Shared Services to Enable Future Network Architectures

Summary of Efforts to Date

A model for sharing services already exists within the Federal Government, allowing for the delivery of common administrative functions such as financial management, human resources, payroll, and acquisitions. The concept of shared services was first substantively addressed by the Federal Government in the early 1980s with the creation of the National Finance Center within the Department of Agriculture, which sought to reduce redundancy in the hiring of administrative staff. The value of sharing was self-evident, and, in the 1990s, a series of projects to share back-office services were established and made permanent. In addition, the Federal Government began laying the foundation to implement category management principles by establishing a team of dedicated senior Government executives to oversee the 10 largest areas of federal procurement. Specifically, the IT Category Manager established several interagency subcategory teams to further streamline the management of common IT commodities such as hardware, software, and mobility.

While there has long been interest in shared services for general IT needs, a perilous threat environment has resulted in a need for cybersecurity shared services as well as commercially provided capabilities, such as email and cloud. Not only would the widespread use and deployment of shared services in information security provide cost savings, they would also provide a more consistent level of security across the Federal enterprise.

Current State

Addressing security challenges is critical if the Federal Government expects to achieve strong security outcomes; however, the current model of distributed Federal IT makes tackling complex resource-intensive problems in a consistent manner challenging. Today, each agency must independently identify possible vendors, evaluate the security of the vendors, issue an ATO, integrate the solution into their own independent bespoke IT infrastructure, and allocate resources to monitor and operate that infrastructure on an ongoing basis. The combination of these factors does not achieve consistent high quality security outcomes.

The Federal Government is the world’s largest buyer. There is a critical need to change the way the Federal Government buys common information technology products and services. Significant contract duplication means that agencies award multiple contracts for similar goods and services, often leading to hundreds, if not thousands, of contracts for the same requirement with the same vendors. Additionally, there is huge price variance for the exact same item, sometimes as much as 300 - 400 percent. Agencies work highly autonomously, with only occasional collaboration across organizations and little sharing of information, standards, and best practices. This degree of fragmentation, lack of common standards, and lack of coordination drives costly redundancies and inefficiencies in procurement actions, contracting vehicles, and customization of common information technology solutions.

The existing federated and distributed approach to IT is no longer sustainable in an increasingly mobile, cloud-based and complex digital world. Building or internally operating such security programs requires specialized cybersecurity talent and knowledge, access to a broad range of data sources to manage the latest threats, and sophisticated and costly emulation and static analysis technology. This is an immense undertaking for large departments, but even more so for smaller and non-CFO Act agencies, which often struggle with basic security functions, such as vulnerability mitigation, due to resource limitations. Programs like CDM are taking steps toward deploying common tools across all agencies and integrating large and small agencies into a shared cybersecurity understanding; however, many of these programs, including CDM, have been mired in delays and have not yet yielded their full promise.

Future State & Objectives

In order to reduce cost, improve operational efficiencies and cybersecurity, the Federal Government must shift toward a consolidated IT model. This includes adopting centralized offerings for non-mission specific functions by default, and should comprise commodity IT, such as email, productivity, collaboration, and security tools. This approach is consistent with ongoing category management practices and will help the Federal Government rapidly deploy new capabilities that will enhance agencies’ abilities to perform their missions and secure their networks. The Federal Government must embrace the broader use of cloud services while working to develop cloud products that meet Federal cybersecurity standards. With the proper type of cloud offering designed with an appropriate focus on security, the increased use and consolidation of IT services in multi-tenant cloud services can provide the visibility and control necessary to deploy data-level protections and automated cybersecurity outlined earlier in this report. Agencies must leverage shared services and embrace commercial technologies where possible, building new capabilities only when shared services and commercial technologies cannot meet mission need.

In order to achieve the desired future state, the Government must address the current impediments in policy, resource allocation, and disparate agency interpretations of statutes and guidance, in addition to other considerations that are obstacles to agencies’ adopting shared and cloud services. The Government should work with cloud infrastructure providers to obtain systems that offer world-class levels of functionality, cost-effectiveness, and security based on the providers’ abilities to aggregate demand across a broad range of customers. Rather than relying on often outdated and agency-specific systems, the Federal Government could leverage these providers’ expertise to both save taxpayer dollars and increase effectiveness and security.

Implementation Plan

Both the short- and long-term steps outlined in this section will result in greater innovation across the Federal enterprise, decrease costs, and dramatically improve services provided to both agencies and citizens. These interventions will allow agencies, and particularly smaller agencies, to more easily acquire and adopt commodity cloud infrastructure products, while leveraging the Federal Government’s buying power to produce economies of scale. Additionally, these efforts will augment existing agency-specific technology to improve both visibility and security. This implementation plan focuses on three key areas viewed as pivotal for accelerating the move to shared services: (1) enabling the use of commercial cloud services and infrastructure; (2) accelerating adoption of cloud email and collaboration tools; and (3) providing additional and improving existing shared services.

1. Enable the Use of Commercial Cloud Services and Infrastructure

Major commercial cloud infrastructure providers offer excellent levels of functionality, cost effectiveness, and security because of their ability to aggregate demand across a broad range of customers. There is a wide range of ways in which each of the models outlined below can drive cloud adoption by Government customers; however, it is generally helpful to think about the options as one default approach and a second option for when security requirements demand it.

In order to ensure a smooth adoption of cloud technologies across the Government, it is important to understand the various models that are available for utilizing cloud services. The following two options describe the main approaches in which the Government has adopted cloud services and how these models could be adjusted moving forward.

Bring Government to the Cloud: Vendor-owned and -operated servers and applications — Software as a Service

This is the ubiquitous public cloud model used by the vast majority of private sector cloud providers, and is already in use by many Federal agencies today. Among other uses, this model is appropriate for modern cloud-hosted email, productivity, and collaboration tools. Government agencies also currently use Software as a Service for a wide variety of applications like online payroll services, applicant tracking systems for hiring, and travel booking and expense management systems. These services are typically accessed through secure connections over the Internet.

Many agencies have already fully embraced vendor-operated, cloud-based collaboration tools, and, depending on the agency, may have anywhere from dozens to hundreds of such tools in use today in their environment. It is important for the rest of Government to migrate from legacy offerings to take advantage of the increased productivity and innovation that these shared services offer.

Bring Government to the Cloud: Vendor-owned and operated servers and Government-operated applications with networks that utilize a secure connection — Infrastructure as a Service

Some service needs can only be met by developing custom software, or by buying software not available as a service. With this model, a cloud vendor owns and operates servers in a private sector data center that agencies reach through a secure connection. Secure connections could include HTTPS, TLS, peering, etc. This provides an infrastructure upon which agencies deploy applications that they create or acquire. This model can be utilized for secure, critical applications that are available only to Government users over a virtual private network (VPN) or behind other network-level isolation.

Because Infrastructure as a Service gives customers control over many low-level details, it can entirely replace the need for a traditional on premise data center. Agencies can often move existing services from legacy on premise data centers to cloud infrastructure with some software modifications.

These applications can be public services used by the general public or private internal services used by agency employees. In either case, agencies may consider cloud infrastructure as a service to be an extension of their existing private enterprise network, or they may treat it as a separate, isolated network. Regardless, users access the service through secure connections, which could include HTTPS, TLS, VPN, or a dedicated line.

Infrastructure as a service excels at providing a platform for creating and deploying the digital services that are core to an agency’s mission. These models are already in use by agencies in a wide range of use cases, including benefits processing for veterans, immigration, and healthcare, as well as data processing and software testing in the Department of Defense community.

Bring the Cloud to Government: Government-owned data center buildings with vendor-owned and -operated services

For certain applications where using the Internet is not a viable option, commercial providers can operate infrastructure in Government-owned facilities. This is attractive for classified systems, which cannot be connected to the public Internet. For example, the intelligence community was the original adopter of a model in which vendor-owned and operated services were based out of Government-owned data center buildings. An example of this approach is the Intelligence Community Information Technology Enterprise (IC ITE) Commercial Cloud Services.

This model is much more expensive than fully commercial cloud services, and cannot keep pace with the innovation of public cloud solutions. As such, it is only appropriate where the Government absolutely must retain physical control over the infrastructure.

It is important to be wary of on premise solutions that are sold with cloud terminology that do not actually meet the NIST Essential Characteristics of cloud computing. Often, products that claim to offer private cloud infrastructure fail to deliver on these promises, missing key aspects such as rapid elasticity, on-demand self-service, or resource pooling.

Bring the Cloud to Government: Vendor-owned and -operated data centers with servers dedicated for Government use

Many cloud service providers offer Government-dedicated versions of their services, where the provider builds segregated space for Government use so that agency customers only share logical space (possibly including servers, buildings, networks, personnel) with other Government customers. This allows a provider to more easily meet Government-specific compliance requirements for securing sensitive data.

This model provides a middle ground between public shared cloud infrastructure and costly on premise infrastructure. It is used by many agencies today to house applications where legal, compliance, or security reasons preclude the use of shared servers.

This model, which is already in use, could be particularly useful and appropriate for hosting Government websites and services that carry sensitivities for which public servers would not be appropriate.

Recommendations:

Cloud is not a one-size-fits-all solution, and offers a multitude of options for agencies based on their needs and preferences. While it is important to ensure flexibility across the Federal Government, there are a few models that can cover the majority of Federal use cases. As such, the Government should invest in two to three cloud models to support the differing security and risk-tolerance postures of agencies.

In particular, the Government should expand its use of the “Bring the Government to the Cloud” models, as these best balance the benefits of cloud computing—including improved performance and cost-savings—with outsourced security and control. While the impending revisions to the TIC policy and guidance will affect some of the eventual business decisions surrounding cloud options, agencies should begin working to determine how best to use the models outlined above.

Next steps to support the above recommendations are as follows:

Upon Approval of the President and Within a Timeline of 30 Days:

Pursuant to its statutory authorities and in execution thereof, OMB will conduct a data call requesting that agencies identify systems that may be ready for cloud migration and can be migrated securely but have not yet migrated due to perceived or encountered difficulties. At the conclusion of this data call, OMB and GSA will review the impediments to moving to the cloud outlined by agencies and will prioritize an infusion of technical talent, capital, and updated security policy (developed iteratively to solve agency-specific issues) as needed to enable prioritized cloud migrations. This task is described in more detail in the following section.

Upon Approval of the President and within a Timeline of 120 Days:

Pursuant to its statutory authorities and in execution thereof, OMB, in coordination with DHS, GSA, and its Federal partners, will update the Federal Cloud Computing Strategy (“Cloud-First”). This strategy will provide additional guidance to agencies on the most impactful use cases for cloud adoption and how best to conduct appropriate operational security in cloud environments. This effort will be informed by the OMB-led efforts with the ATC work regarding reducing the time and complexity of ATOs, including ATOs specific to cloud infrastructure and platforms.

OMB, working with the Federal Acquisition Regulation (FAR) Council, GSA, and DHS will develop clauses that define consistent requirements for security, privacy, and access to data for use in cloud contracts. These clauses will ensure uniformity in contract language and provide rigor to standard Government terms, which would be particularly valuable to agencies lacking relevant technical, legal, or acquisitions expertise to craft, out of whole cloth, such language in their cloud procurements.

2. Accelerate Adoption of Cloud Email and Collaboration Tools

Email is an essential mechanism for collaboration and one of the most prevalent attack vectors for cybercrime in modern society. Targeted, email-based spear phishing attacks using malicious attachments and links are the primary attack vector for compromising individuals and organizations.

Accelerated rollout of cloud email and collaboration is urgent given the number of duplicative legacy systems and their associated cybersecurity risks. In addition, even within cloud-based email, there exists price variance due to the fact that agencies negotiate individually. Thus, consolidating buying power through Government-wide price negotiations has the potential to achieve further cost savings.

In order to support agencies in moving away from their own email servers and solutions, a set of secure, easy-to-maintain, and cost-effective solutions must be available. Industry is well positioned to provide effective security controls, especially when paired with NCPS capabilities, and to give agencies improved mobile, tablet, and productivity capabilities. There are currently only two hosted solutions deployed in the Federal Government, though additional competitors could emerge. Regardless, a requirement to make better use of cloud-based email and collaboration services increases the Government’s leverage in obtaining better pricing.

While the benefits are worthwhile, ranging from cost savings to improved security, the migration itself to cloud-based tools can be costly and burdensome, particularly for smaller agencies. In order to support agencies in their migration, a set of secure, easy-to-maintain, and cost-effective solutions must be made available.

The Government must pursue new acquisition tactics for cloud email and collaboration licenses. In furtherance of this objective, pilots such as the example outlined in Appendix D may be executed to decrease the administrative acquisition burden, specifically for smaller agencies who cannot leverage large volume discounts or who have acquisition workforce constraints. Additional pilots may include the ability to purchase cloud services on a consumption basis and coordinated purchasing to obtain tiered-based pricing.

Successful execution of the pilot outlined in Appendix D will result in agreements with cloud email providers, which define volume discount pricing based on the total number of Government-wide mailboxes to be migrated while preserving the ability for agencies to compete with cloud email providers. This pilot will help determine what, if any, drawbacks or complications emerge from the creation of this heretofore untested model of volume pricing negotiations. This should result in shorter competitions (one to two months for acquiring cloud email licenses) as opposed to the months- or years-long process that such procurements (for example, establishing Government-wide acquisition contracts or blanket purchase agreements) currently require.

One of the fundamental advantages the Government has in seeking products and services is that its size should allow it to leverage competing market forces to drive Government-wide volume pricing and increase the overall speed of migration. The goal would be to incentivize providers through tiered pricing agreements that would produce publicly displayed price points to serve as the base license price for any licenses purchased by the Government.

This would mark a significant departure from existing acquisition marketplaces where existing models are laborious for both Government and industry and fail to truly capture volume spending as an aggregated value. In addition, the current process does not always offer sufficient transparency, allowing some agencies to pay less than others. Often, it is the small agencies, who can least afford higher prices, that are penalized.

Next steps to support the above recommendations are as follows:

Upon Approval of the President and within a Timeline of 30 Days:

OMB will conduct a data call to agencies regarding their current email contracts, prices, and number of mailboxes. It is imperative that the Government obtain an accurate measurement of the market size of agencies who have not yet migrated to cloud email. While there are clear data on the current need among CFO Act agencies, there is currently no definitive data regarding the adoption of cloud-based email solutions at small and independent agencies. Understanding the full size of the marketplace will enable the Government to maximize its leverage in negotiations with cloud collaboration vendors.

OMB will convene a task force of agencies to finalize a standard set of requirements for cloud email, including both low and moderate security postures for email and cloud collaboration. These requirements, which will build upon previously completed work, will be circulated to all agencies for comment and serve as the basis for acquisition.

Upon Approval of the President and within a Timeline of 45 Days:

OMB will issue updated identity policy guidance for public comment that will reduce agency burden and recommend identity service areas suitable for shared services. GSA will provide a business case to the Federal CIO on the consolidation of existing identity services to improve usability and drive secure access and interoperability. This action will enable secure access and collaboration as a service in a way that improves existing agency-specific implementations, which often have various levels of security and do not include interoperability.

Upon Approval of the President and within a Timeline of 60 Days:

OMB will establish a comprehensive strategy for driving the accelerated migration of agency email and collaboration tools to the cloud for departments and agencies who have still not adopted cloud-based email. This strategy should emphasize achieving both cost savings and improved security.

Upon Approval of the President and within a Timeline of 90 Days:

OMB will assemble an Acquisition Tiger Team (ATT), which will be charged with drafting and disseminating a “quick start” acquisition package that can help agencies facilitate rapid license and migration service acquisitions. This will make it possible for agencies that may presently have difficulty doing so to award licenses and services. The “quick start” package would include market research, acquisition plans, templates for requesting quotes, identified sources of supply, and Independent Government Cost Estimate calculation templates (based on already completed acquisitions).

The ATT, working through the appropriate executive agent, will send out Requests for Information (RFIs) or conduct other market research activities to find qualified small business and socio-economic concerns, leveraging set-aside programs and other authorities to streamline the migration acquisitions to the greatest extent possible, for example by using the 8(a) Digital Service Initiative or vehicles that have resulted from Category Management efforts in this space.

Upon Approval of the President and within a Timeline of 180 Days:

The Government should consider incentives for early adoption (migration in the first year following the formalization of the effort), including individualized assistance tailored to a given agency’s needs. To assist in such an effort, OMB will create acquisition/migration cadres, consisting of information technology and acquisition specialists, that will be sent to early adopter agencies to help with license and migration acquisition-related challenges. Initially, these cadres would draw from agencies that have already completed their migrations, such as the Department of Justice (DOJ), and from acquisition experts in the Digital IT Acquisition Professional Training (DITAP) alumni network.

Upon Approval of the President and within a Timeline of 240 Days:

OMB, with support from GSA, will pilot new acquisition tactics for cloud email and collaboration licenses including but not limited to those discussed above and outlined in Appendix D.

Other High-Level Actions:

Approved FISMA-Moderate cloud-based collaboration tools currently exist. GSA will continue to work with existing cloud email and collaboration providers, and will prioritize approval of a FISMA-High offering. Process improvements will continue iteratively to enable agencies to accelerate adoption of cloud services.

3. Improve Existing and Provide Additional Security Shared Services

As cyberattacks have become more sophisticated, frequent, and easier for adversaries to execute, cybersecurity has continued to escalate as a primary responsibility for all individual agencies and for the Federal Government as a whole. Addressing cybersecurity threats holistically necessitates both a further consolidation of the Federal Government’s IT footprint as well as an expansion of shared, centralized services to better leverage Federal buying power, standardize security capabilities, improve the time it takes to detect and respond to incidents, and realize economies of scale from aggregating data.

Continuous Diagnostics and Mitigation (CDM)

DHS established the CDM Program in 2013 to provide Federal civilian agencies with automated continuous monitoring tools to detect vulnerabilities and potentially malicious network activity in near real-time. CDM Phase 1, which is currently being deployed, is designed to determine “what is on the network” by providing agencies with capabilities to identify and remediate vulnerabilities and ensure secure hardware and software configurations on their networks. CDM Phase 2 will focus on “who is on the network” and provide capabilities to detect and manage privileged user access and ensure that only authorized, credentialed users have access to information on the network. CDM Phase 3 will report “what is happening on the network” and provide capabilities to identify and assess anomalies that may indicate a cybersecurity compromise and to implement ongoing assessment and authorization. CDM Phase 4 will focus on expanding data protections for Government information. All CDM capabilities will feed information to both an agency- and Federal-level dashboard, enabling Government-wide visibility into the current state of Federal information security.

Up to this point, CDM has not sought to address cloud-hosted systems and has instead focused on helping agencies secure their on premise networks. While this does introduce some limitations, the program has nonetheless elevated the baseline of cybersecurity across the Government. Over the identified phases, the program will deliver capabilities through various mechanisms, including an “as-a-service model,” to ensure that additional capabilities can be provided in a more centralized and standard way.

A challenge in implementing CDM capabilities in a more cloud-friendly architecture is that security teams and security operations centers may not necessarily have the expertise available to defend the updated architecture. To support agency cybersecurity efforts, the Federal Government is working to develop this expertise and provide it across agencies through CDM. Currently, all CFO Act agencies (except the Department of Defense) participate in CDM, as do 44 non-CFO Act agencies in the Federal enterprise. CDM will continue to grow and provide sophisticated tools and services to current agencies, while working to onboard the other small agencies not currently served by the program.

This is imperative for enabling the Federal Government to increase security throughout the Federal enterprise. Further targeted actions by DHS’s CDM Program Office and agencies can help expedite the modernization and adoption of CDM to identify, detect, and respond to threats in the Federal Government’s increasing move to cloud environments and mobile devices.

Upon Approval of the President and within a Timeline of 60 Days:

DHS, in partnership with agencies and GSA, will complete the acquisition strategy for new, long-term task orders to offer CDM lifecycle support to agencies and provide solution development and implementation for Phases 3 and 4 in addition to future work, including cloud security.

Upon Approval of the President and within a Timeline of 125 Days:

DHS will obtain FedRAMP assistance in developing a DHS ATO package compliant with the FedRAMP process. Upon completion of the authorization process, DHS will begin on-boarding agencies onto the CDM Shared Service Platform (SSP) to provide continuous-monitoring-as-a-service capabilities.

At the end of the 125 days, DHS will update OMB on the current number and status of remaining Memoranda of Agreement it has established with non-CFO Act agencies (above and beyond the current number of 44). DHS will also submit a plan to OMB that details the expectations and timelines for onboarding non-CFO Act agencies to the SSP.

Upon Approval of the President and within a Timeline of 150 Days:

DHS will complete the data exchanges between the agency- and Federal-level dashboards to provide enterprise-wide situational awareness of an agency’s cyber posture.

Upon Approval of the President and within a Timeline of 180 Days:

DHS, in partnership with the Federal CIO Council, will implement a concept of operations for the Federal dashboard to include procedures to manage cyber risks across the Federal enterprise, and other factors pertinent to the broader Federal CIO community.

Security Operations Center (SOC) as a Service

The Security Operations Center (SOC), which generally provides central visibility into the state of security on an agency’s networks, is an essential component of securing the Federal IT enterprise; however, many agencies lack the resources or expertise to establish their own agency-level SOCs. Given the vulnerability this creates, the establishment of a SOC as a service (SOCaaS) capability is essential to ensure appropriate enterprise-wide visibility, incident discovery, and information sharing among Federal agencies. Such a capability would allow agencies currently lacking such capabilities to purchase them from those agencies with sufficient capacity to offer such a service. This could allow for the creation of specialized offerings. For instance, agencies who have demonstrated expertise in defending cloud applications could expand their current SOC capabilities and offer a SOCaaS, focusing specifically on cloud applications. In addition, contracts can be let with commercial providers to provide SOCaaS offerings. Agencies lacking the requisite expertise could leverage these services to accelerate their migration to commercial cloud capabilities.

Over time, agencies offering SOCaaS could provide a full suite of capabilities to agencies that do not want or need to manage their own operations. This would align with the consolidation of existing networks. A more consolidated SOC would have broader visibility, easier communications, and the ability to add tools not available in a more distributed model.

Specifically, SOC as a Service capabilities could:

Upon Approval of the President and within a Timeline of 60 Days:

OMB, in coordination with DHS, will select agencies to provide SOC as a Service offerings for use across the Federal Government. GSA, in coordination with OMB and DHS, will lead contracting efforts to offer commercially provided SOC as a Service for use across the Federal Government.

Upon Approval of the President and within a Timeline of 90 Days:

Selected agencies will develop a pricing model in alignment with the cloud migration strategy and timeline outlined above.

Other High-Level Actions:

DHS will work with SOC as a Service providers to ensure that NCPS and CDM capabilities and outcomes can be achieved and that the visibility remains aggregated across cloud and on premise security capabilities. Additionally, selected agencies will create a pilot regarding their SOCaaS capability and identify initial agencies with whom they will collaborate to test access and visibility.