Thursday, January 23, 2025
Last week, I posted the release of a new report from the Center for Strategic and International Studies, Faster Into The Cloud: Accelerating Federal Use of Cloud Services for Security and Efficiency.

In addition to the main report, six working groups contributed specific ideas through separate papers. I co-chaired the Working Group on Budget and Incentives with Michael Daniel and a stellar team, and re-post that paper below.

Introduction

IT systems enable federal agencies to achieve their missions. In turn, budgets, contracting processes, and incentive structures drive how federal agencies manage their IT assets. These factors set the parameters for action and shape decisionmaking. As such, budgets, contracting, and incentives will play a critical role in any federal government effort to better manage IT and move more functions to cloud services.

At a fundamental level, policies will not produce the desired results without adequate funding. Agencies need a sufficient IT budget to both maintain current operations and invest in future capabilities; otherwise, much-needed improvements will not happen. Gimmicks and false efficiencies will neither provide needed resources, nor will false metrics drive change.

However, simply allocating more money will not solve federal IT problems. Current budget, contract, and performance systems have multiple shortcomings, and they do not adequately incentivize agencies to modernize their IT systems. For example, under the current process, agencies can obtain operational funding to maintain legacy systems more easily than procurement funding to purchase modern ones. This structure incentivizes agencies to maintain insecure, outdated systems long after they should have upgraded them, thus reducing efficiency and increasing risk.

Recommendations

To address these shortcomings, this working group recommends that the next administration implement five overarching changes to the budget, contracting, and performance processes for federal IT:

  1. Provide sufficient resources: Agencies should receive adequate funding to move functions to cloud services and refactor old applications.
  2. Make budgeting rules more flexible: Even if IT budgets increase, current budget rules make it difficult for agencies to achieve the intended goals. Therefore, the administration should modify certain budget rules and processes to enable agencies to spend their resources in the most effective way possible.
  3. Update contracting processes: The administration should review IT contracts to increase flexibility and to allow agencies to reinvest savings.
  4. Use a portfolio management approach: Agencies should more fully embrace a portfolio management approach, complete with goals and metrics, to manage their IT assets.
  5. Accelerate budget decisionmaking: Decisions should be made faster to enable agencies to shift functions to cloud services and modernize systems more rapidly.

Within each of these broad areas, this working group recommends several specific actions, detailed below.

Provide sufficient resources: Congress and OMB, working with chief information officer (CIO) and chief financial officer (CFO) councils, should reevaluate IT budgets to ensure that agencies have sufficient resources to achieve long-term strategic goals for modernizing legacy systems, shifting functions to the cloud, securing the resulting cloud services, and responding to changing priorities and evolving technology. This step may require working with Congress to adjust 302b allocations, especially if caps remain in place.

Make budgeting rules more flexible: Current budget scoring rules make it highly challenging for civilian agencies to make needed investments in cloud services and IT modernization. These rules could be made more flexible without losing the discipline they impose. Potential modifications include:

  1. Give current-year credit for validated future savings: Agencies could be allowed to count future year savings from current-year investments if those savings are validated by an independent review from the Government Accountability Office (GAO), an inspector general, or a similar organization.
  2. Adopt multiyear IT budgets for civilian agencies: The DOD and the intelligence community utilize multiyear budgeting, which gives agencies the benefit of accounting for future-year savings. Under the one-year budgeting approach most civilian agencies use, future-year savings provide no current-year benefits.
  3. Provide multiyear availability for IT funding: Since large IT projects like cloud adoption take considerable time to execute, Congress should ensure that IT funding has multiyear availability. This change would avoid incentivizing a year-end funding rush and promote measured, meaningful buying.
  4. Relax full-funding requirements: Civilian agencies often cannot fully fund an IT modernization project in a single year without disrupting current operations, an outcome that is neither practical nor politically feasible. Therefore, the next administration should consider incremental funding for certain high-priority cloud transition projects and prioritize existing flexible procurement procedures, such as those in Federal Acquisition Regulation (FAR) Part 39, to make that happen.
  5. Present an interagency modernization and cloud budget as part of agency budgets: In addition to the presentation in OMB documents, the next administration could have agencies reflect a government-wide view of IT modernization and cloud spending as part of their IT budgets. Such a presentation would allow agencies to show how their investments fit into a broader picture that aligns with similar activities across the government. This presentation would include annual appropriations, working capital funds, and the Technology Modernization Fund (TMF), among other funds.
  6. Budget for due diligence reviews and FedRAMP compliance: Agencies should be required to request sufficient funding to conduct due diligence of authorized vendors and enable FedRAMP compliance, to include sponsoring CSPs through the FedRAMP multiagency process. Incorporating these costs in budget estimates will provide a truer picture of the “total cost of ownership” for IT systems. This could also include assessing the full costs of initial authorities to operate (ATOs) and follow-on continuous monitoring requirements of cloud and hybrid systems.

Update contracting processes: In addition to the budget rules, current contracting procedures further constrain agencies from shifting functions to the cloud. The next administration should modify contracting processes to make them more flexible and useful for IT projects. Such adjustments could include:

  1. Review current IT contracts: Under the Federal Information Technology Acquisition Reform Act (FITARA), OMB and the agency CIOs should review current IT contracts and then propose the necessary modifications to migrate those functions to secure cloud systems.
  2. Expand share-in-savings contracting: This contracting method allows companies to invest in cloud services upfront with repayment from later operational savings from a cost baseline agreed to by the government and the contractor.
  3. Link contracts explicitly to innovation goals (including small-business teaming): In order to maintain access to innovation, the federal government should ensure that IT contracts do not fund only large companies with patient capital and do provide incentives to introduce innovative reforms during contract execution.
  4. Introduce enterprise-wide license agreements and performance-based contracts: Agencies should make broader use of this contracting model. Key service-level agreements in these contracts should be tied to secure cloud performance.
  5. Increase training regarding secure cloud services: The procurement workforce needs to increase its ability to write, manage, and oversee cloud services contracts.
  6. Support complementary legislative proposals: Relevant provisions could adjust the prohibition of advance payments to allow multiyear cloud contracting for reserved instances and discounted compute, as well as extend commercial solutions opening authority to all civilian agencies.

Use a portfolio management approach: OMB should lead this effort, working with CIO and CISO councils to improve returns on investment.

  1. Establish goals and metrics for cloud migration: Achieving outcomes absent goals and metrics is difficult, if not impossible. The administration should establish government-wide goals and metrics for eliminating legacy systems, modernizing IT assets, and migrating to the cloud. OMB’s recent budget guidance provides one model regarding goal setting tied to investments.
  2. Identify the actions needed to achieve the goals: OMB should work with the CIO council to identify any potential roadblocks to achieving the goals, the resources required to achieve the goals, and the timeline for completion.
  3. Use consistent performance metrics for cloud implementation: While each agency’s cloud implementation will differ, the federal government should use consistent metrics to evaluate the performance of those cloud implementations across agencies. The administration should direct the National Institute of Standards and Technology (NIST) to work with the International Standards Organization (ISO), open-source groups, and federally funded research and development centers (FFRDCs) as appropriate to measure both technical and performance aspects of migration, refactoring, paying down technical debt, and running systems.
  4. Assess current IT and cloud spending against agreed-upon performance metrics: Once the government adopts cloud performance metrics, it should regularly assess performance against those metrics and make adjustments as necessary.
  5. Introduce new methods needed to measure spending: The government should introduce ways to track spending, in coordination with relevant organizations like the FinOps Foundation.

Accelerate budget decisionmaking: The Office of the National Cyber Director (ONCD), OMB, federal agencies, and Congress should enable faster decisionmaking with respect to IT, cloud, and cyber projects.

  1. Improve governance of IT and cloud spending: Current budget decisionmaking is highly dispersed across agencies. Therefore, getting a holistic view of IT and cloud spending across the federal government is difficult and time consuming, often involving data calls and manual inputs. The next administration should adopt processes and tools to make oversight and governance decisions easier, such as through FITARA oversight or OMB IT dashboards.
  2. Establish a Secure Cloud Spending Working Group (SCSWG): The administration should create a dedicated working group, including ONCD, OMB, General Services Administration (GSA), and CIOs, CISOs, and CFOs, which will use the data generated by the previous recommendation to inform decisionmakers regarding the security of the cloud implementations. The projects supported by the FinOps Foundation provide a good example of how to establish such a working group and connect technical experts with senior decisionmakers. The SCSWG can advise OMB and Congress on government-wide efficiency efforts, such as a shared cloud service for common functions vs. agency-specific decisions.
  3. Evaluate shared cloud service models: A shared service model may prove to be the most cost-effective method for obtaining the needed services while ensuring security. The federal government has experience with such shared service models, including:
     • Eyesight/Diplomatic Telecommunications System model: A central fund for common services and agency-specific spending for unique capabilities, including a reserve for incident response or emergent opportunities.
     • E-Gov model: Revenue is collected for common functions, with a lead agency.
     • General security funds for cloud: DHS has appropriated funds it can use for cloud security activities on behalf of other civilian executive branch agencies.
     • Technology Modernization Fund model: Funds are appropriated to a central account and then dispersed according to previously established guidelines, operating like a government-wide working capital fund for IT.
     • Agency-specific working capital funds.

Taken together, implementing these recommendations would dramatically strengthen the federal government’s ability to improve IT systems and migrate to cloud services in a secure manner while maintaining budget discipline. More resources will be needed in the short run, but these investments should improve services, generate savings, and increase security over time.