Department of Veterans Affairs Cloud Strategy, FY18 & FY19
February 8, 2018 | Enterprise Program Management Office
Providing Veterans improved services through cloud-based data and computing capabilities
OFFICE OF INFORMATION AND TECHNOLOGY Enterprise Program Management Office
Table of Contents
1 Introduction
    Purpose
    Policy, Guidance, and Instruction
2 VAEC Description
3 Strategy
    Goal 1: Build the foundation for the VA Enterprise Cloud capability
    Goal 2: Introduce new, innovative capabilities and services for Veterans faster
    Goal 3: Expand enterprise computing capability while improving Veteran and VA data privacy and security
    Goal 4: Transform the IT workforce
4 Critical Dependency: Network Modernization
5 Next Steps
Appendix A: References
Appendix B: Acronyms

Table of Figures
Figure 1. VA Enterprise Cloud Architecture – Operational View
Figure 2. VA Enterprise Cloud Strategy
Figure 3. Initial VAEC Common Services
Figure 4. Security Control Inheritance
1 Introduction
The Department of Veterans Affairs (VA) envisions the VA Enterprise Cloud (VAEC) as a business enabler that will efficiently provide Veterans, their dependents, VA employees and contractors, and VA partners with innovative, Veteran-focused services, applications, and access to information on demand using Veteran-preferred devices and technologies. The VAEC will become the foundation of an agile, interoperable, scalable, and secure cloud computing environment that can adapt to evolving business needs. It will offer elastic, metered data storage and computing capability to support new approaches for the delivery of integrated services to Veterans. The benefits of an enterprise cloud infrastructure, platform, and software services characterized by costs shared across a broad customer base and supported by leading, external technology providers, will improve the VA’s ability to target its efforts toward key mission areas focused on the Veteran. This will result in more efficient and responsible stewardship of taxpayer dollars.
Purpose
This cloud strategy articulates the VAEC vision, goals, and objectives, and outlines derived actions necessary to realize the benefits of a cloud-enabled enterprise. It is intended to inform a broad audience of VAEC consumers and stakeholders. Working together, VA organizations will move forward to realize the Secretary’s priority to “modernize our systems,” beginning with establishing the VAEC.
Policy, Guidance, and Instruction
This strategy is in alignment with the VA cloud-first policy first articulated in VA Directive 6517, Cloud Computing Services (28 Feb 2012), and the cloud security policy outlined in VA Handbook 6517, Risk Management Framework for Cloud Computing Services (15 Nov 2016), and amplified in the joint Strategic Sourcing and Demand Management Division’s Use of the VA Enterprise Cloud (VAEC) to Host Applications memorandum (16 Jan 2018). These authoritative sources respond to mandates issued by the White House, Congress, the Federal Chief Information Officer (CIO), and the VA Secretary. This most recent memorandum includes cloud policy, guidance, and instruction developed in concert with the OIT Comprehensive IT Plan (20 Sep 2017).
The strategy implements VA Secretary Shulkin’s direction, published in May 2017, to “...modernize all ... IT systems to make them commercially viable and cloud-based solutions to the maximum extent possible.” It applies to all new and existing Information Technology (IT) applications used across the VA enterprise components, including the Veterans Benefits Administration (VBA), Veterans Health Administration (VHA), and National Cemetery Administration (NCA).
The Strategic Sourcing and Demand Management memorandum also contained acquisition instructions about strategic sourcing for VAEC use. That memorandum requires all VA programs and projects acquiring cloud services to exclusively use the identified current and planned enterprise-level cloud capacity and services contracts. It also reiterates the VA cloud-first policy.
2 VAEC Description
As shown in Figure 1, the VAEC provides hybrid, virtualized computing capability, including platforms, infrastructure, and software procured from selected commercial cloud service providers (CSPs).
Figure 1. VA Enterprise Cloud Architecture – Operational View
The internal VAEC website describes the VAEC as follows:
...[A] multi-vendor platform for the development and deployment of VA cloud applications. The VAEC provides a set of common, general support services (GSS) such as authentication and performance monitoring which each application can leverage, speeding and simplifying the development of new applications in or migration of existing applications to the cloud. The VAEC also implements many of the NIST-, FedRAMP- and VA-required security controls reducing the time each application should take to obtain a VA [Authority to Operate] (ATO).
Initially, the VAEC will include the two leading commercial cloud platforms: Amazon Web Services (AWS) Government Cloud and Microsoft Azure Government (MAG). Both have met stringent federal security requirements including a FedRAMP High authorization. The VAEC will also include an on-site, VA Private Cloud, for applications with data sensitivity, technical architecture or performance requirements that require them to be hosted in an on-premises cloud.
1 Internal VA Portal, VAEC website, https://vaww.portal.va.gov/sites/ECS/Pages/VA-Enterprise-Cloud-VAEC.aspx; accessed on 26 Jan 2018.
3 Strategy
The strategy presented in this document identifies and describes goals, objectives, and derived actions to implement and operate the VAEC. Together, these goals, objectives, and actions will form the VAEC foundation for future roadmaps, concepts of operations, and standard operating procedures.
The OIT Comprehensive IT Plan identifies milestone schedule goals for implementing an overall robust cloud platform and computing infrastructure by the end of FY22. In furtherance of the OIT Comprehensive IT Plan, this strategy defines goals, objectives, and actions achievable in an 18-month tactical window. Collectively, they inform the selected route to successfully establishing the VAEC foundation, including governance, phased production system migration approaches, and cloud-hosted, automated services.
Figure 2. VA Enterprise Cloud Strategy
Goal 1: Build the foundation for the VA Enterprise Cloud capability
Objective 1.1: Establish a comprehensive suite of cloud capabilities and processes that serve all VA cloud business and IT needs
Action 1.1.1: Establish the Enterprise Cloud Solutions Office (ECSO) within the OIT EPMO/Demand Management Division
The Enterprise Program Management Office (EPMO) Senior Executive for VA Enterprise Cloud will establish a customer-centric Enterprise Cloud Solutions Office (ECSO) that will serve as the focal point for coordinating enterprise cloud initiatives and will assist components to coordinate and facilitate cloud service adoption within the VA. The ECSO will be staffed by multidisciplinary subject matter experts (SMEs). The office will also acquire cloud technical engineering services to accelerate cloud adoption. The ECSO will assist the VA enterprise to identify, acquire, migrate, and manage cloud services. It will maintain a VA Cloud Services Registry of cloud services and will develop and own the enterprise Cloud Services Catalog. In conjunction with the Technology Acquisition Center (TAC), the ECSO will also develop contract language and artifacts to assist teams in developing acquisitions that maximize use of cloud capacity and services.

[Text from Figure 2. VA Enterprise Cloud Strategy]
Labels: Govern; Identify; Migrate/Develop; Set Foundation; Manage and Operate
Identify candidate systems for the enterprise cloud
Migrate identified systems into the enterprise cloud and build new cloud-enabled systems
Establish a managed, secure, agile, cost effective foundation for VA enterprise cloud
Grow, recruit, and contract for expertise to manage and operate cloud
Stand-up, align, and execute cloud governance
VA Enterprise Cloud
IT Modernization: Efficiently, reliably control diverse VA computing resources while quickly implementing solutions that benefit Veterans at a lower overall cost
Increased innovation: Rapidly experiment with new features to better support Veterans
Enhanced security: Enhance Veteran information security
Transform the IT Workforce: Strengthen the OIT workforce to better deliver cloud-based services
Action 1.1.2: Architect and establish an Enterprise Hybrid Cloud Environment
Initially, the ECSO will instantiate two public commercial CSP environments. A private cloud will be created shortly thereafter to support low-latency data communication systems and unique system hardware configurations. These cloud environments will be implemented in accordance with the VA Enterprise Architecture.
Action 1.1.3: Operate, maintain, and support the VAEC
In coordination with the Demand Management Division standing up the ECSO, ITOPS is standing up a cloud service line that will directly support the VAEC by operating the General Support Services (GSS) and enforcing policies so that VAEC customers can benefit from the full range of National Institute of Standards and Technology (NIST) cloud characteristics in a secure, consistent, and reliable fashion.
Action 1.1.4: Implement Governance processes for hosting systems in the VAEC
The Senior Executive for VA Enterprise Cloud is the governing authority for the use of all VA cloud assets, including commercial cloud services, to ensure consistent utilization rates and execution in alignment with the VA Cloud Strategy. The Senior Executive will coordinate decisions with the applicable IT governance bodies. The Chief Information Officer (CIO) will approve coordinated decisions.
Action 1.1.5: Establish a Cloud Communications Program
The ECSO will establish a program to deliver on-going communications that foster understanding about cloud advantages among VBA, VHA, and NCA staff, who in turn will use cloud services for the benefit of Veterans. The ECSO Communications Program will build mutually beneficial relationships with other government agencies and private entities to leverage experience and cloud lessons learned, and generally advance the state of the technology. The ECSO will perform this action in concert with Goal 4.
Action 1.1.6: Develop Cloud Services Financial Management Strategy
Moving from a Capital Expenditures (CAPEX) model to an Operational Expenditure (OPEX) model will represent a paradigm shift in how VA acquires IT services. Proactive financial management of acquired cloud services will be highly important. The ECSO will develop guidance for tracking cloud service usage and for cost sharing known commercially as “metering.” The guidance will address concerns specific to CSP financial management such as activation, on-boarding, service fees, and invoicing.
Action 1.1.7: Establish a Cloud Performance Management capability
Each of the objectives listed in this strategy will result in measurable, quantifiable outcomes, with the sum of these outcomes resulting in the impacts that meet the strategy goals. To track the progress made towards achieving these goals, ECSO will establish a Cloud Performance Management capability. Such a capability will be designed to ensure that what's measured improves, and ECSO will continually seek ways for the enterprise to realize the full benefits of adopting the VAEC. With cloud governance approval, ECSO will work to define a set of performance measures, measurement intervals, and reporting formats or dashboards to track progress. ECSO will design and apply the measures to assess actions associated with managing and executing decisions toward achieving stated goals.
Specific cloud benefits that will be measured include:
Decreased infrastructure operations costs
Shortened system development cycles
Rapid adoption of innovation
Enhanced security
Increased scalability
Improved reliability and resilience
Better visibility into infrastructure operations
Improved Veteran health enabled by mobile and medical device technologies
Objective 1.2: Transform enterprise systems using the VAEC first
Action 1.2.1: Migrate Commodity Applications to CSPs
ECSO will migrate viable applications, including infrastructure, collaboration, and storage, to CSPs.
Action 1.2.2: Develop an Application Migration Strategy, including VAEC migration criteria
A substantial number of VA applications can conceivably move to a cloud environment. ECSO will develop application-specific strategies to evaluate the advantages of replacing applications with a cloud-hosted software service, refactoring applications to function in a cloud environment, re-hosting (“lifting and shifting”) applications to a cloud infrastructure, and revising, rebuilding, or retiring the system. This action includes creating an application maturity model to transfer and transform applications for the cloud.
Action 1.2.3: Ensure new applications conform to the VAEC architecture
The ECSO will evaluate all future program starts for procurement or development as cloud-based systems. VA will apply a buy-first strategy for all acquisitions, focusing primarily on the procurement of managed services through cloud vendors. The VA will procure commercial-off-the-shelf (COTS) software solutions as a second option, followed by in-house software development as a last resort.
Action 1.2.4: Create the Post-Migration Cloud Service Management Strategy
The ECSO will develop or leverage internal support structures for applications after cloud migration. These structures will span both technical and non-technical services important to cloud consumers, such as help desk, software tool support, networking, and identity and access management, and various other Operations and Support functions.
Goal 2: Introduce new, innovative capabilities and services for Veterans faster
Objective 2.1: Optimize agile, timely processes
Action 2.1.1: Continually improve processes for acquiring cloud capacity and services
The ECSO, in conjunction with the TAC, will develop a streamlined process for acquiring cloud capacity and services. The office will continuously improve the resulting cloud acquisition process based on lessons learned.
Action 2.1.2: Streamline processes for provisioning environments
The ability to rapidly establish development environments will be a cloud enabler for providing new services to Veterans faster. At maturity, provisioning timelines prospectively can be shortened from the current schedules (e.g., weeks/months) to hours. This should further promote agile development methodologies.
Action 2.1.3: Provide common cloud services
Leveraging common cloud services will reduce duplication of effort across VA application teams, simplifying transition and enabling teams to focus on delivering services to Veterans. Additionally, the VAEC will house common services within a limited number of standardized enterprise cloud environments rather than in many project-specific environments, thereby reducing vulnerability and allowing personnel to refocus activities. Figure 3 depicts an initial set of VAEC common services.
Figure 3. Initial VAEC Common Services [footnote 2]
Action 2.1.4: Continually Improve Security Timelines
In conjunction with the VA Office of Information Security (OIS), VAEC common services will improve security timelines. Initially these services will target reductions in Authority to Operate (ATO) decision timelines through ATO inheritance from CSP Federal Risk and Authorization Management Program (FedRAMP) inheritable controls and VAEC General Support Services ATOs. Figure 4 depicts the inheritance of security controls.
2 Internal VA Portal, VAEC website, https://vaww.portal.va.gov/sites/ECS/Pages/VA-Enterprise-Cloud-VAEC.aspx; accessed on 29 Jan 2018.
Figure 4. Security Control Inheritance [footnote 3]
As VA moves toward enabling on-going authorization using Information Security Continuous Monitoring (ISCM), the ECSO will collaborate with OIS to optimize cloud security timelines.
Objective 2.2: Leverage modern technologies and innovation to deliver improved mission capabilities for Veterans.
Action 2.2.1: Enhance adoption and adaptation speed for third-party commercial or Government-off-the-shelf (COTS/GOTS) cloud capabilities
The ECSO will leverage and provision innovative COTS/GOTS cloud capabilities created by third-party developers.
Action 2.2.2: Provide the VA research community and external partners with ubiquitous cloud computing capabilities and data access
Working with the VA research community, the ECSO will develop policies for hosting the software and data associated with research programs that have specific security, privacy, and data ownership requirements.
Action 2.2.3: Enable applications for mobile devices; enable Internet of Things (IoT) medical devices
The realm of mobile and IoT technologies is rapidly advancing, and has significant importance to the future of healthcare IT systems. Because the VAEC will enable VA adoption of a wide array of mobile devices and the storage, computing, and advanced analytics associated with IoT data, the ECSO will work with organizational stakeholders to develop policies for hosting such data.

3 Internal VA Portal, VAEC website, https://vaww.portal.va.gov/sites/ECS/Pages/VA-Enterprise-Cloud-VAEC.aspx; accessed on 29 Jan 2018.
Goal 3: Expand enterprise computing capability while improving Veteran and VA data privacy and security
Objective 3.1: Safeguard cloud services
Working with the Cyber and Information Security Officer (CISO), the VAEC will build a foundation for a safe, secure, and resilient VA cloud-based system that enables and supports the modernization of the VA IT environment.
Action 3.1.1: Leverage FedRAMP-authorized solutions
Most, if not all, of the CSPs contracting with VA will be mandated to meet FedRAMP and/or Federal Information Security Management Act (FISMA) compliance standards with a published set of security control mitigations. This will provide VA with a complete understanding of the security posture for its cloud platforms.
Action 3.1.2: Develop and execute the VAEC Security Strategy
The CISO organization will produce an authoritative, practical artifact to guide and coordinate cloud security activities across VA organizations and the system lifecycle based on the Framework for Improving Critical Infrastructure Cybersecurity developed by the NIST.
Goal 4: Transform the IT workforce
The most valuable VA resource is its people. This cloud strategy will promote the creation of workforce cloud literacy and the simultaneous development of cloud-based competency models.
Objective 4.1: Strengthen the current OIT workforce to enable staff members to better use cloud technologies to deliver services
The OIT workforce requires cloud skills to effectively and efficiently outsource IT computing capability to third-party providers. OIT will need more staff familiar with evaluating and selecting cloud services, negotiating Service Level Agreements (SLAs), and effectively overseeing CSPs. Cloud-based workforce skill sets will include IT and IT operations, software engineering, network engineering, cybersecurity engineering, acquisition and program management, and contracting.
Action 4.1.1: Repurpose, retrain, and redeploy staff to meet changing needs
In conjunction with the Education Office, the ECSO will develop a VA cloud curriculum and an on-the-job training program to foster cloud knowledge assimilation, expertise, and skills across VA OIT.
4 Critical Dependency: Network Modernization
Network modernization and internal infrastructure upgrades are critical to VAEC implementation. As VA migrates applications to the cloud, network traffic that may previously have been confined to local area networks will traverse wide area networks to reach the CSPs. This will require network traffic to traverse one of the Trusted Internet Connections (TICs). Each TIC security appliance must process the traffic transiting it, and merely increasing the bandwidth to the TIC does not represent a solution to accommodating the greater throughput. Instead, appliances must examine the network traffic flows, where traffic originates and terminates, and dependencies on other applications. This requires end-to-end network capacity management.
To mitigate the potential performance latency issues that can arise as the result of increased network traffic, VA will have to establish end-to-end SLOs and SLAs and institute end-to-end network performance monitoring to ensure that CSPs meet the requirements. As a result, VA OIT will have to model the network and perform predictive network traffic engineering. Thus, one aspect of the cloud transition effort will require application providers to inform OIT network engineers about application characteristics so the network can be properly configured to support it. Further, VA will work with the Department of Homeland Security to modernize TIC policy, fully enabling the VA to benefit from its cloud strategy.
The network modernization efforts already underway as part of the IT Comprehensive Plan are key to the success of cloud migrations. The ECSO will coordinate closely with these activities.
5 Next Steps
The strategy described above supports the overarching intent of the VA 2014–2020 Strategic Plan, while providing ample opportunity and justification to modernize the VA enterprise computing environment. Moreover, it will guide the development and refinement of more detailed implementation plans, which will be the key to executing the VA’s vision for cloud computing. By resourcing and implementing this strategy, the VA will set the foundation for enterprise cloud computing, realizing its vision to “Modernize our Systems.”
Future activities will create a strategic roadmap laying out the goals, objectives, and actions identified in this strategy on a timeline. The VAEC Concept of Operations will provide guidance about how to implement the cloud strategy. Finally, the VAEC Operational Guide will serve as a tool to gain consensus among Information Technology Operations (ITOPS) stakeholders about the operations, support concepts, and capabilities of cloud services. The Operational Guide will focus on the delivery and performance of cloud services in the intended operational setting to illustrate how the OIT will use the cloud to support VA enterprise operations.
Appendix A: References
Department of Veterans Affairs Memorandum, Subject: Use of VA Enterprise Cloud to Host Applications, John P. Everett, Executive Director, Demand Management Division, EPMO (OIT), and Luwanda Jones, Interim Lead, Strategic Sourcing, Office of Information and Technology (OIT), 16 Jan 2018.
OIT Comprehensive IT Plan, 20 Sep 2017, pp. 2–5.
VA Handbook 6517, Risk Management Framework for Cloud Computing Services, 15 Nov 2016.
A Strategy for VA Cloud Adoption, DRAFT, v. 1.0, June 2015.
VA Directive 6517, Cloud Computing Services, 28 Feb 2012.
The Federal Cloud Computing Strategy, U.S. Chief Information Officer (CIO), 08 February 2011.
Appendix B: Acronyms
ATO Authorization to Operate
CIO Chief Information Officer
CISO Cyber and Information Security Officer
COTS Commercial off-the-Shelf
CSP Cloud Service Provider
ECSO Enterprise Cloud Solutions Office
EPMO Enterprise Program Management Office
FedRAMP Federal Risk and Authorization Management Program
FISMA Federal Information Security Management Act
FY Fiscal Year
GOTS Government off-the-Shelf
IT Information Technology
NCA National Cemetery Administration
NIST National Institute of Standards and Technology
OIS Office of Information Security
OIT Office of Information and Technology
SLA Service Level Agreement
SLO Service Level Objective
SME Subject Matter Expert
TAC Technology Acquisition Center
TIC Trusted Internet Connection
VA Department of Veterans Affairs
VAEC VA Enterprise Cloud
VBA Veterans Benefits Administration
VHA Veterans Health Administration