Accelerating Federal Cloud Adoption for Modernization and Security
Cloud computing services are integral to modern businesses, and the case for accelerating federal adoption of cloud computing should be self-evident. But the government’s digital transformation, and with it cloud migration, has been slower than it should be. This increases both cost and risk. Some agencies still use legacy computing technologies that are decades old, and a few are even reducing their use of cloud computing and services (according to a 2023 survey). Accelerating federal use of cloud computing would better serve the nation, but achieving this raises concerns over changing federal funding, culture, and modernization strategy.
A majority of companies, ranging from start-ups to large enterprises, use cloud computing and are migrating to the cloud. Using cloud computing can provide more security, greater efficiencies, and lower costs. Greater use of cloud services can help the federal government improve the delivery of services to citizens and the security of its networks. It’s worth noting that unlike many policy problems, greater use of cloud services need not require new funding or new legislation if existing spending can be reallocated to cloud services. A Federal cloud computing strategy has three elements:
- Modernization: Increase the use of cloud computing to modernize Federal IT and move away from legacy systems, some of which are decades old. This will increase security and lower costs, with enough savings to pay for much of what is required for modernization.
- Funding: Funding rules should be streamlined to eliminate duplication and make it easier to acquire cloud services. Federal contracting and acquisitions processes should be streamlined to avoid duplicative reviews and create standard contract vehicles—streamlining was the intent of the Federal Risk and Authorization Management Program (FedRAMP), but more can be done to make it easier to do business with agencies and easier for agencies to buy “off-the shelf” cloud solutions.
- Cybersecurity: Federal rules disincentivize cybersecurity. This must be changed. Greater use of cloud computing increases resiliency and frees smaller agencies from many cybersecurity burdens. Federal contracting and acquisitions authorities should require agencies to buy only secure cloud computing infrastructures; this would help drive the private cloud market as well.
One barrier to cloud adoption is that the federal government does not have the same incentives created by business competition that drive the private sector to modernize and improve. Federal decisionmaking requires more oversight, has less flexibility, and is by design more deliberate. This means that migration to cloud computing for government agencies will take a different (and sometimes longer) path; that said, greater use of cloud computing by federal agencies is still the path that the United States should take.
Clouds can be public, private, or some blend of both. The size of the agency, the sensitivity of data, and the cost will help determine which kind of cloud to use, but the trend should be toward a greater reliance on the cloud. Cloud is not a panacea, since maximizing the benefits requires well-designed data policies and service agreements; however, there is a reason that all major companies have moved to increased cloud use, and agencies should do the same. Poorly designed contracts and weak cybersecurity practices can diminish the benefits of cloud services, but these are all avoidable problems. This paper looks at how to accelerate adoption of cloud services in the U.S. government given the benefits to citizen services, modernization and efficiency, and security because of the resilience, flexibility, and range of services that cloud services provide. To modernize services and improve security, policies must address several barriers to greater government use of cloud computing and services.
Legacy Systems: Too many government agencies rely on legacy systems and software that are not compatible with cloud services. Some federal computers are decades old. Older systems are more expensive to maintain and easier to hack. Reasonable fears of service disruption or data loss in any transition from legacy systems can also slow cloud adoption. The Office of Management and Budget (OMB) is tasked in the National Cybersecurity Strategy with developing a plan to remove legacy systems incapable of implementing its zero-trust architecture strategy within a decade.
Funding and Appropriations: The U.S. government spent over $100 billion in fiscal year 2022 on information technology (IT), and even though $12 billion went to cloud services, a significant portion (more than half) went to the maintenance of legacy systems that are more vulnerable to hacking and whose upkeep is costly. The Government Accountability Office looked at the age of key legacy systems and found they ranged from 8 to 51 years old. Congress has appropriated significant sums to fund agencies’ annual IT budgets over the years; much of it has been dedicated to the operations and maintenance of legacy infrastructure, leaving fewer resources to fund more capable and secure systems that cost less. Moving from these legacy systems would be a complex undertaking, but many large companies have done it; further, it would save money, increase security, and improve the delivery of services. Transitioning to greater cloud use will be challenging and require the reprioritization of spending on IT.
Agencies can find it difficult to secure funding for IT modernization programs, while it is by comparison relatively easy to maintain funding for existing systems. Congress attempted to help remedy this in 2017 when it created the Technology Modernization Fund (TMF), and the TMF was given a massive injection of funds from the American Rescue Plan of 2021. Although some TMF projects support cloud adoption, the program has mostly been used for piecemeal modernization efforts and network upgrades rather than cloud migration. One benefit of a transition to greater cloud use is that it can create substantial efficiencies and savings that can then be used to support modernization. The TMF requires full repayment, however, creating a barrier to proposal submission.
Regulation: Agencies must comply with multiple regulations and laws on cloud use, such as FedRAMP, which sets standards for cloud security, or the Federal Information Security Management Act (FISMA). The intent of the act is to enhance cybersecurity, but the unintended result can be to create compliance burdens. Regulation is necessary for privacy, security, and fair competition to ensure that data is protected and that contracts are awarded fairly, but overly burdensome regulations can harm innovation and competition. Meeting these compliance requirements can be expensive and time-consuming. FedRAMP has already been written into law, but expanding approval reciprocity and streamlining FedRAMP and other internal regulations should be part of any modernization effort.
Legislation for Cloud Adoption
The Federal Information Technology Acquisition Reform Act directed agencies to modernize infrastructure and IT and gave more power to agency chief information officers (CIOs).
FISMA provided authorities to oversee federal government cybersecurity.
The Modernizing Government Technology Act created the TMF and provided agencies with funding for investments in cloud services.
The FedRAMP Authorization Act authorized and expanded the FedRAMP program.
Privacy and Data Protection: In all IT systems, ensuring data protection from unauthorized access, breaches, and espionage is a challenge. The inaccurate perception that cloud use compromises privacy or data can slow or block migration.
Data Ownership: When data is stored in the cloud, it is essential to recognize who owns and controls the data and to spell this out in contracts or service agreements. In most cases, the data owner retains ownership, but the cloud service provider may have certain rights and access to the data as outlined in the service agreement. Although cloud services are more secure, no system is entirely immune to data breaches. In the event of a breach, agencies will need to understand how the provider manages such incidents, including notifications, mitigation measures, and liability.
“Lock-In” and Bundling: Agencies also fear vendor “lock-in” that impedes transferring data and services between cloud providers and limits the government's ability to move data, switch providers, or negotiate favorable terms. This is also the subject of a Federal Trade Commission inquiry that, though unlikely to have much immediate effect, does highlight the issue. These fears can often be overstated, but the solution does still require careful planning and contract drafting to ensure the portability of data and applications.
Agency Culture: Making use of the cloud, or even being willing to adopt it, requires thinking differently about IT services and data than was the case for the traditional on-premise solutions. Some of this reflects an understandable aversion to risk, particularly the risk that moving to new systems could disrupt critical services. It can also reflect a lack of familiarity with cloud technology and best practices. The result is an impediment to change.
Recommendations to Expand Federal Cloud Use
Addressing these obstacles requires a comprehensive federal approach directed and led by the White House, based on collaboration between the presidential administration, government agencies, and cloud service providers. This partnership can develop a strong security framework; streamline compliance processes; and address concerns related to data, privacy, and interoperability. This paper offers the following recommendations:
- The U.S. government should develop and implement a comprehensive strategy for the transition to secure cloud services and infrastructures in federal agencies. The strategy should include a roadmap outlining specific steps to complete by the end of the decade for implementation, modernization, and the replacement of legacy systems with secure cloud services across the federal government. It should also include a sunset provision with milestones for legacy systems to be retired over the next seven years. The strategy should include tasks for the Office of the National Cyber Director (ONCD) and the National Institute of Standards and Technology (NIST) to develop cloud cybersecurity requirements that can become mandatory elements of federal cloud contracts.
- The strategy should take an open-data approach that creates the conditions for sharing data and services across agencies. The Department of Treasury’s shared services program, which provides common administrative services to both internal and external federal customers, is a strong example of how cloud-based shared services can lower costs and improve performance. The strategy should recognize that cloud use will be a blend of public cloud, private cloud, and on-premise systems, based on agency assessments on the sensitivity of data. The presumption should be that agencies will move to the cloud within time frames fixed by the roadmap; further, as part of the annual budget approval process, the OMB should require agencies to provide a clear rationale for any delay or decision not to move to the cloud. Greater cloud use offers the opportunity to use shared services and consolidate administrative functions, such as human resources, financial management, and procurement. Centralizing services provides lower expenditures and improves operational efficiency.
- Budgeting and acquisitions will play a central role in implementing a cloud strategy. The administration needs to work with Congress to develop and authorize flexible funding processes, including multiyear funding and new reprogramming authorities. In particular, legislation should modify the requirements of the Antideficiency Act for agencies to obligate funds in advance. The United States should adopt performance-based contracting that lets agencies—with congressional approval—reallocate funds to support cloud adoption as legacy systems are retired. Cloud acquisition contracts or service-level agreements must include mandatory cybersecurity requirements for observability, DevSecOps (the process of integrating security testing into the software development process), and application security. To help overcome cultural obstacles and reluctance to cloud adoption, federal training for acquisitions officials and IT executives should be expanded to include guidance on the role of technology in government services and to build familiarity with cloud services.
- For developing the strategy, the administration should put the OMB in charge, in consultation with the ONCD and the Cybersecurity and Infrastructure Security Agency (CISA), and supported by standards work at the NIST. The use of CISA authorities provided by the Homeland Security Act can provide for full and timely private-sector participation. Some of the elements of the strategy will come from agency-specific migration plans provided by agency CIOs and “business” owners. This process can become the foundation for a cloud management group to oversee implementation, perhaps by expanding the role of the newly formed Secure Cloud Advisory Committee.
- The strategy must streamline FedRAMP and other potential regulations and provide additional resources for expanded staffing to increase the speed of review. These policy changes are needed to continue ensuring the reciprocity of approvals under FedRAMP so that the same service does not need to be reviewed multiple times. This includes amending the processes of FedRAMP’s Joint Authorization Board (JAB) to provide an assumption of approval that allows companies to move ahead after the JAB process has reached six months, whether it is concluded or not.
To reduce the risk of disruption from a transition to the cloud, the OMB should ensure that agencies take an iterative approach to cloud deployment using rapid prototyping to test solutions before deploying them at scale. Cloud transition does not mean flipping a switch. This iterative approach should be tied to budget milestones that monitor the transition to cloud computing in agency spending. One step would be to update the 2016 General Services Administration publications on best business practices for U.S. government cloud adoption and procurement.
The ONCD, CISA, and the NIST should identify cybersecurity requirements for federal cloud use, building on the National Cybersecurity Strategy. In turn, the OMB can use these requirements for mandatory inclusion in federal cloud contracting. The requirements should include termination clauses in cloud contracts based on service provider performance. This would fix one frequently heard complaint that cloud contracts sometimes do not include security requirements even when these are available from the cloud service provider (CSP) at a higher cost. Federal agencies can often choose lower-cost options, but they are usually less secure. Making security requirements a mandatory part of contracts could help remedy this. Agencies will need to use the security measures from their CSP and also implement their own security controls. A high-profile July 2023 cloud breach exposed sensitive data, caused widespread concern over cybersecurity, and led to the offer of security tools such as cloud logging; managed services that monitor and alert should be required in every federal contract.
The recently released National Cybersecurity Strategy highlighted the importance of modernization and expanded use of cloud-based services for better security and resilience. What the authors of the National Cybersecurity Strategy envision is that security will become an essential element in the federal acquisition of cloud services, making security a requirement for contracts the same way that seat belts and airbags are mandatory for cars and not something a buyer has to negotiate. These security measures can include requirements for the use of encryption, firewalls, and access controls, as well as spelling out requirements for continuity of service. Mandatory cloud security requirements will raise immediate costs somewhat but pay for themselves over the long term. Cloud infrastructure and platform services can make data more secure and networks less vulnerable to cyberattacks.
- One advantage of increased cloud use is that it can outsource the federal IT workforce. The federal government can often find it difficult to recruit and retain IT and cybersecurity professionals, as it is competing with better-paying private companies for IT and cybersecurity talent. A reliance on the cloud reduces and reshapes the hiring requirements for the federal workforce in ways that make the shortfall problem easier to manage. Federal workforce plans should be adjusted to take into account the benefits of more cloud computing.
- The U.S. government should continue to make cloud adoption a bigger part of the larger federal effort to streamline data center use. There are still several thousand government data centers—a smaller number than 10 years ago, but there is still underused capacity and associated expenses (like electricity). Agencies recognize the benefits of consolidating and optimizing data center infrastructures to eliminate redundancy and improve operational efficiency. By consolidating data centers, agencies can also take advantage of shared services. A federal cloud strategy should include accelerating data center consolidation and the use of commercial CSPs (with appropriate attention to security and data transportability among providers). The success of the cloud-first policy at the National Oceanic and Atmospheric Administration, which has allowed it to deal with unpredictable surges in demand for information on storms and weather events, shows the benefit of moving to the cloud.
- Changing federal acquisitions and IT culture to make it more supportive of cloud use requires that agencies follow direction from the White House and establish education and training for acquisitions officials and executives to expand familiarity with how the cloud works and what it requires. Some of this cultural change will occur naturally as more “digital natives,” who are accustomed to using cloud-based services, enter federal service, but training and education can accelerate this transition and make expanded adoption of cloud services easier for government agencies.
Previous administrations have wrestled with these problems but in a different technological and international security environment. Some efforts, like the Obama-era United States Digital Service, proved to be largely symbolic. Others, like the Cloud Smart program (which replaced Cloud First), were substantively strong but lacked the White House oversight needed to drive progress. This administration has an opportunity to build on these previous efforts, along with its National Cybersecurity Strategy, to accelerate IT modernization and improve services and security. The metrics for success will be funding levels and comparative use. The first involves spending less on legacy systems. Modernization requires that the United States stop funding legacy systems and transition to greater reliance on cloud services and infrastructure use. This transition will take a period of years but is essential.
The second metric involves comparing government cloud use to the cloud use rates of large enterprises in the private sector. Agencies lag behind companies, in part because of the reliance on legacy systems. Success will be reached if, at the end of the day, the administration is spending less on legacy IT and more on the cloud. And if agencies make greater use of cloud services and start looking more like twenty-first-century private enterprises, it would be clear there has been improvement.
Move Faster or Fall Further Behind
Federal IT modernization efforts use technology to improve cybersecurity and the delivery of government services. Cloud plays a central role in these efforts. Faster cloud adoption is essential for modernization. No agency uses cars from the 1960s or even the 1990s; the same should apply to computing and data. The challenge here is that Congress can often be slow to approve funds for modernization. It created the TMF to remedy this, but its application has been limited. The issue here is ad hoc and small-scale implementation, rather than lack of funds—problems that can be addressed by developing a comprehensive cloud strategy.
The annual appropriations process means that cloud migration (and IT modernization efforts generally) will take several budget cycles. Uncertainty about the amounts and timing of IT appropriations also makes modernization more difficult to implement. Even with adequate funding, the pace of federal IT modernization would still be stymied by the current authorities and regulations governing federal IT procurement. Developing a cloud strategy in consultation with the relevant congressional committees can be a step toward remedying this. Federal agencies have complex structures and bureaucratic processes, which can create resistance to change. Embracing cloud computing requires a shift in agency culture, processes, and skill sets, since these have historically produced resistance and delays. This also points to the need for an expanded role for agency CIOs. The view is that, despite all these potential obstacles, the benefits of greater cloud use for security and citizen services will justify the effort.
It is worth noting that the Ukrainian government’s decision to move much of its critical data onto the cloud before the Russian invasion left it much better prepared to deal with the unprecedented series of cyberattacks it faced from Russia. Although a similar level of cyberattack against the United States is unlikely, it cannot be ruled out in an increasingly tense international environment. A hesitant migration to the cloud leaves the United States vulnerable. It is also worth noting that the current infatuation with artificial intelligence (AI) must take into account how greater use of AI (and robotics) will require greater cloud resources. Slow or patchy adoption will make it more difficult for agencies to make use of future technologies.
This paper does not detail the implementation of these recommendations, so a final suggestion is to create a federal cloud management group, chaired by the OMB, to oversee these efforts. There is a self-imposed federal deadline to fully adopt cloud by the end of the decade. Implementing the recommendations above, overseen by a new cloud management group, will allow the United States to meet this goal. Service, security, and cost can all be improved if government agencies accelerate their move to the cloud.
James A. Lewis is senior vice president, holds the Pritzker Chair, and is director of the Strategic Technologies Program at the Center for Strategic and International Studies (CSIS) in Washington, D.C.
The author would like to thank the commentators and participants in the CSIS cloud computing roundtables.
This report was funded jointly by Microsoft, IBM, Oracle, and AWS.