ORACLE 1015 15th Street NW phone +1.202.835.7360
Suite 250 oracle.com
Washington
District of Columbia 20005
October 24, 2018
Suzette Kent
Federal Chief Information Officer
Office of Management and Budget
Washington, DC
Dear Ms. Kent,
Oracle appreciates the opportunity to provide comments on the Administration’s draft Cloud
Smart strategy. With Cloud Smart, the Office of Management and Budget (OMB) is starting a
revolution in government services. Cloud Smart harnesses two key trends of the cloud computing
market - the ferocious competition within the market and the continuous transformation cloud
computing enables in Information Technology (IT) services. We believe the Cloud Smart
strategy captures both of these principles and we support it fully. Cloud Smart recognizes
that the migration to cloud services represents a once-in-a-generation opportunity to achieve
security, improve efficiency, and reduce costs.
A Cloud Company’s View of the Market
As a foundational principle, Oracle believes government should not sacrifice security and
performance while modernizing its IT systems with cloud technologies. This view is based both
on decades of partnering with U.S. government customers across all mission sets and our
experiences building the first enterprise-grade commercial cloud. In a dynamic and evolving
cloud marketplace, security is a key differentiator and underlying capability that powers next
generation cloud environments. Similarly, raw performance still matters, impacting both mission
success and the underlying cost to departments and agencies. Where there are extreme mission
demands for security and performance, there is no substitute for cloud technologies built with the
enterprise customer as the primary engineering design point.
Oracle sees a cloud computing market that is increasingly dynamic, innovative, and changing.
The cloud computing market has changed radically since it was first defined over a decade ago.
In the early years, the market was divided into three categories: Infrastructure-as-a-Service
(IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS). Over time, SaaS has
become increasingly differentiated, evolving into a number of niche applications to meet needs
ranging from email services to advanced financial applications. At the same time, IaaS has begun
to converge with PaaS into a few, hyper-scale Platform-and-Infrastructure-as-a-Service (PIaaS)
ecosystems. These PIaaS systems no longer compete on basic cloud features such as capacity,
scalability, and availability of services, which are increasingly commoditized. Instead, they have
begun differentiating by offering enhanced features for specialized purposes such as artificial
intelligence and machine learning, internet of things, security, and enterprise-grade deployment.
Here, it is critical to recognize that while cloud provides a whole new metaphor for deploying
and consuming technology, the underlying technology choices still matter. A platform that does
not meet the mission requirements as an on-premises deployment does not change simply
because it is deployed and consumed as a cloud service.
The government’s goal should be to harness this change and innovation, which will only
accelerate in coming years. The cloud computing market today looks little like the market of five
years ago, and the market five years from today will look even more different. Fully integrated
cloud suites will become increasingly common, as will services and approaches to bridge those
offerings. These suites will have unique, differentiated strengths that are integrated into hybrid-
and multi-cloud environments. SaaS will play an increasingly important role, as more customers
seek to move mission critical enterprise applications to cloud environments. The vital task for
government will be preparing to successfully use these innovations to improve services.
Key Principles in Cloud Modernization
OMB’s Cloud Smart is an excellent roadmap for the Federal government to capture all the value
of the emerging cloud market. Oracle has deep expertise with cloud solutions and assisting large
enterprises in their modernization journey. As the government embarks on this journey, we
particularly applaud several overarching themes in Cloud Smart:
Modernize with a Focus on Mission: Cloud Smart recognizes that cloud computing is
first and foremost about enabling the mission of the government. Modernization through
cloud begins with the goals the government seeks to achieve (security, performance, fit-
to-mission), rather than making modernization about cloud adoption as an end to itself.
Procuring cloud is like procuring any other capability — the government can only buy the
right system if it starts with the right requirements. This only happens when the
government begins by thinking about its mission and goals and, in many cases, takes on
the tough task of process re-engineering.
Bring Private Competition into the Public Sector: Cloud Smart acknowledges the
tremendous innovation, diversification, and change going on within the cloud computing
market — all under the rubric of competition. It embraces and prepares government to
leverage the full range of architectures and services enabled by this competition. This is
exactly how government should leverage the private sector. Encouraging and promoting
competition produces better outcomes for the taxpayer while inspiring the development
of better products for everyone.
Move from Periodic to Continuous Operations: Cloud Smart understands that cloud is a
continuous service that changes frequently and rapidly as vendors update and improve
their services. It disrupts the old paradigm of IT focused on large, periodic events,
whether that was the purchase of new hardware, the push of a new software version, or
the rollout of a new application. SaaS lets end users receive improved functionality, new
features, and the latest security updates transparently and in the background. PIaaS is
powerful because it lets IT users experiment with, iterate through, and deploy new
capabilities faster than ever. When combined with modern development methodologies
such as Agile and DevOps, which permit continual code updates, it can be revolutionary.
As a result, government must adapt its compliance, procurement, and IT management
systems to work continuously in order to fully benefit from this IT acceleration.
Modernize with a Focus on Mission
Cloud computing is ultimately about improving the government’s ability to execute on its
mission and deliver cost-effective, efficient services to the citizens. Based on its work with
enterprise-scale customers around the world, Oracle recommends the government extend its
current approach in Cloud Smart by incorporating the following considerations into its
modernization efforts:
Security in the cloud: Cloud Smart rightly acknowledges that security is a paramount,
cross-cutting policy priority that the U.S. government must get right. Workloads should
not just be ported to clouds that offer no or only notional improvements in security.
Instead, these workloads should be ported to environments that are engineered — both in
hardware and software — to offer cutting edge security features from the core to the edge,
all powered by artificial intelligence and machine learning. The same security-first
mindset should apply equally to new workloads. This type of next generation security is
imperative in our dynamic and increasingly dangerous threat environment, and it is the
only manner in which a truly defense-in-depth approach can be adopted to realize U.S.
government security objectives.
Performance matters for the mission and the bottom line: In the move to adopt cloud
technologies, some government customers have “modernized” with solutions whose
performance fell short of existing capability. Cloud architects often presume adding more
resources can solve any performance problem, but this is not always true. For many
workloads, there is a point of diminishing or even negative returns, all while the meter is
running for an ever-larger bill. Assuming scale will solve performance problems risks
saddling mission critical systems with cloud environments that cost more and deliver
inferior results.
Do not build from infrastructure up: Cloud computing is often seen as simply a
replacement for physical hardware, letting an enterprise move from owning its IT
infrastructure to renting it. However, this is far from the truth. Unlike traditional IT —
where a user must buy hardware before they can run software — cloud computing enables
customers to skip to the level of the stack that best meets their needs. PaaS contains
everything that is needed to build and deploy code, while SaaS works from the first login.
In neither case does government need to separately purchase or build up from IaaS as an
initial setup. Defaulting to an infrastructure-first mindset only increases cost and
complexity while hurting performance.
Buy the most integrated service possible: Cloud computing works because it permits
customers to buy a fully integrated stack of computing, saving on both the cost and labor
of buying, managing, maintaining, and securing its own systems. These benefits are
greatest when buying services from the “top of the stack” — i.e. SaaS. When SaaS
applications can meet mission needs, government will be able to rapidly transition at
lower cost and with improved security. Only when a thorough market survey has
determined that there are no SaaS applications that meet mission needs should
government resort to building custom applications on PIaaS. In some cases, this may
require the government to adapt its processes and regulations to conform more closely to
private sector best practices — but this will almost always produce long-term benefits for
the government.
Shift to a data-centric approach: Cloud computing virtualizes and abstracts away
many levels of IT systems for the customer. It works best when customers focus on
managing and securing their most important asset — their data — rather than their IT
systems. Procuring systems with features such as risk-based assessments of security,
defense-in-depth, default encryption, robust and highly segregated data access controls,
and use of open-standards are good starts to implementing a data-centric approach.
Incorporate artificial intelligence and machine learning: Cloud computing offers the
opportunity to integrate artificial intelligence and machine learning into system
management and security. Artificial intelligence and machine learning can be used for
threat detection and response, patching, configuration, and system management. Such
integration reduces human error and frees the workforce to focus on high-value tasks. It
permits government to mitigate workforce skill gaps, making it possible to tap into
advanced data processing frameworks while reducing the requirement for workers with
advanced degrees in data science. Finally, artificial intelligence and machine learning
offer the only viable way to process and take action on the vast amounts of data produced
by cloud-based tools in real time.
Maintain flexibility for evolving deployment models: Just as rapidly as cloud
technology is changing, so too are cloud deployment models evolving from commercial
cloud to enterprise cloud to public, private, and hybrid clouds. Each deployment model
has tradeoffs depending upon the end use mission, the sensitivity of the data involved, the
security profile, and the performance requirements.
Bring Private Competition into the Public Sector
The private sector currently has over a decade of experience working with cloud solutions. Like
government, many companies are in the early stages of integrating cloud offerings, but some
early adopters have started to realize the limitations of first generation cloud services. The
market therefore remains as complicated, fluid, and competitive as ever. Oracle encourages the
government to integrate the following high-level goals to take advantage of the continued
evolution of the cloud computing market:
Preserve choice: Cloud computing permits customers — including the government — ever
more flexibility in choice. In some cases, this choice can take the form of continuous
competition between cloud vendors by running the same workloads on multiple PIaaS
offerings. In others, it may mean considering the full range of on-premises, hybrid, and
cloud architectures as part of a proposal process. In all cases, government should be
conscious of preserving its choice and flexibility by avoiding long-term, single vendor
commitments whenever possible. In fact, if the alternative to one cloud option is to
remain on-premises, such commitments can even slow cloud adoption.
Enable portability: Government should preserve its ability to move workloads and data
between different computing environments whenever possible. In practice, portability
requires leveraging industry-wide standards. It also requires preserving the ability to
move workloads between on-premises, hybrid, and cloud computing environments,
which provide the government the ability to select architectures that best meet cost,
performance, compliance, and security requirements.
Consider the fully-loaded costs of software: The fundamental economics of IT systems
still apply in cloud environments, and sub-optimal decisions for cloud architecture can
result in increased costs for decreased performance. One reason why SaaS is cost
effective is the layers of technology required to support an enterprise application are fine-
tuned for the task at hand. Custom systems come with support requirements that can
easily make them more expensive — in both time and money — than comparable
commercial cloud services. Similarly, the costs of migration are an often overlooked
element of moving to a cloud environment that requires careful planning and preparation.
Look to and use multiple vendors: Pursuing a homogenous ecosystem through a single
vendor procurement deprives the government of the full variety of choice in cloud
computing. As reflected in the private sector, government IT systems will always remain
a mix of vendors and services. The rise of an entire class of services dedicated to
managing hybrid- and multi-cloud environments demonstrates that heterogeneity is not a
bug to be quashed but a feature to be embraced. The adoption of multi-vendor, multi-
architecture environments, which is recognized as an effective approach by the Cloud
Smart strategy, reflects this reality.
Move from Periodic to Continuous Operations
One of the most important features of cloud computing is its ability to make computing
continuous and dynamic. Vendors constantly update and improve their services without ever
requiring their users to install patches or buy new versions. Service can be constantly and rapidly
scaled up or down. In order for government to see the full benefits of cloud computing, it needs
to ensure its internal processes are adapted to similarly enable continuous change and innovation.
Oracle recommends government use the following targets to achieve this goal:
Foster simple, quick, and flexible access: Cloud computing is simple to start, rapid to
scale, and readily available to use. Unlike traditional IT systems, which require large
capital investments up front, cloud computing resources can be available at the click of a
button. Yet government procurement systems are still set up for large, one-time
acquisitions. Government must modernize its procurement system so that agency users
can simply, quickly, and flexibly access appropriate cloud resources from multiple
vendors through competitive task orders.
Modernize processes along with technology: Cloud computing is, by nature, a
continuous process, but government procurement, security, compliance, and management
policies and processes were designed in an era of periodic technology purchases. Fully
leveraging the benefits of the cloud requires not just modernization of technology, but
modernization of the policies and processes surrounding and governing that technology.
Move to continuous security and compliance: Cloud-based architectures make heavy
use of software-defined system and networks, enabling continuous monitoring and
improvement of the entire system environments. FedRAMP approval requires a massive,
document based review process followed by periodic inspection. Combining the
continuous metrics from cloud services with tools such as the DHS Continuous
Diagnostics and Mitigation (CDM) program would ensure better awareness of the
government’s security environment.
FedRAMP
With such a clear cloud computing vision and roadmap, OMB may have the opportunity to look
for further ways to enhance cloud migration. OMB has already identified FedRAMP as an area
of interest for further evolution. In support of this effort, Oracle has a few recommendations for
new, more streamlined ways of achieving government compliance and security goals:
Create a “FedRAMP Enhanced” approach to certification: FedRAMP was developed
to ensure security and compliance for commercial public cloud services, but most Federal
cloud services are provided from dedicated, government-only regions today. A
FedRAMP Enhanced regime that recognizes this reality could provide increased security
and visibility for government cloud workloads while also accelerating innovation by
reducing compliance burden on vendors. Oracle would welcome the opportunity to
provide an expanded proposal upon request.
Pilot real-time accreditation and monitoring: FedRAMP accreditation using
automated, real-time data feeds could eliminate many of the prepared documents used to
determine whether Cloud Service Providers (CSPs) are complying with FedRAMP
security requirements. Of the 98 controls listed as informative references for the
Cybersecurity Framework, 37 can be actively monitored in real-time or near-real time
with data fed to Federal agencies. An additional 50 control groups can be monitored in a
data-driven reporting approach. Moving FedRAMP to a process that relies on such real-
time data would permit the government to verify compliance continuously through an
automated dashboard connected to vendor data feeds.
Launch an effort to develop a cloud computing profile and supporting tools for the
Cybersecurity Framework: Developing a consensus Cybersecurity Framework profile
for cloud would help to identify and better assess the security outcomes the government
is seeking to achieve through FedRAMP. NIST is best equipped to lead this effort in
partnership with DHS, GSA, and the private sector. Additionally, where necessary, new
standards and tools could be developed to address real-time monitoring of cloud security.
Eliminate FedRAMP approvals for infrastructure upgrades: Permitting vendors to
certify that they will continue to meet programmatic requirements when installing new
equipment, rather than requiring the complete resubmission of a FedRAMP package,
would simplify and accelerate the process of upgrading cloud environments. This could
be combined with continuous monitoring to verify the cloud vendor’s certification.
Conclusion
Oracle applauds OMB for developing such a forward-thinking strategy to guide Federal
implementation of cloud computing. Cloud Smart recognizes the realities of the market and sets
the government on a path to success. With Cloud Smart fully implemented, the government will
be well positioned to benefit from the scale and speed of cloud computing environments and
from the technological innovation that is occurring in the cloud computing market. Oracle looks
forward to supporting OMB in its effort to modernize IT across the U.S. Government.
Sincerely,
Kenneth Glueck
Senior Vice President
computing. As reflected in the private sector, government IT systems will always remain
a mix of vendors and services. The rise of an entire class of services dedicated to
managing hybrid- and multi-cloud environments demonstrates that heterogeneity is not a
bug to be quashed but a feature to be embraced. The adoption of multi-vendor, multi-
architecture environments, which is recognized as an effective approach by the Cloud
Smart strategy, reflects this reality.
One of the most important features of cloud computing is its ability to make computing
continuous and dynamic. Vendors constantly update and improve their services without ever
requiring their users to install patches or buy new versions. Service can be constantly and rapidly
scaled up or down. In order for government to see the full benefits of cloud computing, it needs
to ensure its internal processes are adapted to similarly enable continuous change and innovation.
Oracle recommends government use the following targets to achieve this goal:
Foster simple, quick, and flexible access: Cloud computing is simple to start, rapid to
scale, and readily available to use. Unlike traditional IT systems, which require large
capital investments up front, cloud computing resources can be available at the click of a
button. Yet government procurement systems are still set up for large, one-time
acquisitions. Government must modernize its procurement system so that agency users
can simply, quickly, and flexibly access appropriate cloud resources from multiple
vendors through competitive task orders.
Modernize processes along with technology: Cloud computing is, by nature, a
continuous process, but government procurement, security, compliance, and management
policies and processes were designed in an era of periodic technology purchases. Fully
leveraging the benefits of the cloud requires not just modernization of technology, but
modernization of the policies and processes surrounding and governing that technology.
Move to continuous security and compliance: Cloud-based architectures make heavy
use of software-defined systems and networks, enabling continuous monitoring and
improvement of the entire system environments. FedRAMP approval requires a massive,
document based review process followed by periodic inspection. Combining the
continuous metrics from cloud services with tools such as the DHS Continuous
Diagnostics and Mitigation (CDM) program would ensure better awareness of the
government’s security environment.
With such a clear cloud computing vision and roadmap, OMB may have the opportunity to look
for further ways to enhance cloud migration. OMB has already identified FedRAMP as an area
of interest for further evolution. In support of this effort, Oracle has a few recommendations for
new, more streamlined ways of achieving government compliance and security goals:
Create a “FedRAMP Enhanced” approach to certification: FedRAMP was developed
to ensure security and compliance for commercial public cloud services, but most Federal
cloud services are provided from dedicated, government-only regions today. A
FedRAMP Enhanced regime that recognizes this reality could provide increased security
and visibility for government cloud workloads while also accelerating innovation by
reducing compliance burden on vendors. Oracle would welcome the opportunity to
provide an expanded proposal upon request.
Pilot real-time accreditation and monitoring: FedRAMP accreditation using
automated, real-time data feeds could eliminate many of the prepared documents used to
determine whether Cloud Service Providers (CSPs) are complying with FedRAMP
security requirements. Of the 98 controls listed as informative references for the
Cybersecurity Framework, 37 can be actively monitored in real-time or near-real time
with data fed to Federal agencies. An additional 50 control groups can be monitored in a
data-driven reporting approach. Moving FedRAMP to a process that relies on such real-
time data would permit the government to verify compliance continuously through an
automated dashboard connected to vendor data feeds.
Launch an effort to develop a cloud computing profile and supporting tools for the
Cybersecurity Framework: Developing a consensus Cybersecurity Framework profile
for cloud would help to identify and better assess the security outcomes the government
is seeking to achieve through FedRAMP. NIST is best equipped to lead this effort in
partnership with DHS, GSA, and the private sector. Additionally, where necessary, new
standards and tools could be developed to address real-time monitoring of cloud security.
Eliminate FedRAMP approvals for infrastructure upgrades: Permitting vendors to
certify that they will continue to meet programmatic requirements when installing new
equipment, rather than requiring the complete resubmission of a FedRAMP package,
would simplify and accelerate the process of upgrading cloud environments. This could
be combined with continuous monitoring to verify the cloud vendor’s certification.
Conclusion
Oracle applauds OMB for developing such a forward-thinking strategy to guide Federal
implementation of cloud computing. Cloud Smart recognizes the realities of the market and sets
the government on a path to success. With Cloud Smart fully implemented, the government will
be well positioned to benefit from the scale and speed of cloud computing environments and
from the technological innovation that is occurring in the cloud computing market. Oracle looks
forward to supporting OMB in its effort to modernize IT across the U.S. Government.
Sincerely,
Kenneth Glueck
Senior Vice President