OMB’s ‘Cloud Smart’ Draft Policy Offers Path to Safer Cloud Migration

Suzette Kent, federal CIO

Only days after the White House released its new strategy to beef up federal cybersecurity, the Office of Management and Budget has followed suit with a security-focused draft proposal that aims to help agencies move to a secure cloud network.

“To keep up with the country’s current pace of innovation, President Trump has placed a significant emphasis on modernizing the Federal government,” U.S. Chief Information Officer Suzette Kent said in a statement. “By updating an outdated policy, Cloud Smart embraces best practices from both the federal government and the private sector, ensuring agencies have capability to leverage leading solutions to better serve agency mission, drive improved citizen services and increase cyber security.”

The draft Federal Cloud Computing Strategy focuses on the following three areas:


The evolution of the federal cybersecurity policy and capabilities is key to modernization, the strategy states:

To implement a risk-based approach to cloud adoption, agencies should transition to security and protections at the data layer instead of the network and physical infrastructure layers, as well as improve the governance of systems. Additionally, it is critical that agencies have comprehensive visibility of their data, both on-premises and in the cloud, and perform continuous monitoring in order to detect malicious activity. As agencies approach their modernization efforts, they should apply these capabilities to their high-risk, high-value assets first in order to take advantage of all that cloud has to offer.

The draft framework stresses agencies will have “to think in terms of intended outcomes and capabilities, not merely programs, in approaching security holistically.” Trusted Internet Connections, for example, will need a revamped architecture to keep pace with new technology and to overcome performance degradation challenges.

The proposed policy also emphasizes accelerating the pace through which cloud service providers become Federal Risk and Authorization Management Program certified. Plans for speeding up common Authorization to Operate agreements “and overall process improvements are in development and will be addressed in future guidance,” states the strategy.


Agencies need to use the federal government’s buying power and acquisition best practices to avoid jeopardizing information and data stored in the cloud. Approaches include:

. . .  employ[ing]category management to improve buying practices that support Cloud Smart strategies, increase adoption of proven cloud vehicles in the Federal marketplace, and develop new vehicles to address emerging demands.

. . . ensur[ing that any additions to customary commercial agreements focus on the goal of avoiding inconsistencies between commercial regulation and Federal law.

. . . releas[ing]an update to the previous High Value Asset (HVA) memorandum that builds on the previous initiative . . . to ensure that contracts for High Value Assets, including those managed and operated in the cloud, include requirements to ensure visibility into the security of the asset.


The draft strategy also stresses equipping agency employees with skills to keep pace with cloud technologies.

As agencies adopt and migrate to cloud platforms, the impact these migrations will have on the Federal workforce needs to be examined, along with identification of potential skill gaps. Agencies must forecast which new skills and programmatic approaches will be needed to address the gaps and skills evolution.

So, the agency CIOs and chief human capital officers should conduct a skills gap analysis to examine the agency’s current and future work roles as well as have an “aggressive period” during which employees are trained in cloud technologies. In addition, agencies need to have recruitment and hiring strategies that

leverage industry recruitment best practices, expanding the use of pay flexibilities, and removing bureaucratic barriers to hiring staff expeditiously. Agencies must build a pipeline to continuously feed cybersecurity talent into the Federal Government.

Agencies are encouraged to use incentives such as student loan repayment to hire candidates with desirable cloud skills.

Agencies have broad authorities under Title 5 of the United States Code to hire top IT and cybersecurity talent, and to provide candidates with superior qualifications or who address critical skill gaps with pay flexibilities and incentives. Agencies are strongly encouraged to use available hiring authorities, recruitment, and student loan repayment incentives to hire professionals with highly sought-after cloud computing skills.

The draft strategy is now open to public feedback, through discussions on GitHub, by creating a pull request and via email

Comments are closed.