Page 51 - FCW, May/June 2018

                                                                                              fied, and you cannot upgrade.”
There was little argument, however, that the government adds value below the platform layer. “We don’t need to run the infrastructure as a service,” a participant familiar with the government’s IaaS experiments said.
Split opinions on SLAs
Outsourcing to service providers — whether it’s for infrastructure, platforms or software — requires a clear allocation of risks and responsibilities, which the group acknowledged was still a work in progress. The government’s own compliance and reporting requirements have not fully kept pace with as-a-service realities, some participants said, but agencies are also struggling to craft appropriate service-level agreements with cloud providers.
One executive questioned the fundamental premise of an SLA: “What’s the SLA going to accomplish? If the vendor doesn’t meet their SLA, the only thing they can do is give you credit. They can’t give you your money back. That’s against the law.”
Others questioned that interpretation and argued that certain performance-based contracts can refund money without running afoul of the Antideficiency Act. But they agreed that, even for services authorized by the Federal Risk and Authorization Management Program, SLAs are not doing enough to simplify risk assessments or the required compliance efforts.
Although a limited set of physical and maintenance controls can be inherited, one participant said, “for the rest of it, you’ve got to look at it line by line and ensure your portion of the job is properly done and accounted for.”
And although much of the foundational security is handled by the cloud service provider, another said, it’s the agency that must report on the status of those efforts. When the Department of Homeland Security wants proof of appropriate patch levels, for example, “we turn around and ask the PaaS or SaaS providers. They are like, ‘Why are you asking about servers? That’s our business.’ But when they are asked, ‘Are you going to report it?’ the response is: ‘No, that’s not our job. DHS did not ask us. They are asking you.’”
Others, however, said negotiating the SLA can prompt those conversations upfront. “It really forces you to think: What are your operational procedures for certain things?” one executive said. “What is your incident response procedure? Let’s write it down and figure it out.”
Another participant, who works with a broad range of stakeholders on their cloud efforts, praised SLAs for a different reason.
“I use SLAs every single day, believe it or not, for engineering purposes,” the official said. “When they screw up that architecture, I can use their SLA number and calculate what the uptime is going to be. I say, ‘You are at 98 percent availability right now. Your architecture sucks.’”
   PERSPECTIVES
PARTICIPANTS
Royce Allen
Chief, Enterprise Security Architecture, Department of Veterans Affairs
Surendra Babu
Information System Security Manager, Department of Education
Richie Balkissoon
Cloud Architect, Department of Homeland Security
Chris Chilbert
CIO, Office of Inspector General, Department of Health and Human Services
John Hale
Chief, Cloud Portfolio Office, Defense Information Systems Agency
Scott Kaplan
Chief of Cloud Security, National Geospatial-Intelligence Agency
Shashank Khandelwal
Acting Director, Cloud.gov, 18F, Technology Transformation Service, General Services Administration
Diego Lapiduz
Chief Information Security Architect, Azure Government, Microsoft
Alan Ning
Site Reliability Engineer for Department of Veterans Affairs, U.S. Digital Service
Crystal Philcox
Director, IT Services, Federal Acquisition Service, General Services Administration
Thomas Sasala
Director of the Army Architecture Integration Center and Chief Data Officer, U.S. Army
Ed Simcox
Deputy CTO, Department of Health and Human Services
Srini Singaraju
Chief Architect, Cloud Solutions, General Dynamics IT
Will Slack
Federalist Product/Business Owner, 18F, Technology Transformation Service, General Services Administration
Navin Vembar
CTO, General Services Administration
Note: FCW Editor-in-Chief Troy K. Schneider led the roundtable discussion. The April 18 gathering was underwritten by General Dynamics IT, but both the substance of the discussion and the recap on these pages are strictly editorial products. Neither General Dynamics IT nor any of the roundtable participants had input beyond their April 18 comments.