2010 publication of “A 25-Point Implementation Plan to Reform Federal IT Management.” More recently, in the 2017 “Report to the President on Federal IT Modernization,” the Office of Management and Budget (OMB) pledged to update the government’s legacy Federal Cloud Computing Strategy (“Cloud First”). Fulfilling this requirement, the Administration developed a new strategy, “Cloud Smart,” which was published on September 24, 2018. The new strategy is founded on what the Administration considers the three key pillars of successful cloud adoption: security, procurement, and workforce.

In the 116th Congress, there has been one cloud-related bill introduced and two hearings directly related to cloud computing:

The Federal Risk and Authorization Management Program (FedRAMP) Authorization Act (H.R. 3941) was introduced on July 24, 2019, by Representative Gerald Connolly. The bill would formally establish within the General Services Administration a risk management, authorization, and continuous monitoring process consistent with the Federal Information Security Modernization Act of 2014.”

On July 17, 2019, the House Committee on Government Reform Subcommittee on Government Operations held a hearing, “To the Cloud! The Cloudy Role of FedRAMP in IT Modernization.” The purpose of the hearing was to examine the extent to which FedRAMP has reduced duplicative efforts, inconsistencies, and cost inefficiencies associated with the cloud security authorization process.

On October 18, 2019, the Committee on Financial Services Task Force on Artificial Intelligence (AI) held a hearing, “AI and the Evolution of Cloud Computing: Evaluating How Financial Data Is Stored, Protected, and Maintained by Cloud Providers.” Among other topics, the hearing explored how AI could be used to improve cloud management functions.

Additionally, there have been two hearings on the implementation status of the Federal Information Technology Acquisition Reform Act. These hearings provide an update on data center optimization, which is an indication of the extent of agency adoption of cloud computing.

Cloud Computing: Background, Status of Adoption by Federal Agencies, and Congressional Action

Updated March 25, 2020 (R46119)
Jump to Main Text of Report

Summary

Cloud computing is a new name for an old concept: the delivery of computing services from a remote location, analogous to the way electricity, water, and other utilities are provided to most customers. Cloud computing services are delivered through a network, usually the internet. Utilities are also delivered through networks, whether the electric grid, water delivery systems, or other distribution infrastructure. In some ways, cloud computing is reminiscent of computing before the advent of the personal computer, where users shared the power of a central mainframe computer through video terminals or other devices. Cloud computing, however, is much more powerful and flexible, and information technology advances may permit the approach to become ubiquitous.

As cloud computing has developed, varied and sometimes nebulous descriptions of what it is and what it is not have been commonplace. Such ambiguity can create uncertainties that may impede innovation and adoption. The National Institute of Standards and Technology has developed standardized language describing cloud computing to help clear up that ambiguity:

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.

Since 2009, the federal government has been shifting its data storage needs to cloud-based services and away from agency-owned, in-house data centers. This shift is intended to achieve two goals: reduce the total investment by the federal government in information technology (IT), which currently stands at about $90 billion each year, and realize other stated advantages of cloud adoption: efficiency, accessibility, collaboration, rapidity of innovation, reliability, and security. However, challenges remain as agencies shift to cloud services. According to a survey conducted in September 2018, federal IT managers expressed concerns about security in certain cloud environments, the complexity of migrating existing ("legacy") applications to the cloud, a lack of skilled staff to manage certain cloud environments, and uncertain funding.

Planning for cloud adoption by federal agencies began with the 2010 publication of "A 25-Point Implementation Plan to Reform Federal IT Management." More recently, in the 2017 "Report to the President on Federal IT Modernization," the Office of Management and Budget (OMB) pledged to update the government's legacy Federal Cloud Computing Strategy ("Cloud First"). Fulfilling this requirement, the Administration developed a new strategy, "Cloud Smart," which was published on September 24, 2018. The new strategy is founded on what the Administration considers the three key pillars of successful cloud adoption: security, procurement, and workforce.

In the 116th Congress, there has been one cloud-related bill introduced and two hearings directly related to cloud computing:

The Federal Risk and Authorization Management Program (FedRAMP) Authorization Act (H.R. 3941) was introduced on July 24, 2019, by Representative Gerald Connolly. The bill would formally establish within the General Services Administration a risk management, authorization, and continuous monitoring process consistent with the Federal Information Security Modernization Act of 2014."

On July 17, 2019, the House Committee on Government Reform Subcommittee on Government Operations held a hearing, "To the Cloud! The Cloudy Role of FedRAMP in IT Modernization." The purpose of the hearing was to examine the extent to which FedRAMP has reduced duplicative efforts, inconsistencies, and cost inefficiencies associated with the cloud security authorization process.

On October 18, 2019, the Committee on Financial Services Task Force on Artificial Intelligence (AI) held a hearing, "AI and the Evolution of Cloud Computing: Evaluating How Financial Data Is Stored, Protected, and Maintained by Cloud Providers." Among other topics, the hearing explored how AI could be used to improve cloud management functions.

Additionally, there have been two hearings on the implementation status of the Federal Information Technology Acquisition Reform Act. These hearings provide an update on data center optimization, which is an indication of the extent of agency adoption of cloud computing.


Introduction

Since 2009, the federal government has been shifting its data storage needs to cloud-based services and away from agency-owned, in-house data centers. This shift is intended to achieve two goals: reduce the total investment by the federal government in information technology (IT), which currently stands at about $90 billion each year,1 and realize other stated advantages of cloud adoption, including efficiency, accessibility, collaboration, reliability, and security.2 However, challenges remain as agencies shift to cloud services. According to a survey conducted in September 2018, federal IT managers continue to express long-held concerns about security in certain cloud environments, the complexity of migrating existing ("legacy") applications to the cloud, a lack of skilled staff to manage certain cloud environments, and uncertain funding.3

This report explains what cloud computing is, including different models for cloud deployment and services, and describes the federal government's planning for IT reform. It also provides information on assessments that have been conducted on agency cloud adoption. Finally, the report provides a summary of recent congressional action and presents some possible mechanisms for Congress to monitor agencies as they implement cloud computing.

What Is Cloud Computing?

Cloud computing is a new name for an old concept: the delivery of computing services from a remote location. Cloud computing services are delivered through a network, usually the internet. Some analysts see this approach as analogous to the networked delivery of electricity, water, and other utilities through the electric grid, water delivery systems, and other distribution infrastructure.4 In some ways, cloud computing is reminiscent of computing before the advent of the personal computer, when users shared the power of a central mainframe computer through video terminals or other devices. Cloud computing, however, is much more powerful and flexible, and information technology advances may permit the approach to become nearly ubiquitous.

Cloud computing differs from local computing, in which local machines perform most tasks and store the relevant data. Some cloud services are adaptations of familiar applications, such as email and word processing. Others are new services that never existed as a local application, such as social networks.

As cloud computing has developed, varied and sometimes nebulous descriptions of what it is and what it is not have been commonplace. Such ambiguity can create uncertainties that may impede innovation and adoption. The National Institute of Standards and Technology (NIST) has developed standardized language describing cloud computing to help clear up that ambiguity:

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.5

The first sentence of the definition basically states that cloud computing is a way of providing convenient, flexible access to a broad range of computing resources over a network. The characteristics and models referred to in the second sentence provide the specificity necessary to clarify what cloud computing is and is not, described below.

Characteristics of Cloud Computing6

Cloud computing differs from local computing in many ways. NIST has identified five characteristics in particular:

  • On-demand self-service: A user can directly access the needed computing capabilities from the source, no matter what specific resource is required. An analogy is that a television viewer or radio listener can change stations at will.
  • Broad network access: A user is not tied to one location but can access resources from anywhere the network (typically the internet) is available.
  • Resource pooling: Many users share the same overall set of resources from a provider, using what they need, without having to concern themselves with where those resources originate. An analogy is that homeowners and businesses do not need to know which specific power plants generated the electricity they are using [although some do care, and specifically buy power from "green" sources].
  • Rapid elasticity: Users can quickly increase or decrease their use of a computing resource in response to their immediate needs. An analogy is that electricity customers can use as little or as much power as they need, within the capacity of their connections to the grid.
  • Measured service: The amount of usage by a customer is monitored by the provider and can be used for billing or other purposes. An analogy is the metered use of electricity, water, natural gas, and other utilities.

Deployment Models7

NIST has identified four standard models, or types, of cloud computing that can be implemented to satisfy the varying needs of users or providers. Those models—public, private, community, and hybrid—vary in where the hardware is located, what entity is responsible for maintaining the system, and who can use system resources. An extensive list of deployment model adoption by federal agencies is in the April 2019 report by the Government Accountability Office, Cloud Computing: Agencies Have Increased Usage and Realized Benefits, but Cost and Savings Data Need to Be Better Tracked.8

Public

In public cloud (sometimes called external cloud) computing, a provider supplies one or more cloud-computing services to a large group of independent customers, such as the general public. Customers use the service over the internet through web browsers or other software applications. Providers usually sell these services on a metered basis, an approach that is sometimes called "utility computing." Some common examples of services using a public cloud model include internet backup and file synchronization9 and web-based media services.10 Public clouds may have price and flexibility advantages over other deployment models, but security and other concerns could restrict federal use. The public cloud deployment model is used predominantly by businesses with low privacy concerns.

Private

A private cloud (sometimes called an internal cloud) works like public cloud computing, but on a private network controlled and used by a single organization. It is a cloud used by a company itself—rather than its customers. Private clouds may provide services that are similar to those provided by public cloud providers, but potentially with fewer risks. Potential disadvantages include cost and logistical challenges associated with purchasing and managing the required hardware and software. Private clouds can provide internal services such as data storage as well as external services to the public or other users.

Community

A community cloud allows a group of organizations with similar requirements to share infrastructure, thereby potentially realizing more of the benefits of public cloud computing than is possible with a purely private cloud. Because a community cloud has a much smaller user base than a public cloud, it may be more expensive to establish and operate, but it may also allow for more customization to meet the users' needs. It may also meet user-specific security and other requirements more effectively than a public cloud. Just like private cloud, community cloud is technically no different from public cloud. The only difference is who is allowed to use it.

Hybrid

A hybrid cloud uses a combination of internal (private or community) and external (public) providers. For example, a user could employ a private or community cloud to provide applications and store current data, but use a public cloud for archiving data. The flexibility of this deployment model may make it particularly attractive to many organizations. By combining different deployment models, users can choose the right balance for their organization between legal compliance, security, and scalability.

Service Models11

Cloud computing can provide various kinds of services, ranging from basic computing tasks to the provision of sophisticated applications. While these services can be categorized in different ways, the NIST definition uses three basic service models, described below.12

Software as a Service (SaaS)

In the SaaS13 model, customers use applications that the provider supplies and makes available remotely on demand, rather than using applications installed on a local workstation or server. SaaS is the most readily visible and simplest service model to the end user. In many cases, SaaS applications are accessible through hardware or software "thin clients."14 Examples include web-based services such as Google Apps and online storage such as DropBox.

Platform as a Service (PaaS)

With PaaS, customers create applications on the provider's infrastructure using tools, such as programming languages, supplied by the provider. Facebook is one example of such an application.15 Such a platform could include hosting capability and development tools to facilitate building, testing, and launching a web application. The user controls the applications created via the platform, and the provider controls and maintains the underlying infrastructure, including networks, servers, and platform upgrades.

Infrastructure as a Service (IaaS)

IaaS providers supply fundamental computing resources that customers can use however they wish. Customers can install, use, and control whatever operating systems and applications they desire, as they might otherwise do on desktop computers or local servers. The provider maintains the underlying cloud infrastructure. Examples of IaaS are Amazon Web Services and Microsoft Azure.

Service Model Comparison

A simple local-computing analogy for these three kinds of services would be the purchase of a desktop computer, which serves as infrastructure on which the user installs a chosen operating system such as Windows or Linux and uses it as a platform to create custom applications and run whatever software is needed. By providing these infrastructure, platform, and software services remotely, a cloud provider frees its customers from having to provide local infrastructure and support. In the case of IaaS, the user need not have a local workstation, using instead a thin client with minimal need for computing power.

Federal Agency Cloud Adoption16

Planning for cloud adoption by federal agencies began with the 2010 publication by the Federal Chief Information Officer (CIO) of "A 25-Point Implementation Plan to Reform Federal IT Management."17 The reforms put forth in the plan were focused on eliminating barriers that were impeding effective management of IT programs throughout the federal government. In the plan, the Federal CIO recognized that too many past federal IT projects had run over budget, fallen behind schedule, or failed to deliver promised functionality. The plan stated that the federal government would shift to a "Cloud First" strategy, which it stated would be more economical, faster, and more flexible.

Increased cloud adoption is also a stated goal of the Federal Information Technology Acquisition Reform Act (FITARA), enacted on December 19, 2014.18 Among other provisions, FITARA required the Federal CIO, in conjunction with federal agencies, to refocus the Federal Data Center Consolidation Initiative (FDCCI) to include adoption of cloud services.19 The FDCCI was superseded by the Data Center Optimization Initiative (DCOI) in August 2016.20

In the 2017 "Report to the President on Federal IT Modernization,"21 the Office of Management and Budget (OMB) pledged to update the federal government's legacy Federal Cloud Computing Strategy ("Cloud First"). Fulfilling this requirement, the Administration developed a new strategy, Cloud Smart, published as a draft on September 24, 2018.

The DCOI was updated in June 2019.22 Among other requirements, the updated DCOI placed a freeze on funds or resources to build new agency-owned data centers or significantly expand existing agency-owned data centers without approval from OMB. It also requires agencies to evaluate options for the consolidation and closure of existing data centers, in alignment with the Cloud Smart Strategy.

The Cloud Smart Strategy

On June 24, 2019, the Federal CIO issued the Cloud Smart Strategy23 to provide agencies with practical implementation guidance to achieve the potential of cloud-based technologies. The new strategy is founded on three pillars:

  • Security: Modernize security policies to focus on risk-based decisionmaking, automation, and moving protections closer to data.
  • Procurement: Improve the ability of agencies to purchase cloud solutions through repeatable practices and sharing knowledge.
  • Workforce: Upskill, retrain, and recruit key talent for cybersecurity, acquisition, and cloud engineering.

Across these areas, the strategy identifies 22 "action items" to be completed not later than December 2020. As of November 2019, over half had been completed. (See Table 1 and Table 2.)24

Table 1. Completed Cloud Smart Actions

The Chief Information Officer (CIO) Council, Office of Management and Budget (OMB), and General Services Administration (GSA) will work together to consolidate information into a central location to share guidance and best practices on cloud topics. (Action 1)a

The CIO Council will work with OMB, GSA, and agency and industry experts to develop methods to optimize agency use of cloud services. (Action 2)b

OMB will release updated policy on infrastructure optimization, in alignment with Cloud Smart. This will update the Data Center Optimization Initiative established in M-16-19. (Action 3)c

OMB will publish an updated Identity, Credential, and Access Management Policy. (Action 5)d

OMB will work with GSA to expedite the authorization of low risk Software-as-a-Service offerings through the effective implementation of Federal Risk and Authorization Management Program Tailored. (Action 7)e

OMB, in coordination with GSA, will develop a Strategic Plan to evolve the Authorization to Operate process. (Action 8)f

OMB will work with GSA and the CIO Council to create a first-of-its kind view of agency requirements across the federal security enterprise. (Action 9, Ongoing)f

The Information Technology Category Manager (ITCM) and Cloud Solutions Category Team (CSCT) will work with OMB to contribute to the portal in Action 1. (Action 10)a

The GSA CSCT will implement supplier-relationship management through active engagement with industry partners. (Action 11)g

The government-wide ITCM at GSA will establish a government-wide CSCT. (Action 12)g

OMB will provide direction to agencies to improve the security and visibility for systems and data managed in the cloud. (Action 15)h

Each agency CIO and Chief Human Capital Officer (CHCO) must identify two position or skill segment priorities and incorporate them into to the agency's Human Capital Operating Plan. (Action 17)i

OMB, supported by OPM, will consider positions affected by cloud migration as part of the strategic workforce planning efforts laid out in the President's Management Agenda. (Action 18)j

The CIO Council and the CHC Council will jointly develop and execute on strategies and initiatives that expand the use of career fairs, national hiring events, etc. (Action 20)k

Source: Cloud Smart Initiative, Office of the U.S. Chief Information Officer, June 24, 2019, https://cloud.cio.gov/strategy/.

a. https://hallways.cap.gsa.gov/app/#/gateway/cloud-information-center.

b. https://www.cio.gov/assets/files/Application-Rationalization-Playbook.pdf.

c. https://www.whitehouse.gov/wp-content/uploads/2019/06/M-19-19-Data-Centers.pdf.

d. https://www.whitehouse.gov/wp-content/uploads/2019/05/M-19-17.pdf.

e. https://tailored.fedramp.gov/.

f. The CIO Council has created an Authorization to Operate Working Group to further improve the process.

g. https://gsa.gov/cloud.

h. https://www.whitehouse.gov/wp-content/uploads/2018/12/M-19-03.pdf.

i. Refer to each agency's Human Capital Operating Plan for specific implementation details.

j. https://www.challenge.gov/challenge/gear-center-challenge/.

k. https://www.cio.gov/reskilling.

Table 2. Uncompleted Cloud Smart Actions

The Office of Management and Budget (OMB) will work with General Services Administration (GSA), Chief Information Officer (CIO) Council, and Department of Homeland Security to update the Trusted Internet Connection Policy to ensure program objectives can be achieved. (Action 4)

OMB will release updated guidance that focuses on accelerating the implementation of the Continuous Diagnostics and Mitigation program across the Government. (Action 6)

The Cloud Solutions Category Team will evaluate and recommend government-wide contract vehicles for cloud services based on a thorough evaluation of each contract. (Action 13)

OMB and GSA will create or leverage existing, cross-government working groups to identify agency Service Level Agreements not addressed by existing commercial industry offerings specific to unique government requirements. (Action 14)

The Office of Personnel Management (OPM), with support from the OMB and the Department of Homeland Security, will identify critical skill gaps across the federal enterprise. (Action 16)

OMB, in coordination with the Federal Acquisition Institute, will continue to conduct its biennial acquisition workforce competency survey to identify skill and talent gaps within the acquisition workforce. (Action 19)

OMB, in collaboration with OPM, will work with agencies that have managed successful migration efforts to collect a set of best practices and strategies for effective employee communication, engagement, and transition. (Action 21)

OMB, CIO Council, and Chief Human Capital Officers Council, will develop a market-informed pay and compensation strategy. (Action 22)

Source: Cloud Smart Initiative, Office of the U.S. Chief Information Officer, June 24, 2019, https://cloud.cio.gov/strategy/.

2019 GAO Report

In April 2019, the Government Accountability Office (GAO) published a report examining the status of cloud adoption at 16 agencies.25 GAO found that 10 of the agencies reported increasing their use of cloud services from FY2016 through FY2019. All 16 agencies had made progress in implementing cloud services, meaning they had established assessment guidance, performed assessments, and implemented services, but the extent of their progress varied. For example, not all had followed OMB guidance that directs agencies to review all IT investments for compatibility with cloud services. GAO also found that

  • 16 agencies reported an increase in their cloud service spending since 2015.
  • 13 of the 16 agencies saved a total of $291 million to date from using cloud services.
  • 15 of the 16 agencies identified significant benefits from acquiring cloud services, including improved customer service and the acquisition of more cost-effective options for managing IT services.
  • 15 of the 16 agencies identified nine cloud investments that enhanced the availability of weather-related information; facilitated collaboration and information sharing among federal, state, and local agencies related to homeland security; and provided benefits information to veterans.

In collecting the information requested by GAO, agency CIOs identified the following challenges:

  • Spending data were not consistently tracked.
  • Different methods were used to calculate cloud spending costs.
  • Interpreting changes in OMB and related guidance created confusion regarding what spending data should be tracked.

As a result of these challenges, GAO concluded that agency-reported cloud spending and savings figures were likely underreported.

GAO made one recommendation to OMB on cloud savings reporting, and 34 recommendations to the 16 agencies on cloud assessments and savings. To OMB, GAO recommended that agencies be required to explicitly report, at least on a quarterly basis, the savings and cost avoidance associated with cloud computing investments. The 34 recommendations to the agencies included directing CIOs to

  • establish guidance to assess new and existing IT investments for suitability for cloud computing services;
  • complete an assessment of existing IT investments for suitability for migration to a cloud computing service; and
  • establish a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services.

Congressional Activity: 116th Congress

Congress has conducted ongoing oversight of IT acquisitions, including cloud computing activity, for many years. This section summarizes cloud-related legislation and hearings in the 116th Congress.

Legislation

The Federal Risk and Authorization Management Program (FedRAMP)26 Authorization Act (H.R. 3941),27 introduced on July 24, 2019, by Representative Gerald Connolly, would establish a risk management, authorization, and continuous monitoring process to "leverage cloud computing services using a risk-based approach consistent with the Federal Information Security Modernization Act of 2014."28

Hearings

On July 17, 2019, the House Committee on Oversight and Reform Subcommittee on Government Operations held a hearing titled "To the Cloud! The Cloudy Role of FedRAMP in IT Modernization."29 The purpose of this hearing was to examine the extent to which FedRAMP has reduced duplicative efforts, inconsistencies, and cost inefficiencies associated with the cloud security authorization process.

On October 18, 2019, the Committee on Financial Services Task Force on Artificial Intelligence (AI) held a hearing, "AI and the Evolution of Cloud Computing: Evaluating How Financial Data Is Stored, Protected, and Maintained by Cloud Providers." Among other topics, the hearing explored how AI could be used to improve cloud management functions.

FITARA Scorecard

Since November 2015, a year after FITARA became law, the House Committee on Oversight and Reform has held two FITARA oversight hearings per year. These hearings provide a "scorecard" on various aspects of FITARA implementation, including data center optimization, which is an indication of the extent of agency adoption of cloud computing. Thus far in the 116th Congress, these hearings were held on June 26, 2019,30 and December 11, 2019.31

Options for Congress

As Congress monitors the progress of federal departments and agencies in implementing cloud computing, its options for ongoing oversight include holding hearings; requesting review of an agency's status by either the agency itself or the GAO; and assessing the agency's progress and projected goals against the stated goals of the Cloud Smart Strategy.

Hearings

Committees might choose to focus hearings on OMB, which oversees the management of the Cloud Smart Strategy at the agency level. This role makes OMB the central point of information regarding the status of agency planning and implementation. If OMB management practices for cloud computing are lacking, the impact could potentially affect the performance of all agencies. Consistent congressional review of OMB's management practices with respect to the Cloud Smart Strategy could help to detect and correct problems in a timely manner.

Alternatively, or in addition, committees might choose to hold hearings to receive status reports directly from the CIOs of particular agencies under their jurisdictions.

Review of Agency Cloud Computing Plans and Implementation Assessments

As plans to migrate to cloud services within the federal government are created and implemented, policymakers may choose to monitor how agencies are following federal directives and responding to GAO assessments. Such monitoring could be achieved through assessments conducted internally by a department or agency itself, externally by GAO, or directly by a committee of jurisdiction. A model for internal assessments and reporting could be based on progress made on the uncompleted items of the Cloud Smart Strategy.

Review of External Status Reports

GAO conducts status reports on cloud adoption across the federal agencies, such as the April 2019 report discussed above, but it has not issued separate reports focused on the status of individual departments or agencies.

When examining shortcomings in individual agencies' implementation of the Cloud Smart Strategy, as identified by GAO, Congress might consider requesting follow-up reviews focused on particular challenges.

Author Contact Information

Patricia Moloney Figliola, Specialist in Internet and Telecommunications Policy ([email address scrubbed], [phone number scrubbed])

Footnotes

1.

Government Accountability Office, "Cloud Computing: Agencies Have Increased Usage and Realized Benefits, but Cost and Savings Data Need to Be Better Tracked," April 2019, https://www.gao.gov/products/GAO-19-58. Hereinafter, "Cloud Computing: Agencies Have Increased Usage and Realized Benefits, but Cost and Savings Data Need to Be Better Tracked."

2.

IBM, "Benefits of Cloud Computing," undated, https://www.ibm.com/cloud/learn/benefits-of-cloud-computing.

3.

"Federal Cloud Readiness Report," FedScoop, January 2019, https://www.fedscoop.com/download-research-study-federal-cloud-readiness-report/.

4.

For a discussion of utility and other models of providing computing services, see M. A Rappa, "The Utility Business Model and the Future of Computing Services," IBM Systems Journal 43, no. 1 (2004): 32–42,

http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=5386779.

5.

National Institute of Standards and Technology, The NIST Definition of Cloud Computing, NIST Special Publication 800-145, September 2011, http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf.

6.

The NIST Definition of Cloud Computing.

7.

The NIST Definition of Cloud Computing.

8.

Cloud Computing: Agencies Have Increased Usage and Realized Benefits, but Cost and Savings Data Need to Be Better Tracked. See specifically, Appendix V, "Description of Cloud Computing Investments Provided by Selected Agencies for Fiscal Year 2018." The 16 agencies were the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Justice, Labor, State, Treasury, Transportation, and Veterans Affairs, the General Services Administration, the Small Business Administration, and the Social Security Administration.

9.

Examples include Dropbox (https://www.dropbox.com), Microsoft OneDrive (https://onedrive.live.com), Apple iCloud (https://www.apple.com/icloud), and Google Drive (https://drive.google.com).

10.

Examples include Hulu (https://www.hulu.com), Netflix (https://www.netflix.com), and YouTube (https://www.youtube.com), which provide video streaming; and music-streaming service Spotify (https://www.spotify.com).

11.

The NIST Definition of Cloud Computing. The generic term for cloud service models is XaaS. While the three described in this section are widely recognized as useful, they are not definitive. There may be other kinds of services, and the differences between models may not always be clear. Sometimes additional services are distinguished, such as data storage (DaaS) or communications (CaaS); or a particular service may have elements of two models, such as both SaaS and IaaS.

12.

While other ways of characterizing cloud services have been discussed (see, for example, Sam Johnston, "Taxonomy: The 6 Layer Cloud Computing Stack," Sam Johnston, September 18, 2008, http://samj.net/2008/09/taxonomy-6-layer-cloud-computing-stack.html), the three models described by NIST are in widespread use.

13.

SaaS is sometimes called Applications as a Service.

14.

A thin client is hardware or software that depends on the computer power of a server to which it is connected to perform computing tasks, rather than performing those tasks itself. It can therefore have less computing power—in other words, be "thinner"—than a client that performs those tasks itself. It is somewhat analogous to the "dumb terminal" once used to communicate with a remote mainframe computer, where the computing hardware and software resided. An example of a modern hardware thin client is a mobile device such as a tablet computer or smartphone. An example of a software thin client is a web browser used as an interface for a cloud application. Examples of "fat" clients are desktop computers and local application programs such as word processors.

15.

"Demystifying SaaS, PaaS, and IaaS," Skytap, November 28, 2017, https://www.skytap.com/blog/demystifying-saas-paas-and-iaas/.

16.

One of the most notable recent federal cloud contracts has been for the Department of Defense (DOD) Joint Enterprise Defense Infrastructure (JEDI). JEDI is intended to be a DOD-wide system capable of supporting Unclassified, Secret, and Top Secret requirements. It has also proven to be quite controversial. Additional information about JEDI can be found in CRS Report R45847, The Department of Defense's JEDI Cloud Program, by Heidi M. Peters, CRS In Focus IF11264, DOD's Cloud Strategy and the JEDI Cloud Procurement, by Heidi M. Peters, and CRS Insight IN11203, Amazon Protest of the Department of Defense's JEDI Cloud Contract Award to Microsoft, by Heidi M. Peters.

17.

Vivek Kundra, U.S. Chief Information Officer, A 25-Point Implementation Plan to Reform Federal IT Management, December 9, 2010, https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/egov_docs/25-point-implementation-plan-to-reform-federal-it.pdf. ("25-Point Plan").

18.

Title VIII, Subtitle D of the National Defense Authorization Act (NDAA) for Fiscal Year 2015, P.L. 113-291.

19.

For additional information about FITARA, see CRS Report R44462, The Federal Information Technology Acquisition Reform Act (FITARA): Frequently Asked Questions, by Patricia Moloney Figliola.

20.

Memorandum For Heads Of Executive Departments And Agencies: Data Center Optimization Initiative (M-16-19), Office of the U.S. Chief Information Officer, August 1, 2016, https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2016/m_16_19_1.pdf.

21.

Report to the President on Federal IT Modernization, Office of Management and Budget, December 13, 2017, https://itmodernization.cio.gov/assets/report/Report%20to%20the%20President%20on%20IT%20Modernization%20-%20Final.pdf ("Federal IT Modernization Report").

22.

Memorandum for Heads of Executive Departments and Agencies: Update to Data Center Optimization Initiative, (M-19-19), Office of the U.S. Chief Information Officer, June 25, 2019, https://www.whitehouse.gov/wp-content/uploads/2019/06/M-19-19-Data-Centers.pdf.

23.

https://cloud.cio.gov/strategy/.

24.

https://cloud.cio.gov/strategy/actions/.

25.

Cloud Computing: Agencies Have Increased Usage and Realized Benefits, but Cost and Savings Data Need to Be Better Tracked.

26.

FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

27.

https://www.congress.gov/bill/116th-congress/house-bill/3941/.

28.

The Federal Information Security Management Act (FISMA) defines a comprehensive framework to protect government information, operations, and assets against natural or manmade threats. It was enacted as Title III of the E-Government Act of 2002 (P.L. 107-347).

29.

https://oversight.house.gov/legislation/hearings/to-the-cloud-the-cloudy-role-of-fedramp-in-it-modernization.

30.

https://oversight.house.gov/legislation/hearings/fitara-80.

31.

https://oversight.house.gov/legislation/hearings/fitara-90.