What Air Force Wants in a Cloud Broker
January 28, 2014
by Stephanie Meloni, Senior Analyst
Speaking at an AFCEA event, held January 17, Dr. Tim Rudolph, U.S. Air Force Senior Leader for Integrated Information Capabilities, stressed that the Air Force is moving to the cloud too slowly. He admitted that the organization is behind on implementation and that a cultural change is needed. Along with the Navy and Marine Corps, the Air Force appears reluctant to adopt the Defense Information Systems Agency (DISA) as its cloud broker. At a separate AFCEA event, held January 21, DISA program managers were in agreement that cultural change is needed when vetting solutions across DOD agencies with “140+ engineers in a room,” each one wanting their own perfect solution.
Dr. Rudolph discussed the challenges and policies surrounding cloud adoption. He stated that the Air Force is still operating under a consolidated data center model. The Air Force needs to stop investing in “future legacy” data centers, and focus on implementation rather than consolidation.
Regarding security issues, Dr. Rudolph spoke of taking on reasonable risk and defensible controls where appropriate. FedRAMP (Federal Risk and Authorization Management Program) provides a government-wide standard approach to security assessment where cloud products are concerned. He said that these security standards may not always be needed – that the “ramp” may be a bit too high and is not providing value in every case. Accepting risk as part of the cloud brokerage process, he said, can be worth it if it speeds up the cycle time and gives the warfighter the capabilities they require. DISA complained that the current pool of FedRAMP-approved cloud vendors is too small and more cooperation from industry is needed to comply with FedRAMP. To show its commitment, DISA will be putting its own internally-developed cloud through the FedRAMP certification process.
The Air Force is looking for honest cloud brokerage – they want a trust model with industry partners. They are looking for innovation through collaboration, and are hoping to leverage the cloud marketplace for real savings. Dr. Rudolph stated that “for robust capability, commercial is the only way to go.” The Air Force needs to balance commodities with budget. Commercial cloud providers can convey value to the DOD by demonstrating how their solutions, tooling, and applications can navigate policies to help them get to the cloud quickly, securely, and with their mission in mind. DISA argues that commercial cloud adoption depends to an extent on the sensitivity of the data. They mentioned three options for DISA to use cloud: (1) private cloud, (2) commercial/private, (3) hybrid model where the commercial cloud is hosted within DISA’s environment. Whichever path it takes should consider all the different levels of security sensitivity and mission requirements.
Adoption of cloud-based solutions requires that the adopters take a risk, as every sale of a product does. In the current economic and political climate, taking almost any risk is seen as very dangerous. And, if the buy-in must be very large, the technological and business risks become much too high. Some cloud solutions invite you to turn over all the keys to the kingdom without a way to march back to safety. Adopters must be confident that they can not only try cloud solutions, but that they can also change course, back out, and maintain staff capable of dealing with onboarding, offboarding, and production tasks (whether within or outside the cloud).
In short, adopters must be allowed to experiment with hosted, hybrid, and “other government player provided” solutions. Outsourcing to another agency or even having another group within an agency handle cloud duties means you are giving up power, money, and control to that organization. Shifting budget dollars outside your own organization isn’t popular. There needs to be some way to gain recognition, promotions, etcetera with any move that decreases the amount of budget dollars going to head count within an organization. The cloud sounds nice, but not if it endangers your ongoing staffing and budget.
Adopters must be able to make mistakes and be encouraged and supported by management to take risks without fear that the world will end, because in any new endeavor, there will always be problems: some of them minor, but possibly some massive ones. If they save money or are able to decrease head count or produce some other improvement, then there needs to be recognition and not “punitive” removal of staff and dollars.
I am not a fan of the word “cloud.” To network engineers, it was just the area between networks controlled by someone else. It was something outside your direct control. It was like the edge of the Earth to old-time mariners where there are clouds and the words “here be monsters.” Not all the monsters are in bad guys and technology. Some of them might be in your fleet or the guys telling you to sail into the clouds.