analytic services and the 
opportunity to move many of our 
legacy applications and systems 
into a much smarter streamlined 
environment. It was very it was 
a win-win all around.
You're going to hear not only in
our session but in later 
sessions about specifics of how 
you accomplish that in today's 
world, where you have the 
opportunity with public Cloud as
well .
Because of the complexity that 
you want to reflect in what you 
provide to your end users and 
customers, you want to reflect 
that complexity but do so in a 
clean, streamlined
ITR to architecture so that your
environment make sense and you 
still save the money. That's 
what our business does.
One last point, one thing you 
probably are anticipating
is what we already heard was the
pace of change. I want to 
underscore how important it is, 
and how refreshing to have a 
close partnership between 
government and industry.
Today, if you read headlines, 
you've seen just in the past 10 
days a lot of I think, sitting 
here in Washington DC, a lot of 
disturbing headlines about a 
growing gulf between
homegrown American Silicon 
Valley companies, and the U.S. 
government. We have had multiple
cases of controversy with Google
and Microsoft and others, 
Amazon, where employees, small 
breast roots efforts within the 
companies, to try and divorce 
those companies from doing work 
for the government. I have lived
both sides. I have been in the 
government and still advise the 
government as counsel. I want 
you to know that the reason we 
are here and companies like mine
are here, the reason we partner 
so closely
with the United States 
government is because it is 
really critical, the services 
you provide, is particularly 
GSA, do so much important work 
for all of the agencies, which 
are reflected there.
This is the cutting edge, the 
front of cloud computing, -- 
Cloud computing, what serves 
today as and to end  
virtualization of all services. 
VMware started selling 88% of 
the world's data centers, they 
use VMware. GSA has been using 
them for 20 years. Like my old 
agency. It started as 
virtualizing both x86 servers on
the basement, and it now has 
gone through virtualizing 
storage, and software defined 
networks, abstracting away the 
network architecture, and now 
doing endpoint management and 
global IoT management through 
abstraction. That is cutting 
edge. It is rewarding to see. It
is refreshing to see that GSA is
having this reverse industry 
training, because the commercial
world is making some exciting 
advances. I know that government
relies on those and I'm happy to
be here to help. 
>> Thanks. I'm getting some 
feedback that maybe
we want to make sure we are 
holding the microphone close so 
everyone can hear. 
>> No problem. 
>> My name is Noah Goodman. I'm 
with a small company called [ 
indiscernible ]. I sit between 
VMware and Microsoft so I bring 
a very different perspective. We
are a small business. We are 
under 27 [ indiscernible ], I'm 
the hub zone company. We have a 
very different perspective on 
some of these things. My 
background is within security. I
have been at DHS for literally 
from the inception, prior to the
department, I was with FEMA, the
Corps of Engineers, working in 
emergency management landscapes.
Coming to my company, we started
by physically moving 
infrastructure servers when DHS 
started doing data center 
consolidation. We had servers up
in coop sites, we have servers 
at the national labs, and one of
the things we first started 
working on was physically moving
things. U-Haul's, plugging and 
USB drives, physically moving 
things down to the data centers 
when the two data centers at DHS
up and everybody had data center
consolidation efforts going on. 
Much of what we have done since 
that time or deliver 
applications, we are a pure app 
dev company. We deliver mission 
applications. One of the things 
I was telling Dan earlier, yes 
we are small, but we are a small
business behind the scenes. You 
don't hear about us because we 
are the guys building the tools 
that are supporting national 
operations. We have client bases
across the entire department 
from super service to 
headquarters to FEMA to ice and 
so on. We have been able to see 
the transition of the 
department, the department is 
still very young. Compared to 
the rest of the folks around 
here. Watching the transition of
DHS, procure I.T. services, bill
technologies, consolidate them, 
now with many efforts, 
especially with the new [ 
indiscernible ] department of 
moving to the Cloud,  there is a
lot of an edict about getting 
out of data centers, there are 
milestones to get there. Working
with the department and being 
able to move systems, physically
move them, deploy strategies and
services and applications, into 
cloud service providers, is one 
of our big efforts right now. I 
get to sit on a number of cloud 
IPT's and TIO councils at the 
headquarters level across the 
department.
We talk about migration patterns
and adoption patterns, and it's 
interesting to see, because when
you look across the department, 
you have very fast adopters.
Trend 22 and FEMA came out very 
early. -- ICE and FEMA came out 
very early.  There is a large 
range of opportunity at the 
department from the acquisition 
and adoption sides. On how to 
get things going. One thing I'm 
very interested in today is to 
hear about adoption patterns and
migration pathways,
strategies to do things. As well
as hopefully get the chance to 
talk to you about some of the 
things we've been doing at the 
department, some of the things 
we have seen, the pitfalls. And 
talk through some of this in an 
honest and open form. Thank you.
>> Thanks. Susie? 
>>
Susie Adams, I'm the CTO for 
Microsoft federal business. I 
live in the Washington DC 
region. I have been supporting 
the federal government for 
almost
30 years and of right of 
capacities. I grew up as a 
technologist so I was a 
developer, worked on AV systems,
have done pretty much, I was in 
Oracle DBA, whatever the U.S. 
government needed. I was pretty 
much put in that role, moving up
through consulting
. I've been with Microsoft for 
about 20 years. Specifically 
I've been working with Cloud in 
the federal government since 
2010. How many people remember 
2010?  Matt? When we first 
started with the GSA Cloud,  
that was out there, I remember 
thinking, when we were all 
looking at the RP that came out,
wow, this looks like a 
traditional RP with just a 
sprinkle of Cloud.  And we were 
trying to figure out, how do we 
actually come what is different 
here? What is the difference 
between how you would procure a 
normal software product and 
Cloud? I remember discussions 
about, do we need to change  the
[ indiscernible ], I remember 
that. And everybody was really 
nervous that you could not buy 
Cloud without doing  something 
completely different. What we 
have learned over the last eight
years is that it is not the 
case. It is absolutely a 
different model. As Lewis said, 
it is virtualizing basically 
everything. You're going to go 
from a [ indiscernible ] model 
to a [ indiscernible ] model, 
that is different for sure. The 
pace of change is dramatically 
different. With our Azure Cloud,
we released new updates  20 
times a day. With new pieces of 
functionality, that you are 
going to want to be able to use,
without having to go and have 
some type of contract motion. 
That is hard to wrap your mind 
around. How am I going to do 
this? As we see, people are 
starting to understand that what
we are trying to do is, you have
to be almost more vague in the 
contracting language. You never 
know how much it will change 
during the period of the 
contract. That is tough. That is
not an easy thing to wrap your 
mind around. Hopefully today we 
will get to some of these other 
challenges. There are huge 
differences, what is the 
handshake
between the cloud vendor, like 
Microsoft, Amazon, VMware, and 
the government? Who is 
responsible for what? What 
happens if there is a security 
breach? How do you know where it
was? These are all very 
different things. We are used to
outsourcing. There is a single 
belly button to push. Now both 
sides have response to these. 
You -- responsibilities. You 
need to think about that and 
take care of those both 
contractually, and from a 
technology perspective.
The last thing I will say is in 
2010 I sat on a panel at a 
procurement conference,
and it was three technologists 
and a lawyer. And every question
we got caught when we got to the
lawyer he said put it in the 
Cloud and the lawyers will come.
What do you mean? We had no idea
what he was talking about. It 
should not be something you are 
scared about. The Cloud offers  
so much capability that we could
never get access to. Inc. about 
the datum and machine learning, 
and artificial intelligence. 
Only the big three letter 
agencies were able to have that 
type of capability. And on a 
very limited basis and it was 
super expensive. Now anybody can
go and create a bot. And you are
only going to pay for what you 
use on the consumption spaces. 
That is huge. Think about data, 
and what you can do with data.
Think about what you do from a 
cyber security perspective. 
Being able to find that needle 
in a haystack. Without having to
look at a run report, just look 
at net flow data. This gives us 
such opportunities and I think 
the opportunity is for us to 
figure out, how to accelerate 
that adoption inside the federal
government, so that we do not 
fall behind. The world is using 
the Cloud.  It is not something 
that is going to go away. We 
need to learn how to quickly 
snap into that model. 
>> Awesome, thanks to Susie. 
>> Maybe we can start out before
we get to the good stuff on best
practices, maybe we can start 
with from each of you, what is a
key challenge you have seen with
the Cloud migration effort?  Was
it the strategy or technology or
security? The workforce? I'd 
love to hear from each one of 
you regarding that. If you could
go back and do something 
differently, if something could 
be done differently, with 
respect to Cloud migration,  
from acquisition to delivery. I 
would appreciate your 
perspectives on that. 
>> I will start. There are a 
couple of things.
The first is, most people think 
they can procure the Cloud and 
connected and they are done.  It
is not like that. You have to go
and clean up your own house. You
have to make sure you have a 
good security strategy, that you
understand the handshake between
you and the Cloud provider that 
is giving you the services,  
some of the agencies that we 
have dealt with, had not looked 
at their active directory in 10 
years. Had not cleaned it up. 
They had not looked at their 
network infrastructure. They did
not have inventory of 
applications that were running. 
All kinds of integration issues 
occurred right off the bat. It 
stops you did. You really have 
to look at what is going on 
inside your environment today, 
and have a good strategy for how
to connect to the network. That 
is one of the biggest hurdles. 
The second disc I have a good 
strategy for how you are going 
to remain compliant. With 
FedRAMP. How you're going to get
applications through your in 
terminal FedRAMP approval 
processes after you're connected
to the cloud because these 
application, what we're finding 
is, once you get to the hurdles 
of connecting to the Cloud 
environment,  you have a 
directory, and identity 
approach. And you are looking at
building
apps so the next thing is, once 
you build the app, nobody can 
consume it because it is not 
compliant. You have spent a year
getting onto the Cloud,  and 
seeing little or no value. These
are things you need to think 
about. Right at the beginning. 
So you can make sure that once 
you are connected, you can 
easily take advantage and start 
to migrate applications. The 
last thing I think we see in 
agencies, or changing 
management. Helping your 
end-users understand what is 
different, make sure they know 
what the guidelines are,
and then make sure you have a 
management strategy. How are you
going to manage those resources 
in the cloud? Most every agency 
today is using at least one 
Cloud if not more. 
How many people are in an agency
that are using three different 
Cloud providers for different 
services?  Really? That many? A 
couple of hands.
I think we have ...'s is better?
-- Is this better? Okay. That's 
better.
What we are saying is, you have 
to have a management strategy. 
You have to understand how the 
billing and chargeback is going 
to work and put that management 
strategy in place. If you can 
work through those four things, 
those of the biggest hurdles we 
see for Cloud adoption. 
It is not necessarily 
acquisition as much as once you 
have acquired it, how do you 
implement it and start using it?
>>
I cannot echo enough what Susie 
just said.
The concept of technical
debt, you have legacy 
infrastructure, legacy software,
legacy applications and 
services. When you look to move 
to the Cloud,  you have to know 
that. You have to know that debt
ahead of time before you start 
planning. That gets into some of
the conversations about your 
strategies,
whether it is lifted shift and 
re-factor and reengineer and all
of these different things you 
can do with the applications, 
but you have to understand what 
you have in house right now. One
of things I will probably harp 
on a bunch this morning, or 
planning. I have the honor I 
guess, of living this right now,
we are moving major systems out 
of a data center, and we are 
going through a plan right now 
in understanding how to get this
thing out of there. It is a 
national security exemption 
system, it is a 24 seven 
operation. We have many 
challenges about how to get this
physically out of the data 
center and moved up into the 
Cloud.  Working with your 
security teams, your security 
assessment teams, your 
assessors, physically grabbing 
that, having them with you. You 
cannot do this without having 
people on board. Whether it is 
your program managers, your 
system owners, or your 
authorization officials. One of 
the things we dealt with last 
year was, we just got a 
three-year ATO, and then we 
said, sorry, we are moving it to
the Cloud in our security 
oversight 
what the hell are you doing? I 
just spent these resources ATO 
and you and now you are telling 
me you're going somewhere else. 
And I have to ATO you again. The
ability to take him and sit down
with him and talk through how we
are going to do this. The plan, 
the things we have to understand
about the system, these are 
critical. Don't short change 
yourself on a planning phase.
There are many things out there,
we want to get there fast, and 
we want to get adoption fast. 
Maybe we are time boxed and 
constrained. Somebody says you 
have to be out by a certain 
date. Do not shortchange 
planning. Do not shortchange the
effort that it takes to get 
people in the room. Whether you 
have to physically move people 
into rooms and talk to these 
challenges. Pay attention to 
that. That gets into 
understanding your system like 
Susie said. The concept of
debt, what are you bringing up, 
what do you have to reengineer, 
what can you just simply move 
into the Cloud?  Those are 
probably some of the biggest 
things we have seen over the 
past five years. In working with
some of these mission systems 
and moving them up. Again, I 
will say it again, planning, 
planning, planning. Do not 
shortchange planning. 
>> Everything they said.
To answer Dan's question, I 
think one of the biggest 
pitfalls is that we fool 
ourselves a lot. On Cloud 
adoption.  We do that in two 
ways. Number one, from a 
government perspective, we fool 
ourselves sometimes with senior 
management, closure ears here, 
I.T.
often ... inadvertently leaves a
misleading impression in the 
minds
of senior, senior leadership. 
This may not be the case with 
Miss Murphy. And other agencies,
we are going to the Cloud, we 
have decided to go to the Cloud,
we have adopted the Cloud.  I 
have a hunch that some of you 
who did not answer to Susie's 
question how many of you are 
using three or more Cloud's, I 
have a hunch  you might be even 
if you did not raise your hand, 
unwittingly. That may be 
inadvertent. Or it may be by 
choice, a function of the 
reality of the complexity of 
your enterprises.
I'll put it this way. When we 
talk with commercial customers, 
large-scale commercial 
customers, Wall Street, global 
financial enterprises, what they
ask for is, give me a unified 
digital platform. Help me have a
digital platform that is 
ubiquitous and is capable of 
supporting everything into and 
virtualize,
from on premise data centers, 
which I am still going to have, 
for at least a well, and in some
cases for security in other 
governors purposes forever. 
Through hybrid cloud and public 
Cloud integration,  notable 
Cloud environments,  multi Cloud
environments are not the enemy 
they are the reality.  What you 
really want is the ability to 
manage that complexity and gain 
the advantages of cost, and 
risk, and performance that using
Cloud services provides.  But 
understanding, don't kid 
yourself that you are going to 
be supporting a multivariate 
kind of complex hybrid 
environment in any case, and 
talk to industry, which does 
that. And provide that for 
customers.
We talked about procurement, 
Susie mentioned that the 
impossibility
of having ... transitioning 
legacy
rules to modern cloud 
acquisition and procurement,
I saw some of the other sessions
during the day, they are going 
to be talking specifically about
what acquisition officers and 
practices are doing in terms of 
new approaches
for paying for consumption based
services.
Another aspect of fooling 
ourselves I think is that all of
these cost savings, from moving 
to Cloud services,  can be 
immediately transitioned into 
other mission services. One 
thing to keep in mind, a best 
practice tip, that commercial 
practices use, or, anticipate 
what Noah was saying about 
planning, anticipate that some 
of the savings you reap from 
lower-cost services provided 
through Cloud,  some of that 
money you're going to want to 
retain within I.T. for 
innovation purposes.
I think of, if I am not 
mistaken, GS-8 budget is like 
$10 billion? $10.7 billion is 
next year's budget? That is 
roughly the same size as VMware,
it is nine billion-dollar 
revenue company. How much of the
I.T. budget, how much of that 
revenue, of that 10 billion,
goes to a standard industry 
metric for Silicon Valley for 
tech companies, RND? In RND a 
kind of best practice metric for
traditional corporate companies,
try to spend 3 to 5% of your 
revenue revenue on
R&D.  Amazon spends 12% of its 
revenue on R&D, Microsoft spends
about 13%. The kind of young,
really cutting edge companies, 
Facebook spends 19% this past 
year,  of its revenue, on R&D.  
VMware spent 21%. 21% of a 
budget about the size of GSA, we
are spending a fifth of that 9 
billion at one out of every five
dollars on R&D.  Can you imagine
what GSA services would be like 
if you were spending I don't 
know, $2 billion a year on R&D? 
You have the I.T. modernization 
fund, which is 110 million I 
think.
One of the things you will be 
able to do in planning, as you 
and your other agencies continue
to adopt Cloud services , and 
moved to the new paradigm, as 
you will be able to reinvest the
savings both to mission, but 
also
within your I.T. enterprises, to
be able to actually afford to do
true innovation. That is another
aspect were industry can help. 
>> Just add,
when I think of the term I.T. 
modernizations, I go back in my 
headline thinking, I'm going to 
take an application and I'm 
going to go get the 
requirements, and I'm going to 
use newer technology. To 
implement the same process. The 
way that we think about I.T. 
modernization is more digital 
transformation. It is not doing 
things the same way, you have 
new tools available to you, that
allow you to be really 
innovative in how agencies 
provide citizen services. How 
you secure the services. The 
capabilities really are endless.
We are encouraging agencies to 
look towards moving to the 
Cloud, is not look to take 
everything they have today.  
Using the same process. It is 
actually to try to be innovative
. Look at the new capabilities 
and technologies that are out 
there, that could help you 
deliver more innovative 
services. And maybe sunset a lot
of what you already have. Which 
will help you even save more. I 
do think that if you can think 
about that way, think of it more
as a transformation instead of a
modernization, and the 
traditional modernization type 
of contract that we usually see.
They should say digital 
transformation really. 
>> That's an excellent point 
Susie. Susie touched on it, 10 
years ago, Cloud ,
that hybrid cloud, no multi 
Cloud.  Can you guys talk to me 
about the pros and cons of a 
multi Cloud architecture versus 
maybe  a single commercial 
Cloud? Infrastructure?  
>> I think it was IDC last year 
that said that every labor
-- major corporation will have a
multi Cloud hybrid 
infrastructure by 2018.  Inc. 
about that. Every major 
corporation. Today I think it is
true across the federal 
government,
whether you are using salesforce
Amazon or Microsoft, or Amazon 
and Microsoft together, or have 
a dropbox, the list goes on of 
the different Cloud tools you 
can be using. 
The challenge with multi Cloud 
is what I call Cloud creep.  You
have the behind-the-scenes folks
using any Cloud they want to 
use,  which is a huge security 
problem, to not know where your 
data lives. What you are seeing 
now in the I.T. industry, is 
much emphasis on how do you 
manage
your hybrid infrastructure, how 
do you know what Cloud services 
your end-users are actually 
using? How do you know where 
your data is? 
Instead of securing your 
perimeter, your security 
perimeter has changed. It is no 
longer guards and gates and 
guns. And just your contractors 
out there, at the network edge, 
all data is protected. You now 
need to look at and follow data 
regardless of where it lives. 
That is a huge paradigm shift 
from a security perspective. 
What you are seeing now are 
tools coming out to help you 
manage that. The reason these 
tools are coming out, they are 
not expensive,
is because of the Cloud. Because
these tools live in the Cloud 
and they help you manage  this 
new digital estate that spans 
data in your data center, and 
legacy systems, data in the 
Microsoft cloud, Amazon cloud 
the VMware cloud, regardless of 
where it lives, on any device. 
It gives you that perspective
of, who is using what, where 
data is going, and it helps you 
manage that environment. Is 
everything you need to feel 
safe, we have work to do in the 
industry to make these truly 
enterprise cop for very large 
organizations, there are still 
some gaps out there. But they 
are not big gaps. Those gaps 
will be closed in a matter of 
months not a matter of years. 
You're going to be able to see, 
this is not a big deal. You will
be able to visually see where 
your data lives. And be able to 
manage that. It will be 
ubiquitous. It will not matter 
anymore. I truly think that 
multi Cloud, we are already 
here.  I think you are going to 
see the challenges understanding
how to manage it. And getting up
to speed on the new technologies
out there. 
>>
That was an interesting 
statistic. We are a 120 person 
company. We run Office 365, 
salesforce, we have our dev 
sites and Amazon.
That's crazy, right? Where 120 
person company yet we are in the
multi Cloud environment.  The 
same can be said for many of my 
customers. Especially on the 
mission side. Look at FEMA, FEMA
deploys people to the edge.
We have to send data to those 
people at the edge. One of the 
things we look at when we are 
building some applications or, 
how can we get the services, 
this content, this data, both at
the consumption side and the [ 
indiscernible ] side as far out 
as possible and still in a 
secure mechanism. One of the 
things we work with at FEMA is 
around damage assessment.
Post-disaster you are sending 
thousands of people into the 
community to do damage 
assessment. They are using 
mobile tools, they are in 
network limited environments. 
How do you secure the in just as
well as the dissemination of 
data?
And multi cloud environments one
of things we have to look at is 
not just the hosting of 
infrastructure and applications,
and how are we moving the data 
out? How removing the data to 
the edge? We see this daily. We 
live this daily. In the security
apparatus that has to fit around
this is absolutely instrumental.
As the services advance, as the 
security apparatus advances, and
we can take advantage of multi 
cloud solutions, you are going 
to see more capability being 
able to push farther and farther
out. That is one of the things 
we are very interested in. I am 
very pleased to hear about this,
and listen to Susie talk about 
the big industry side. These are
the things that I have to take 
advantage of as application 
owner and developer,
working with my clients. I have 
to rely on these capabilities 
and the services gusto as they 
come out, is up to us to figure 
out how to implement them and 
use them insecure them. How do 
we work with our acquisition 
teams to get there? How do we 
work with our security officials
to secure them? And so forth. It
is a very interesting dynamic. 
Moving away from traditional one
Cloud environments and now this 
multi Cloud environment.  
>> Thank you.
I think the best advice to 
anybody asking themselves about 
whether or not we are going to 
have a mulit-Cloud environment  
is to embrace the reality that 
Susie and Noah talked about. 
Embrace the reality. When we 
walked in here, people were 
setting up the slides. And we 
saw that GSA uses Gmail. Google 
suite. And also PowerPoint. And 
I would suspect that somewhere 
here in the building, or at 
least in the app dev world of 
GSA, and certainly its 
customers, that there is a lot 
of open source app development 
and app support. That is the 
reality. That's what I mean 
about not fooling ourselves. 
Embrace the complexity because 
it provides the flexibility that
you need to provide the kinds of
diverse and multivariate 
services that your customers 
need. It is kind of the GSA way.
GSA is the unseen electricity
providing a variety of real 
estate, and acquisition, and 
technology, and a wide variety 
of mission supporting services. 
Ubiquitously across the 
government. When somebody comes 
to you with what they think is a
unique and new and exotic 
request, you have probably heard
it before. You already do that 
somewhere else in a corner of 
the government. That is what you
want to be able to architect and
construct and manage,
in your hybrid cloud 
environment. That is the kind of
thing ... the roots of VMware 
are in this very construct.
VMware, if you think back, it is
20 years old. 20 years ago it 
was exotic to be able to have, 
on a single piece of hardware, 
on a single server, to have a 
processor running multiple 
operating systems.
To be able to boot up two 
instances of Windows, or one of 
windows and one of Linux, or 
MacOS. That became exotic. It 
was emblematic implementation of
Moore's law were all of a sudden
you could do multiserver 
virtualization on a single piece
of hardware. It skyrockets
in terms of the complexity you 
are able to manage, the 
flexibility you can offer. The 
vast performance that you can 
provide at increased levels, at 
lest costs that's where the 
magic of technology, that we all
love, embrace that. There are 
new tools and methodologies to 
be able to provide managerial 
automation for the management of
that kind of complexity. That is
what industry is doing. And 
using machine learning, that is 
where most of us see, on the 
VMware research site and the R&D
team that's were we are spinning
the investment,  is putting 
within the automation of all of 
the complex orchestrations of 
the services. Automating as much
as possible. The phrase that VCs
like to use, I think Mark 
Andreasen, software eats the 
world, everything is becoming 
software. The answer that 
question is embrace that kind of
aggressive new opportunity of 
new managerial automation, and 
virtualization through software.
It is really exciting. 
>> A good stuff Lewis. I heard 
each of you talk about Cloud  as
this enabler for digital 
transformation. I heard you talk
about multi cloud and different 
architectures and 
infrastructures, to address 
different services that are also
needed for that digital 
transformation.
We think about moving to the 
Cloud, and thinking about 
embracing it,  there are 
different approaches. There is, 
we could lift and shift, move 
our workloads over. Or we can 
take this far to the right 
spectrum, going from Cloud ready
to Cloud native,  I will start 
with you know is and she's 
talked about planning. And maybe
then Susie also since you tucked
on touched on change management.
How should an organization think
about, here is my portfolio of 
stuff, here is my asked,
what should I lift and shift, if
anything? How do I go down that 
road map of actually moving my 
workloads and how do I go to 
that decision process? I would 
appreciate your perspectives on 
that. 
>> Short. Again, I am living 
this in real life. One of the 
things we have to deal with with
some of our systems, and I said 
this earlier, were time 
constraints, the time box. 
Working with my product owners 
and system owners, my PMs, in 
the federal space as well as on 
my teams, what we have to do is 
a constant deep dive -- deep 
dive and dialogue and decoupling
of what we are trying to do in 
the Cloud.  If it is a race, it 
is a race. I have an edict to 
get to the Cloud as fast as 
possible.  I don't want to 
sacrifice quality. I don't want 
to sacrifice performance. Part 
of that planning phase is trying
to understand not only the 
models, but the concept of
debt. Look at your application, 
understand what it is, what do 
you have, both of the 
infrastructure and services and 
security levels, and that how do
you decompose that into what you
need in the future? How do you 
migrate that? In typical data 
center operations, nobody else 
is responsible for that.
Somebody is your network 
operations team, your security 
operations team, somebody is 
providing Internet and firewall 
protection. Now that is your 
job. You have to plan for this. 
You have to figure out how 
you're going to do this. One of 
the things we have been 
challenged with or time 
constraint. That is the way the 
world is going to be.
But we have to constantly work 
with our team members, our 
product owners and system 
owners, to help them understand 
what that means. If lift and 
shift is the fastest way, it is 
the fastest way. But you have to
understand what you are going to
carry with you when you do that.
And the security side, I will 
harp again again on this. Again 
and again on this. One of things
we are challenged with is the 
concept of tenants. You have a 
general support services, GSS, 
and you have tenants that have 
to plug into this. There has to 
be a security mechanism for 
people to do it. Working with 
security officials and the 
assessment teams, and being able
to say, I have to plug in, I 
have to do all of these things, 
how do I decompose my systems 
and applications to be able to 
do that? What is the speed and 
scale?
It is going to vary. It will 
vary at the portfolio and 
maturity of agency as a 
department, maybe you have 
mature programs and migration 
strategy, maybe you don't. Maybe
you have time constraints or 
physical constraints. It is 
trying to get to the bottom and 
decompose the why you are doing 
this, what you are trying to get
out of it, what you are trying 
to do in the Cloud,  and that 
approach is going to help you 
understand whether it is true 
lifted shift,
Cloud native, containerization, 
taking advantage of services, 
all of these great things that 
we can do with our applications.
Because of you don't understand 
that, you're going to be saddled
with the debt in the future. 
You're going to sacrifice 
quality. You're going to 
sacrifice something in the 
future if you rush to the 
judgment of decisions and so 
forth. 
>> I completely agree with Noah.
As I was working with a large 
branch of the military, and this
one group, we went in to talk 
with them and they said we have 
600 systems of record. That we 
all think have authoritative 
data in it. I'm like 600? Do you
know what they all are? No. We 
are documenting that now. When 
you think about that concept 
alone, when it comes to, getting
your own house in order. I think
it really starts with, you have 
to do that inventory. You have 
to know where your data is. Who 
is using the systems of record, 
are those systems is still 
needed? Is that process even in 
place still today? Many times it
is not. You don't have to do 
this all manually. That was 
probably the most shocking 
piece. This mirrors my 
background as an architect, and 
countless agencies, you document
the systems.
You drop nice little flowcharts 
and Visio and say this is where 
the data flows. And you have a 
big notebook about the. And this
is how we used to do documenting
I.T. systems. In today's world, 
you can automate a lot of those.
You can run tools on your 
network that will tell you what 
systems are connected to what 
data stores, are they being 
used? What networks are they on?
Have they been patched, or 
updated? The list goes on. We 
encourage our government 
customers to take advantage of 
automation as best they can. 
This can be a cultural 
challenge. People, especially 
security professionals, are not 
happy with running these tools 
that they don't really 
understand on top of all the 
systems. It is, it gives you so 
much more intelligence about 
what is going on as opposed to 
just trusting somebody that 
might have just started work 
last week. Get all of that data.
Do the I.T. inventory. And I 
think you have to go through, 
just as Noah said, that process 
of trying to, what am I going to
transform? From a technical 
perspective, there are better 
candidates than others for lift 
and shift. Some you can't. It 
just won't work. Some would cost
you more. You have to look at
, obviously, security reasons 
not to move things.
There are business 
justifications not to move 
things. Is the application 
end-of-life so you can go Cloud 
native? On the next tool?
To help that process. It is not 
a one size shoe fits all. There 
is not a cookbook for just 
migrate this if it does this, 
and go down to go through a 
checklist. You have to go and do
the work. And sit down.
We have a process, I am sure 
VMware everybody has a process, 
out there, that pretty much 
looks similar. We just name it 
something different. To actually
walk you through that 
application rationalization 
process knowing your hardware 
inventory, understanding
what the value would be, from 
both a business and cost 
perspective of migrating 
something to the Cloud.  Who 
remembers the edict about
XML, everything has to be 
eczema? Remember that? That's a 
long time ago. An analogy I like
to use and I'm not getting, I 
can't tell you how many agencies
took running applications, 
perfectly fine, in production, 
and said we have to XML enable 
when it gave no value 
whatsoever. To the application. 
None. No value whatsoever. It is
the same thing here. There may 
not be any value to moving one 
piece or one application to the 
cloud. -- Cloud. If that's the 
case, don't move it.  You're 
going to live in a hybrid world.
It is not an all or nothing type
of thing. You have to sit down 
and analyze your portfolio, and 
make both a business 
justification for the move as 
well as making sure that it is 
technically feasible, and that 
you are getting some value. 
Business, or innovation value, 
out of moving it to the Cloud.  
>> I have a
20-year-old eczema for dummies 
book on my bookshelf. Somebody 
came in my often separately? -- 
A 20-year-old XML for dummies 
book. I do want to
start was loose. Everyone has 
talked about, maybe the Cloud is
not right for some workloads.  
For some applications. I 
appreciate your perspective on 
that. 
>> In the interest of time, 
absolutely, of course not. I do 
much work on the DoD space and 
they are going to at best use, 
on premise, if not individual 
server-based provision of a 
service, of a capability, but 
you want that data to be within 
the enterprise and addressable 
within security parameters, you 
went that data and the results 
of whatever data exploitation 
are going to be, so embrace the 
complexity of being able to 
manage the full enterprise,
where you certainly have to 
admit to yourself and to 
leadership that in our 
acquisition and procurement 
decision, we are not doing 
anything for 100% of the 
capabilities that are 
enterprises going to provide. We
are providing the flexibility to
support all of that. But as you 
have heard today, embrace the 
hybridity of your environment. 
>> To piggyback on that as a 
follow-up,
I know many cloud service 
providers -- Cloud cloud service
providers , and impact, at 
FedRAMP, is that not 
appropriate? 
>> It is appropriate. That is 
what we are targeting for this 
year. How many people here are 
in the DoD space? Not that many.
It is a large proportion of 
the federal I.T. spend, but in 
terms of the services that GSA 
supports, it is like big data. 
Not every government enterprise
has the needs for the kind of 
algorithmic scale and complexity
of Facebook, which has 2.4 
billion users around the world. 
Big data for the rest of us, 
Cloud computing for the rest of 
us.  You want to be able to 
manage the universal digital 
platform that includes on 
premise capabilities, as well as
in a mulit-Cloud environment.  
>> Questions from the audience?
I will take the first one. When 
you move to a Cloud's  --
Cloud solution, what is 
important to consider, so that 
data from legacy systems are so 
usable?  
>>
Will see if that still works.
>>
In the security world, we deal 
with sensitive PI, 
law-enforcement data, all of 
these caveats around data. One 
of the challenges we face right 
now is the ability to physically
go down to a data center, and 
get our data off. It sounds kind
of silly. That's a challenge.
What data to move, when it comes
to the world I live in, it is 
mission systems. We know the 
data, and a lot of it is fairly 
static, but there is in transit 
data. For us, it's an easier 
game to understand. When you 
start looking at big platforms 
like SharePoint and content 
stores, that game gets 
different. In our world, knowing
what data to move
is going to be, what data has to
be protected, how do you protect
it, how do you protected in 
transit. It might be a little 
different than the other guys. 
>> One quick point, in your 
planning, on data, many people 
know this, only think -- 
databases, that's where we all 
were 10 years ago, a lot of 
system still today. What we see 
a lot increasingly in the 
government space and certainly 
ubiquitously in the commercial 
space, or an interest in all of 
the data reduced from endpoints.
GSA supports
hundreds of thousands of 
government employees, all of 
whom are walking around with 
computational devices that 
produce and store and use data. 
And we have the Internet of 
Things, and the ability
, through
mulit-Cloud environments, and 
the analytic services that can 
reside on them come  flexibly, 
the ability to do health 
management, and real-time 
monitoring of events across the 
broad enterprise
of facilities, and locations, 
and devices within all of those 
locations. I would think for GSA
it will be important, it's a new
way to think about the full 
environment of data you will be 
able to support through a 
multi-cloud environment. 
>> Awesome thanks. One less 
question, and then we will 
break. Is there something we can
do to improve the FedRAMP 
process for industry? It feels 
like some agencies are still 
challenged getting to that ATO 
eight. 
>>
With Matt sitting in the front 
row ...
I will be candid. We work a lot 
with Matt, and we are very happy
with where FedRAMP is right now.
And where they are going. And 
how the process has changed 
since the beginning. It is a 
challenge. If you look at the 
controls, sometimes the way 
people want to interpret them is
traditionally old-school. When 
you look at the cloud, 
everything is virtualized. 
Everything is software defined, 
everything. We don't have 
hardware lit bouncers.
When you read our security 
package, I think the biggest 
challenge for agencies, is not 
the FedRAMP process itself, it 
is how to interpret how cloud 
providers are implementing those
controls. Because the technology
we are using is so different. 
Than what was used in the past 
on premise. That is the biggest 
challenge.
And the biggest hurdle to 
overcome. When you start reading
this thousand page document, and
it is 1000 pages, a traditional 
system security plan might have 
been 20.
In the past. For something on 
premise. And it was something 
you could touch and go look at 
and unplugged from the network. 
You now have to trust, you have 
to read the document, look at 
new software defined firewalls, 
networking that you have never 
seen before, at a hyper skill 
level, with data centers that 
are all over the country, and 
interpret that, and interpret 
how we meet that control. All 
while reading 1000 pages. That 
is the biggest challenge right 
now.
With the Cloud security 
controls. Or how do I make heads
or tails out of this?  And then 
people taking a literal 
interpretation of a control. In 
thing, you did not implement it 
this way. That is because you 
don't do it that way in the 
Cloud. It does not make sense  
to do it that way in the Cloud. 
Here's why.  We spent a lot of 
time doing that. It is been a 
learning process for the Cloud 
providers and for government.  I
remember the first time we went 
through with Azure , I can 
remember the conversations we 
had, painstaking,
with GSA, over each control. I 
am not kidding. Each control. It
was unbelievable. It was both an
educational experience for our 
compliance team, as well as the 
people on the other side to it 
never really understood, how 
hyper skill clouds run. Behind 
the scenes. I think that is the 
challenge. I don't think there 
is a process problem there. I 
think it is more of a learning 
type of thing. 
>> Great. Hank Susie. 
>> I want to thank Susie
and Noah and Louis. This was 
energizing and educational for 
me, and I hope it was for you 
also. You to GSA. I hope folks 
got a lot out of it. Thanks for 
your time everyone. 
>> [ Applause ]
>>
Panel thank you so much. Again, 
as always, audience, thank you 
so much. As I mentioned before, 
we had a boatload of questions 
come in and we ran out of time. 
But we are going to post a Q&A 
document with a recording of the
event in the media library with 
the other reverse industry 
training recordings. Right now 
we do not have a formal break. 
We are essentially shuffling the
characters for presentation. 
While that happens, I will slow 
down and speak more slowly to 
give us a little bit of time. 
But then introduce the next 
subject that is coming up. That 
is, buying the Cloud.  You know 
this last panel discussion was 
thick with knowledge about 
technology strategies, 
surrounding cloud adoption. No 
doubt about it. And as agencies 
develop and execute
an overall Cloud acquisition 
strategy, or Cloud adoption 
strategy,  translating those 
technical strategies into 
acquisition strategies can 
result in an awful lot of 
confusion between industry and 
government throughout the entire
acquisition process. Like I 
said, the last panel introduced 
a thick amount of knowledge and 
information when it came to 
those technology strategies. [ 
Captioners transitioning.]
Fax back throughout the entire 
acquisition process and
a thick amount of knowledge and 
information when it came to 
those various technology 
strategies and for these -- this
reason it always comes back to 
clarity in our solicitation 
where the Contracting Officer 
contracting specialist, the 
Project Manager the contracting 
officer's representative really 
need to work closely with one 
another in defining the 
requirements in the performance 
work statement in the statement 
of objections that objectives 
whatever it might be clarity is 
going to be the key. And for 
these as a service offerings, 
there is also important legal 
and budget planning 
considerations. Industry experts
here in our next panel are going
to share their interpretation
of the typical requirements seen
in solicitation and of course 
provide suggestions to improve 
our future solicitations. So if 
I may introduce again to lead 
our panel please welcome Joe 
Cloyd Director of national 
security solutions at Northrop 
Grumman.
>> [ Applause ] 
>> Thank you John I'm used to 
being called Cloud by most Mr. 
Cloud by most telemarketer so 
it's one time it would be 
appropriate. I will invite our 
pandas to join us at the table.
As they are doing so I will do 
some brief introductions and 
John did mine on the Director of
national security solutions 
operating in Northrop Grumman 
focusing on system modernization
for a lot of our federal 
civilian national security 
customers and John did note is 
that a Tech fellow emeritus 
primarily because of interesting
Cloud Computing and so I'm 
thrilled to be up here with the 
panel. So for some brief 
introductions, on my immediate 
left we have Shannon Silverstein
and Shannon leads the DHS and 
Department of Justice portfolio 
at Claude Eric government 
solutions where she's assisting 
those customers of Lady Big Data
initiatives and transformation 
to Cloud Computing. Next to 
Shannon is Mr. Jonathan album 
and he's public-sector CTO or 
cheap technology offer at 
Veritas technology worry
guides his team and federal 
customers implement a 
multi-Cloud data management data
protection and storage 
optimization solutions prior to 
joining the private sector, 
Jonathan was CIO at the USDA 
where he led IT modernization 
efforts and then finally Jay 
you'll hear more from Jay 
shortly this afternoon as well 
for an additional session but 
Jay is CEO of practical 
solutions
where he has led IT 
modernization and Cloud adoption
for federal clients including 
the Small Business 
Administration and that will be 
the specific topic of the next 
session as well. So with that, I
will try to put us on sort of a 
rapid pace here because I want 
to make sure we are able to 
cover questions from the 
audience and questions from the 
eight or 900 folks online. So I 
will tee it up with a quick 
question and start things off I 
will be the first to admit that 
we are all guilty of lots and 
lots of acronyms and terms that 
we use
and don't always know they mean 
that we especially appreciate 
that maybe everybody in the 
audience does not know that so 
if you hear skidding on the 
wrong side of an acronym, shoot 
your hand up and that will be my
cue to pause us to get some 
definition. So the first 
question and maybe we will start
with Jay taking it too initially
and that is just can you give us
a brief overview of your 
background as it relates to 
experience and bidding and 
delivering Cloud services and
the piece out there out there is
keep in mind we are from an 
industry so we don't always 
write the solicitation but we do
spend time reading them that is 
for sure a lot of the context in
which we will address things is 
that industry perspective on the
government acquisition process 
in government solicitation NJ 
with that? Back
>> Thank you Joe and thank you 
for GSA and the rest of the 
audience my name is J and I 
started practical solutions 
about 20 years ago this month 
and we focused purely on 
strategy technology engineering 
and management a lot of times we
are brought in is to pick 
something that as difficult and 
rightly so actually there's 
theme through practical 
solutions about chaos -- a lot 
of times it's brought in because
it's challenging environment and
to actually do it in step in 
with both deep technical 
engineering and technology and 
even taking the management as 
well as strategy so we structure
the strategy, help be a trusted 
partner with typically in the 
CIO and management team and then
take it from a basically 
addressing the solutions 
addressing the issues what they 
are and then work through the 
implementation's and lately we 
do last 18 months Small Business
Administration where they 
journey to the Cloud and spend 
an interesting journey because 
we have to actually develop a 
very quickly strategy that would
turn it into
execution and try to worry about
the different multi-Cloud 
capabilities the small business 
administration hasn't tried to 
get out of the data center 
there's a lot of challenges and 
trying to keep the themes to 
focus on acquisition and 
acquisition of the Cloud itself 
is also a challenge by itself as
we throw lots of terminologies 
in trying to figure out how to I
procure a Cloud it is not one 
thing that is called the Cloud. 
Analogies a lot of times help 
trying to figure
out what the differences between
infrastructure as a server and 
platform as a service of 
software as a service and 
hopefully following answers I'll
be able to
what our interpretation of these
particular procurement is in 
trying to actually educate the 
leadership as well as educating 
the procurement officers what 
and how to acquire the Cloud. 
>> Think it will work our way 
this way so Jonathan next. 
>> Thank you. As Jay mentioned 
in Joe Cloud mentioned I spent 
-- new at Veritas technology CTO
I was previously
an employee of the federal 
government a senior executive I 
worked in a number of jobs that 
USDA including the CIO for USDA 
but I worked at GSA where I was 
the Deputy CIO for the Federal 
acquisition service and had a 
number of other positions at GSA
over my time here. So my 
perspective on the panel might 
be a little bit unique because I
was the buyer Cloud services 
like many of you are. And having
spent time in GSA was very Cloud
focused when I was here and I 
returned to USDA once or twice 
we were beginning to adopt Cloud
a lot of ways as well. The last 
job I had at USDA was as the 
deputy senior contributed 
executive and I worked in the 
procurement field deeply to cope
and I had experienced by Cloud 
on the industry side and been on
the industry before but it was 
much more management consulting 
and sort of pre-Cloud but a lot 
of looking at RP's and such and 
I think now we see that a Cloud 
is much more of an expectation 
as part of a solicitation and 
that it is almost become I don't
want to say dumb down because it
is complicated but is like of 
course you're going to use a 
Cloud, well it so much more 
complicated than that and I 
think as Jay was saying Cloud is
not just one thing it is a lot 
of things and as buyers we need 
to be really thoughtful about 
the questions that are asked of 
vendors in pre-solicitation and 
questions that come up during 
source selection panels and 
other things because it is much 
more complicated I think then --
is much more complicated and I'm
hopeful that during this 
conversation today we can 
highlight some of those areas 
that make Cloud hard to buy 
where it is not clear at a 
certain solution works or how 
something is priced or how 
prices might escalate over time 
or what are the drivers of that 
price as buyers I think you are 
really required to know those 
things and the folks that you 
are supporting
in programs and IT need to know 
those also because it's a great 
opportunity to kick control cost
and have a longer-term buying 
power and those are some things 
I like to talk about as we have 
our conversation this morning 
and it's great to be here and 
thank you for the opportunity. 
>> Shannon? Back I'm Shannon 
Silverstein from Cloud Eric 
government solutions I've been 
supporting the government for 
about 20 years and as I look at 
the Cloud transformation and 
digital transformation I think 
back of when I started and I 
think of anyone remember Y2K?
So it is similar it is the fear 
and uncertainty of what's going 
to happen in the future with 
data and what your environment 
will look like and what it will 
look like 10 years from now as 
the technology advancement 
between now and 20 years ago is 
astonishing. The data that has 
aggregated in your agencies over
the last 20 years, some people 
taking it off of the manila 
folder and with the rims of 
color-coded highlighting which 
is where you knew how to file 
things, that is how long I've 
been supporting government. So 
what it is though is this whole 
evolution of how to transform to
the Cloud what is best for your 
organization, it is a scary 
factor some of these data 
centers are closing and 
everybody is thinking we have to
get right into the Cloud and how
will we do that or let's put 
everything in and Susie made a 
good point earlier, don't put 
everything in. Take this time 
and make good decisions on what 
needs to go in, what will make 
your agency more efficient and 
effective in the coming years, 
and as a technology changes how 
are you going to's that to 
remain consistent with 
technology and the adoption rate
that your agency has to evolve 
to.
>> Great thank you. 
>>
The title of our panel is your 
agency is moving to the Cloud 
and is more of it. We are 
starting from the perspective of
the decisions been made but 
often at times I think the 
drivers for the Cloud are 
different and based on what 
those drivers are, the type of 
solicitation or exactly what's 
being sought can vary a lot so I
wanted to have each of our 
panelists and start was Shannon 
--
that start with Shannon and 
specifically what have you seen 
as a primary drivers for 
adoption of Cloud from the 
agencies you are working with 
and accordingly how easy does 
that make it to move into the 
Cloud? 
>> By the way the company I work
for is Cloud era not a Cloud 
company we got that name over 
back 10 years ago when we 
started an open source platform 
data platform and so we are 
about the data in I bring a 
little bit of a different 
perspective to this panel where 
we are about the data, what you 
want to do with the data, and 
the things you have to be 
thinking about a crush 
organization is what data -- 
what you want the data to do 
when it's in the Cloud. It's a 
lot easier for when people say 
the biggest thing I've seen I 
support the law enforcement 
portfolio DHS and DOJ, being 
told their data centers are 
closing and I have some 
organizations who can't put all 
the data in the Cloud and what 
does it look like and you have 
to assess your data, assess the 
legalities of the data and the 
PII, the personal information 
that goes along with the data 
and what you want to take to the
Cloud with you? Oftentimes it is
going to be as we talked about 
it a lot earlier it will be a 
hybrid environment so then how 
do you centrally manage that. I 
think the push to the Cloud is a
good one. The technology will 
help adapt and evolve over time,
I think don't be scared by it, 
but also you need to do an 
assessment of your data and 
don't bring everything to the 
Cloud that is on your existing 
infrastructure today from tools 
and technologies to the data 
assets that you have. You need 
to make sure that you're 
bringing the right things to the
Cloud when you go. Just because 
the data centers closing doesn't
mean that you have to run scared
and put it all into the Cloud as
quick as you can to check the 
box off so think through the 
strategy.
>> That is a great point 
checking the boxes is usually 
the not the right answer that 
want to build on Janice points 
they were good, what Jenna 
described is a strategy for data
management managing your data 
which you need to do whether you
set in on the Ms. data center or
in the Cloud you know where your
data is we heard that on the 
last panel several times and 
once you understand your data is
you much out you have a much 
better foundation on which to 
build a migration plan to the 
Cloud. Whether it is PII or just
data rot that is redundant 
obsolete or trivial you don't 
need to necessarily take all the
copies of the older dark data to
a Cloud environment. That's 
really going to drive up your 
cost. Cloud's price sort of as 
you use it and it sounds well 
that's great I'm only going to 
pay for what I use well 
oftentimes you use a lot more 
storage than we think we as and 
oftentimes we have a lot more 
data flowing over the lines that
we think we do because we don't 
understand what data we have in 
our environments. So the 
panelists you moved to the Cloud
not take issue with the title 
but I think everyone has made 
some investment in the Cloud at 
this point I think we are 
overcome that in now that you're
embracing this in the government
as a foundational technology,
how do we use it in the best way
possible how do we use it in the
most cost effective way possible
and you are all buyers of this 
and it's really something that I
think you'd all care about. As 
the users within your agencies 
programs and IT organizations 
they care also because they want
to fund innovation and
other modernization activities 
and when infrastructure and I 
think we think of Cloud as 
infrastructure related caused, 
maybe don't necessarily go down 
or don't go down as much because
we are using it in a way that is
not as cost-effective because we
have too much data that we moved
and we haven't taken the 
necessary upfront work because 
we're in such a rush to create a
good understanding about what 
data we need to operate our 
organizations on, those things 
really end up costing a lot 
more. I've worked with a lot of 
customers and we do things when 
I worked at USDA we think about 
moving Office 365 or other Cloud
email solutions really 
understanding how much data you 
will migrate from your existing 
email system to another or from 
file shares to SharePoint or 
some other kind of online 
storage. It's important. The 
expectation is unlimited storage
well it might be unlimited 
storage but that's what you have
access to but is not that 
unlimited storage is free 
storage cost money everyone will
charge you for it and it will be
based on how much you use. Use 
what you need and not more than 
that. As you make this journey. 
Shannon made good points. 
>> Thank you Jonathan. I like to
take a different angle of how we
interpret this from the strategy
perspective as over the past 18 
months working with the CIO and 
leadership at USDA given insight
more how the challenges of 
procurements are is a bridge 
between procurement officers 
Contracting Officers, the CIOs, 
and the Deputy CIO and CT trying
to translate that into a 
procurement and a lot of times 
instead of working on the 
terminologies the data and 
everything else I'm trying to 
actually simplify it. By doing 
simplification is basically 
saying what are we trying to 
buy? At the end of the day Cloud
is not such thing you go to the 
store and I want a Cloud and 
bought the Cloud -- it is about 
the drivers behind that. The 
drivers a lot of times is not 
clear. Modernization is a very 
ambiguous term very broad and in
the essence you can put a lot of
things in it not something could
just say I will go modernization
acquisition. I will take the 
analogy of everybody knows when 
you move into a house you 
actually there's a kitchen, 
anticipated to have a working 
kitchen and the water 
electricity and an oven and 
before you start any meals you 
need a working kitchen obviously
if there's a creek involved in 
that is for you to do a meal you
will have stuff that you have to
click with, whether you buy 
groceries whether you are buying
the meat and dairy and 
everything else those are what I
call in on print solution you 
have to create a meal you have 
to have these things placed 
before you can actually have an 
actual meal. Depending who you 
are certain if you're just doing
peanut butter and jelly sandwich
you have your self a meal but it
gets more complex. As the 
complexities in the on pram data
center this is the kitchen a lot
of ingredients gets washed when 
you come up with the right 
solutions or write procurement 
and you're struggling with it 
and in especially via 
multi-different kitchens in the 
house a large house you have to 
actually keep different data 
center the upstairs kitchen the 
lower stairs kitchen trying to 
make sure you are using cooks 
and everything else the 
complexities for the Contracting
Officers becomes complex. And to
simplify it is basically we 
understand how to buy hardware 
and software it's something you 
get on and procure it you can 
compete and it's easy to compete
there. If you're trying to bind 
this is like email as a service 
obviously you have to schedules 
70 has a Cloud service provider 
and you can purchase on that but
there's more to it than that so 
if you are trying to actually 
purchase in this case harder 
that hardware is offered for the
data center we want to make sure
it is there and however he but 
in a lot of groceries in the 
freezer and never get to it for 
six months and try to take it 
out, after a while it is Dale I 
don't know if you can use it you
need something that keeps fresh 
and keep buying more stuff and 
you don't just only bite for one
meal for the day you buy it and 
store it. A lot of times you end
up not using it. Infrastructure 
as a service is if you actually 
go to a buffet like in Las Vegas
when you actually have all kinds
of things that are already 
prepared this is your 
marketplace that you purchase 
and you want to be able to 
create a meal for your kids or 
be able to get a steak 
everything is there and how you 
bite becomes basically a choice.
It depends on the meal you are 
trying to actually serve and who
you're serving it to. So 
infrastructure as a service is a
buffet. What you will pay for 
what you consume at the end of 
the day when you walk away from 
that infrastructure as a service
you don't take anything back 
except your data in this case 
and having Cloud capabilities 
sometimes you only try the 
buffet here and sometimes it's a
different buffet. And that's the
contracting officer challenge is
if I buy on the Amazon or into 
Azure or salesforce, how will I 
commit the money across all 
these things, do I have to 
compete that for every single 
activity and then call that for 
the drivers of it and in this 
case the modernization or trying
consolidate data center 
consolidation or migration all 
that becomes a driver in how you
compete that among these things 
that becomes the challenge. It 
goes back into the education, 
the CIOs in technologist happen 
to be able to work with the 
Contracting Officers, how to put
the proper proper strategy for 
acquisition sometimes you can 
start at a zero dollars for 
implementing the Cloud in this 
case infrastructure as a 
service, and then once you 
strategies becomes more for -- 
more realized you will build on 
it and acquisition will grow and
relationship between the 
technologist in the Contracting 
Officers and the CIO and the in 
this case the industry helping 
putting the strategies together 
will take shape. If you try and 
put millions of dollars on a 
contract says I'm just going to 
buy lichen infrastructure as a 
service today, you don't know 
what you will consume or what 
kind of stuff goes into it or 
how many meals you will prepare 
this for and who will be serving
it, because you are paying this 
as utility and if you don't 
consume it
the data is not necessarily 
going to go away other folks 
will come in and purchase that, 
so what you serve your cost 
rates and education about the 
drivers between the industry 
between the CIO the 
decision-makers the management 
team and the contracting officer
and that is a challenge of doing
any kind of acquisition 
regardless of what you call from
a Cloud [ Indiscernible] 
>> The food analogy may have 
made folks a little bit hungry I
think there's a break after this
a couple minutes and you can run
a get a snack, I wanted to throw
before moving to the next 
prepared question of folks two 
of questions they would like to 
submit these submit them online 
or else we can take questions in
the room and at this point we 
actually I think I've covered 
all the questions we could 
answer that is been submitted 
online and if you submit a 
question for Pam Winton like it 
to be addressed in panel to 
please resubmit. I wanted to tie
into what Jay said he started 
talking about how Cloud 
acquisitions are hard for 
industry to respond to because 
of the variation in
the range of services that can 
be offered. Jonathan I was 
wondering if you could touch 
specifically on what types of 
information need to be 
articulated by the government 
during the acquisition process 
to really help us understand and
for the government to specify 
the right type of Cloud offering
the right type of Cloud 
Computing environment and the 
other things I need to go along 
with that. 
>> Yes thank you. I like to 
think about the concept of 
performance work statement and 
what are you trying to 
accomplish a statement 
objective, what we are trying to
do at this agency is X saying we
need I Cloud Solution I think 
jobs a little bit to
a way of accomplishing what you 
want to do in my experience is 
that industry has some great 
ideas and experiences that you 
don't always have within your 
agency or office and you are 
better off asking for great 
ideas. By beginning with the 
idea that our agency needs to 
accomplish the thing and how 
should we do it? So I looked as 
industries opportunity
to suggest the right kind of 
Cloud solutions. I recognize is 
not always that simple one 
sometimes the acquisition is for
a particular kind of Cloud 
service or it is for a software 
as a service that is also Cloud 
maybe even platform as a service
where you're buying 
infrastructure plus operating 
systems and other kinds of 
things. And you can't be as open
to industry suggestions
about how to solve a problem but
that's where I would start in 
the best case scenario. I think 
when it is a little more to find
and prescriptive I think some 
the questions that industry 
wants to understand is revolves 
around data what our 
responsibilities and around data
, what are requirements for 
protecting data at levels of 
security, from a government 
perspective I think that goes 
back to what we talked about 
before really understanding what
kind of data you have in your 
agency or within a particular 
application how is that data 
used is it shared amongst other 
environments is it shared 
between clouds, and from an 
agency perspective right always 
suggest that the or buyer 
perspective that you have some 
forethought about how you're 
going to get your data out of 
the Cloud. Cloud is often very 
easy to get your data in and 
hard to get your data out I 
think there's been some 
procurements across government 
over the past two years where 
that became a real issue when 
agencies had to back out of 
approaches or cancel projects 
because they didn't maintain 
ownership of their data and 
having clear ownership rights of
the data and privacy 
requirements around the data 
really is very important. Also 
to the extent that you're going 
to select a Cloud provider today
it is not that different than 
selecting another set of 
technologies yesterday
. They work for you now but they
might not always work there 
might be a better solution for 
your requirements because 
requirements will change in the 
new providers on the market and 
you want to figure out or be 
thinking about how do I move my 
data between these Cloud 
environments over time or maybe 
even bring the data back into 
your office because of the 
changes and that is what is 
important. So having a clear 
understanding about what you 
need the data to do, what you 
need relative on day one and 
understanding what might occur 
over the future and Roma 
procurement the what if 
sometimes becomes hard but you 
have to think about them because
those options that flexibility 
is important not just on the 
government side but on the 
industry side also industry 
needs to be considering the fact
that industry want to serve the 
government very well for a long 
period of time they have to be 
thinking about flexibilities 
that can be conceptualized into 
a solution. In summary I'd say 
thinking about and understanding
the data requirements that you 
have, who owns it where it needs
to be, what are acceptable uses 
of the privacy requirements as a
government what you do when you 
want to move your data to 
another environment and how do 
you protect that data, data 
protection is very important and
it may or may not come at the 
way that you needed in your 
particular Cloud solution and 
going back to the very beginning
of really very clearly 
articulated to industry what are
you trying to accomplish and I 
think you need to be clear about
that. You have a good foundation
for a strong procurement and 
good [ Indiscernible]
>> Shannon or Jay anything to 
add? You may want to take a 
while because we have questions 
that are starting to come in 
from online and they are hard. 
>>
To second what Jonathan was 
saying is actually data is a 
very important one but securing 
the data is yes second, but 
there's a lot more to it from a 
Cloud just the data especially 
the challenge of trying to 
actually run an organization or 
run a whole agency. There's a 
lot of pieces that need to come 
together not just the data 
elements of it, maintaining the 
mission,
availability, responsiveness, 
mobility, and then also drivers.
Newer technology you are trying 
to implement to improve the 
collaboration of your team to 
try and actually have a cross 
communication
if you're talking about Citizen 
Engagement in this case or 
you're talking about causation 
she's relationship technology 
needs to be there. In this case 
are we trying to actually 
standardize on the specific 
Cloud or are we cost Cloud when 
you bring data into the Cloud a 
lot of the CSDs actually don't 
charge you for when you try to 
get data out of the Cloud there 
is the ingress and egress cost 
so sometimes where your data 
resides can actually reside 
across clouds in this case 
whether it's in the past or I as
an that's a challenge we are 
trying to address within the 
industry we have multi Cloud 
capabilities and we can actually
move the data and have the data 
actually be
almost instantaneous having 
access between these Cloud 
provider and try to minimize the
cost. Cost has become a 
challenge for procurement and 
contracting officers when they 
commit money
at the beginning of the period 
of performance it gets consumed 
and have to go back and add more
money it's a consumption model. 
Managing that it is a 
partnership between the 
Contracting Officers and the 
management as well is back at 
the industry itself. You have to
look at it from our perspective 
of what C strategy new driver 
behind the and yet can we 
sustain it and keep the lights 
on when nobody is there that is 
a waste not efficiency. How do 
you actually make the Cloud to 
be more you effective to what 
you need to do -- DevOps for 
example is not running 24 seven 
and there's no developers that 
actually around-the-clock who 
are doing that. A lot of 
unessential and nonessential 
core infrastructure needs to 
also take into consideration 
sometimes you have to figure out
if it is an infrastructure or a 
path or was the model what's the
Contracting Officers challenge 
trying to keep up with all that 
spin and how to spend is 
actually across Cloud and right 
now you have to compete every 
single one and there's not say I
will purchase one Cloud credit 
for example that's going to go 
toward across clouds and is not 
actually available today for 
Contracting Officer to be able 
to utilize so we actually worked
with the GSA to come up with 
some kind of a solution to allow
and make that happen. Those are 
challenges that the Contracting 
Officers will be faced with and 
we've gone through these in 
trying to simplify and actually 
have some kind of a strategy 
for. 
>> I want to add one thing to 
have. There's some good points 
there and from not buying 
perspective and understanding 
what you're buying it is very 
important that we start -- you 
are working with your IT 
organizations who are all now 
working with
OMB and I think GSA around 
technology business management 
TBM and TBN is an approach to 
understanding IT cost is it used
throughout industry we are 
adopting it in government and 
when you are purchasing Cloud or
any other service, what kind of 
requirements you need to put in 
the solicitation so the data 
about what things cost and how 
those costs are driven by 
different capabilities or 
requirements have those 
translate into the TBM cost 
column because categories that 
we are trying to track and 
manage.
Not that Cloud will be vastly 
different than maybe another 
telecommunication service you 
are buying but I believe that 
there may be some language or 
requirements on the vendor that 
you need to be considering as 
you begin to or continue to get 
your Cloud. 
>>
Shannon something to add? 
>> One last thing I would say 
before specifying the right 
Cloud type of Cloud environment 
you need is to really get your 
security people involved in this
decision as well because there's
a lot of risk around data if 
it's going into a commercial 
Cloud or if it's going to a 
private data center all of these
have to be addressed in getting 
them engaged early is a good 
idea. And defining where the 
data governance and audit and 
lineage will fall
is going to be with the Cloud 
provider or is it going to 
remain with your agency so I can
really good things to think 
about as you decide what Cloud 
is right for you or what 
environment will be right for 
you in the future. 
>> Great points. I know we had 
one hand that went up in the 
auditorium I want to cover one 
of the questions I came in on 
before we do that and I will put
a different twist on it since
J you already touched on it I 
think in the question is -- how 
can Cloud service providers and 
authorized resellers I'm sure 
Cloud usage does not exceed 
available funding on existing 
contracts and the reason I want 
to go back to that is you sort 
of alluded to a J but at the end
of the day that is one that is a
challenge when it comes to the 
model. Anything to add? 
>> Actually I personally get 
involved in this because at the 
early stations -- stages the 
consumption wasn't there as we 
increase the demand and this is 
a daily exercise not something 
that you just leave it and 
forget it. The assumptions that 
your Cloud consumption and 
specific workload you expect 
that to be a set price and you 
figure out later that it is a 
combination multiple things in 
working with the vendor the CSDs
and working with the contracting
officer says okay we need to go 
back and make an adjustment to 
the invoice because there's 
something at the beginning 
didn't match versus what we 
actually see and so it is a 
daily exercise because otherwise
you'll make an assumption that 
your Cloud spend dollar amount 
and find out you may have 
overspent and overspent because 
of simple change that actually 
happen or being deployed that 
wasn't taken into consideration 
or completely spelled out. So 
having that as under control is 
very key and it is not something
that you just completely ignore 
and previously we buy the 
hardware and software and leave 
it on the shelf or use it so it 
is an assumption that if you 
don't pay attention to it you 
will be over budget. 
>> I would sicken those or 
question that you will need to 
be asking as buyers how does a 
vendor monitor that and how are 
you alerted, to usage or spikes 
or overages because I know from 
first-hand experience that 
overages occur. They just happen
because we don't understand 
exactly how we are using some of
these technologies at times or 
that the users of them don't 
understand the cost drivers of 
the technologies.
So overages will happen I think 
the question is what can the 
vendor do to prevent it in the 
next question you have to ask 
and or how can they alert you 
when you've reached a certain 
threshold so you can make 
adjustments and this happened to
me in the government side in 
multiple agencies, you get a 
Bill from a vendor with an 
unexpected dollar amount you 
have to pay because you use the 
service and suddenly it impacts 
your plans across the enterprise
to do other things. It's the 
last thing you want is an 
operator of IT a CIO or Program 
Manager when you suddenly you 
cannot add programmatic 
capabilities functionalities and
drive the mission because you 
have an unexpected 
infrastructure cost that through
better communication and 
planning could've been 
controllable it is really a bad 
situation and unfortunately it 
happens but I do believe it is 
preventable. 
>> The one thing I would add is 
we are often used to dealing in 
quarterly reporting monthly 
reporting if we are expecting 
technology to be moving at the 
pace of something that is an 
order of magnitude faster than 
that, then the idea of monthly 
reporting when it comes in as an
expenditure isn't necessarily 
one that fits consumption-based 
models and I think the point 
Jonathan J brought up really fit
that up as well because there's 
a timeframe aspect for us to 
consider. Should Shannon 
anything to add? --
>> One thing to add to this is 
that there's ways around it if 
you're actually developing a 
strategy to be able to remedy 
some of these changes so it 
won't necessarily impact 
overages but allows you to 
prevent future overages.
>> It's a risk with live 
questions you have to make it an
easy one but I saw a hand and 
you have a microphone? Back 
>> Hello I'm new to Cloud 
technology in the question I 
have for you is what systems can
you give an example of what 
systems are not appropriate for 
the Cloud or the type of work 
that we would not be appropriate
and based on that how do you 
know which Cloud is appropriate 
to buy? And the last point I 
would like for you to address is
can you give a best practice 
example of a very clearly 
written solicitation for Cloud 
technology? 
>>
Three great ones there. 
>> Let me take the first one we 
can split it up. What's not 
appropriate for Cloud, so I 
think this has been covered in 
last panel but there are legacy 
applications in all of our 
environments and I take issue 
with the term legacy a little 
bit because as soon as you put a
system in production it is kind 
of legacy so no one has been 
able to give me a clear 
definition of what legacy is but
the fact of the matter is there 
systems across the build over 
number of years and they work. 
Otherwise they wouldn't be in 
our environment they may not be 
the latest and greatest 
technologies but they work. 
Oftentimes there is an 
assumption that they could run 
in a more modern technology or 
Cloud for less money. I would 
challenge that assumption 
because
things are never as cut and dry 
or simple as that. And 
especially some older 
applications, we might say that 
they are quote unquote not Cloud
ready and by that we mean they 
are architected in a way that 
doesn't take advantage of some 
of the scaling capabilities of 
Cloud or they have challenges 
sending data between systems or 
movie data in ways and sometimes
doing it in ways that can be 
very expensive. So a system that
might not be a Cloud ready would
be one that is not a good 
candidate and how do you assess 
Cloud ready? I think that there 
are definitely checklists out 
there you look at US digital 
service or 18 at kind of 
organizations see what it the 
attributes of the Cloud system 
if it's Cloud ready or there 
might be some systems that have 
data requirements that don't 
necessarily fit in the Cloud 
because of either national 
security or
they are FSMA high systems those
kind of things that we don't 
want to take that risk at all 
though some organizations are in
somethings like a Private Cloud 
that the DoD and the Intel 
community are using Cloud for 
these kind of system but they 
did it with a lot of forethought
and planning inside the 
organizations it is not a 
commercial
platform technology I look at 
the age of the system that might
be an indicator and what or the 
foundational technologies that 
the system is built on and what 
are the data requirements 
privacy requirements security 
requirements are on the data 
things like that. Starting 
points for wondering whether or 
not the system is a good 
candidate for the Cloud. 
>>
A choice between government 
Cloud commercial Cloud sometimes
will come up on a regular basis 
and identifying basically the 
race and the wrists in adoption 
of that particular environment 
even in their -- not everything 
is supposed to be a government 
or high Cloud candidate so 
depending on the workload 
depending on the solutions you 
can a multi-Cloud capability 
where you have commercial and 
the government Cloud and have 
that properly segregated so you 
can choose whether you want -- a
specific environment that is. 
Lee in the interest of the 
mission and the risk's if it's 
going to require [ 
Indiscernible] commercial Cloud 
capability the other aspect you 
can take a look at is the 
capabilities a lot of times the 
application takes full 
capabilities like we are trying 
to do with the Chat Box or 
trying to do with mission 
learning capability a lot of 
these capabilities and features 
certainly get available or to be
available later on down the 
Cloud provider in the high 
environment. So so we chose 
specifically working with a lot 
of the engineers and a lot of 
the management leadership in the
case for SBA to move an 
environment from the high 
environment Cloud environment 
infrastructure in
move it down to the commercial 
Cloud and that is a federal 
moderate and a lot of the 
workloads within the SBA was 
particular trailer to the 
modified environment and at some
point we actually had the high 
as well as the moderate 
environment running and 
sometimes taking a risk in the 
applications in the platforms to
utilize Yammer not -- excepting 
the risk becomes the 
responsibility for the 
leadership in the CIO to assume 
and as we are say that
doesn't looked an orange 
jumpsuit so try to keep out of 
that
it's a management team between 
the leadership and having 
synergies between industry 
between the Cloud provider the 
procurement officers the 
management and the CIO to be 
able to actually make those 
decisions and moving forward on 
this. And I think cost as a 
driver. A lot of times. Having 
put a workload in the high 
environment is very costly 
versus the moderate and the 
consumption of it and then
there are some workloads 
completely it's not good fit in 
any of these environments 
especially if it's an old legacy
like Solaris environment to be 
able to be specific workload 
that doesn't have a fit within 
the Cloud industries and on perm
and you start become a hybrid 
between multi-Cloud as well as 
on print solution -- 
>> A hard-won online payment 
that we touched on cost savings 
a little bit the question 
specifically is around the idea 
that with relatively small 
number of Cloud service 
providers out there there's a 
pretty developed ecosystem of 
resellers and managed service 
partners and others so that are 
essentially brokering the
Cloud service of the question 
had to do with economies of 
scale and how can an agency 
think about having both 
competition across numerous 
providers knowing that there's a
relatively small number of Cloud
service providers but at the 
same time get those economies of
scale so they're trying to both 
split up acquisitions and at the
same time realized economies of 
scale and I realize that might 
be a very tough question to 
answer but I think there's a 
correlator to it as well we I 
hope we can touch on was the 
best approach is it better for 
the agency to consolidate by 
when it comes to the 
infrastructure may be separate 
out some other services or try 
to keep the acquisition of those
Cloud services pegged to a given
application or something along 
those lines. Any thoughts from 
the panel there? Back I'll 
>> I'll offer at the beginning 
the idea an organization doing 
everything together sounds great
but is very hard to accomplish 
especially at a large federated 
agency. All agencies are 
different some are centralized 
already even if there large some
are smaller but have a lot of 
pockets of buying and to buy all
at once and to buy in a 
enterprise way requires change 
management it requires the 
hearts and minds of the people 
that are
making those procurements are 
running the different IT 
organizations across a very 
large complicated organization 
to want to do it. So you can get
there and I think you can buy a 
large agency at DHS or HHS kind 
of organization could 
conceptually buy altogether but 
you need all these very large 
and complicated organizations 
within those large complicated 
organizations to want to do 
that.
So if you've had the environment
that supports people coming 
together I'd say yes go for it 
and see how you can come up with
corporate solutions but if you 
look at recently in the DoD and 
Jedi procurement and the idea of
moving to a single provider 
which was the plan, that met a 
lot of resistance at different 
levels of government and 
industry so it is easily said it
is hard to do but it doesn't 
mean that we should not try hard
things in copperplate how we can
make them -- -- contemplate how 
we can make them dance back I 
would 
>> I would say a couple things 
to think about is that when you 
go to -- I don't think any 
organization that's large 
incapacity would agree all in 21
way or another to one way or 
another -- the organization and 
the policies and politics that 
go around that it's important to
have options and there's options
out there. You have your public 
commercial Cloud providers, 
you've got your you can do and 
on pram Cloud on print Cloud 
Solution that might depend on 
what will fit within your 
organization and specific needs 
and be able to address them and 
I don't know if all in one is 
going to ever be an option but I
think that's why we talked a lot
about multi-Cloud environments 
and hybrid Cloud environments I 
think that's the reality of all 
the data assets we have and all 
the applications that are 
running and all the legacy 
applications that are running. 
You just don't want to put that 
all in one.
>> The challenge for having 
multi-Cloud procurement is
as strategies change in this 
case if you put all of your eggs
in one basket let's say Amazon 
or Microsoft or salesforce, 
moving at the speed of dynamic 
decision-making, it's very 
difficult. Because you put 
yourself back when you do permit
as hardware software were trying
to be agnostic in this case I'm 
trying to help the mission and 
try to figure out what makes 
sense do we have a single bucket
of money we can actually spread 
across these Cloud providers, 
what is how easy it is to 
actually move funny between 
those particular call providers 
Cloud providers from our 
position it's -- in a specific 
Cloud with the procurement 
challenges is very difficult 
moving that money between one 
provider in the next. And 
there's a consumption model and 
it's a utility at the end of the
day it is a challenge that you 
run out of the period of 
performance and you still have 
money left on the contract and a
lot of times that period of 
performance and and that 
committed money goes away and if
you do licensing if it's SAS 
solutions and you have to 
actually commit and as a 
strategy and adoption takes a 
while so if you start with 3000 
users for specific SAS 
environment that you end up and 
up having five or 10 users 
consume that that's money left 
on the table for the government 
that can never get it back. So 
GSA from a procurement schedule 
GSA has the schedule seven or 
CSV 132 -- 40 and allows you to 
be able to procure these Cloud 
service providers one things 
says was the best way to procure
that and allow for the 
multi-Cloud span inability to 
move funny between Cloud is a 
key for this to succeed 
otherwise you'll end up really 
committing a lot of money in a 
single provider and have no way 
to prove that especially if you 
strategy change and the decision
to actually shift between Cloud 
becomes a key so if you find out
that a workload is better in 
Amazon Cloud versus Azure Cloud 
you cannot switch the workload 
you are pretty much committed to
it. 
>> The fact of the matter is 
that Cloud is somebody else's 
data center effectively. It will
go down all clouds go down and 
Amazon
has gone down in the past and 
Microsoft has gone down in the 
past and salesforce has gone 
down these are outages because 
as technology like outages in 
your agency today may be less 
frequent but they are outages I 
think Amazon in ADS is like 
99.9% of time if I recall it's 
about 72 hours of program in 
downtime per year. But don't 
quote me on that
is not necessarily what they say
but it works out to something 
like that and it is a reality of
technology things break so 
there's
business continuity is an 
important concept in all of our 
environments presently in 
business continuity in the age 
of multi-Cloud in some ways is 
actually a little easier if you 
have technologies that you 
procure with your Cloud 
initiatives that allow you to 
fault over to another Cloud 
environment or run in a 
multi-Cloud environment as Jay 
is subscribing because you'll 
have an outage and when that 
outage happens AWS or another 
provider Microsoft or Google 
whoever it is they service level
agreement is around
getting their infrastructure as 
a service backup in a timely 
manner in there very good at 
that but if you read the fine 
print off and you're responsible
for your data you are 
responsible for your systems you
are responsible for the security
of the system that is not on the
provider per se and
the reality is if something goes
down if it is not a well 
architected application or if 
there's a lot of dependencies 
sometimes it can be very hard to
bring that application back up 
sometimes data can get corrupted
so you need data protection when
you are using the clout you need
business continuity you need the
same requirements you have today
in your agencies when you 
operate IT and that you need to 
buy when you are buying 
technology. Apply if you are 
buying data center services 
effectively Cloud services 
computer services in the clout 
from another vendor. They aren't
going to do all those things for
you they might feel like they're
doing something for you because 
that's the way it sounds or is 
sold but that's where you have 
to really read the fine print 
and ask a lot of questions and 
in my opinion.
>> We have one question in the 
audience. We have a couple more 
minutes left. 
>> Thank you I think Shannon 
mentioned we have to move
[ Indiscernible] I would like to
know are these Pacific examples 
of the writings and how these 
writings are secured in the 
Cloud environment? Back
>>
The question sounds like 
specific to Cloud security for 
specific documents that may be 
moving into a public Cloud 
environment? 
>> How the secured Cloud 
environment
>> Those will have to be open 
discussions with the Cloud 
provider that
you are talking to and again 
goes back to the open 
communication as what are you 
looking for as an organization 
and again to have those security
staff your security officers in 
the room that actually are going
to help you to ATO and all of 
those things along the way as 
the sooner you get them involved
my point was at the happier 
everyone will be. The checks and
balances will be there as you go
down that path. From a security 
perspective, you have to figure 
out
it will have to be an open 
conversation with the service 
provider that you're talking to 
-- is how are they securing your
data, who has the key or owns a 
key management aspect of that, 
are you supposed to be in 
control of that and some of the 
organizations have very 
sensitive data and they want to 
obviously hold onto the key 
management structure so they can
own it and not have the 
commercial Cloud vendor on that 
aspect of it. And then the 
security around audit and 
lineage who is accessing the 
data when you need to figure out
how you're going to implement 
that and how you will do that 
when it is not in your data 
center in her more -- anymore --
>> We are about out of time and 
have a quick lightning round if 
we can no pressure maybe 15 
words or less and see how we do 
in terms of just what final 
thoughts do you want to leave 
with our attendees today in 
terms of how to make a lot more 
agile in sort of future proof 
acquisitions so that 10 years 
from now we are not thinking 
about the challenges backwards 
looking that we had 10 years ago
when it comes to how 
solicitations looked and how to 
future proof the requirements? 
Back
>> I would get all your 
components together and start to
define your future goals as an 
organization and what that might
look like and how much data 
consumption is going to be in 
the future based on historical 
numbers, the sensor information 
coming in from all over the 
place is going to be crippling 
in the next five years so 
account for that and account for
if
a Cloud service provider starts 
to raise the rates on you and 
you can no longer afford that, 
how will you move and transform 
and transition your data over to
something else? Be cautious of 
where you're going to
put your data assets, how your 
data assets are going to grow 
and how your personnel how are 
they going to be able to access 
this data in the future with 
mobile devices or everything -- 
will they be remote work from 
home and the office and how they
access this data and is that all
going to make sense with the 
future roadmap so map it out and
don't go into this quickly or 
hastily, just make sure you 
define all of these requirements
and set the stage. 
>> I knew lightning round would 
not be easy. 
>> Like lightning thunder a 
little more lightning -- real 
quick Cloud everything Shannon 
said plus Cloud is a very 
important to in your toolbox 
software as a service 
infrastructure service all these
things have the opportunity to 
change the way organizations by 
technology and we are 
effectively outsourcing a lot 
more things that we used to do 
we did internally. One day in 
the future it will be about the 
data Shannon is talking about 
and most technology will 
infrastructure kinds of things 
and applications even through 
the salesforce and Microsoft and
others will be in the Cloud 
largely and you as leaders in 
your agencies need to have 
strong control over your data, 
understand it able to use it in 
the word is and how to move it 
around and pull it back when you
need it move it across multiple 
calls because when it comes time
to use that data to achieve 
great outcomes in your agency it
doesn't matter where it is the 
people that wanted want it when 
they wanted where they wanted 
how they want and it's up to you
to enable your IT organization 
through acquisition to be able 
to have tool to move that date 
around own it and have mastery 
over it. That is the long-term 
thinking it long-term strategy 
will achieve success not just 
government and not just federal 
government but across IT. 
>> I keep it very fast agile 
acquisition is a key it is a 
terminology that would be here 
and a lot of the Contracting 
Officers out there are trying to
figure out how to do agile 
acquisition and I would say 
start with GSA schedule I think 
there's a good opportunity for 
you to leverage but situational 
awareness agile acquisition.
>>
Thank you to all of our 
outstanding panacea for the 
great questions I came in online
alternate back over to John. 
>> [ Applause ] 
>> Provide instructions for very
quick break. 
>>
Panel again thank you so very 
much and you again our audience 
now we will actually take a 
formal break but it will be 
extremely brief I think will get
back together at about 1135 
Eastern daylight Time. In the 
auditorium and virtually. In the
auditorium and virtual e-
--
>> 
>>
All right ladies and gentlemen 
thank you for returning I 
appreciate that it we have a 
case study on public sector the 
public-sector point of view on 
implement the Cloud strategies 
and clot adoption in public 
sector we are going to 
experience the process of 
walking through the end to end 
implementation cycle identifying
project gaps and managing the 
metrics and return on investment
and if you would welcome please 
the individual leading this very
intimate conversation is David 
President and CEO of practical 
solutions.
>> [ Applause ] 
>> Thank you for inviting us 
here to present. It was a 
last-minute -- I was asked about
3:00 yesterday to actually step 
in and do this use case. And the
intent initially was to present 
the use case of the commercial 
and the government and our 
experience to the whole journey 
of to the Cloud and opted to 
actually instead just focus on 
the government implementation of
the Cloud and I have invited Ms.
Mary the CIO for small business 
administration to join and have 
this candid discussion and I 
touched on earlier is that the 
TB partnership between the 
industry and the government or 
in this case any organizational 
management leadership to have 
the Cloud migration to be very 
successful. So hopefully good to
enjoy this and we will have a 
more interactive and take some 
questions and feed in and you 
get to actually see how things 
actually work, how it should 
work properly to be able to have
a successful adoption to the 
Cloud.
>>
Our last 18 months of engagement
has been to actually help the US
small business administration as
you know Small Business 
Administration is focused on 
addressing their whole mission 
is about addressing small 
business owners and 
entrepreneurs of trying to make 
sure in this case be competitive
advantage and actually 
supporting the small business as
most businesses they grow from 
small to large. And help them 
through that journey. Had the 
pleasure actually supporting Ms.
Mary bowed in previous 
engagement we do a lot of 
strategy for FSMA back in US CIS
and
she's a very known figure in 
this case and has been talking 
to a lot of different stages so 
it has been a great use case to 
actually present for you Ms. 
Mary she has different titles in
the past and 30+ years of 
experience in the technology
and been a CIO, CIO now and been
a CTO, she's been Chief of 
Staff, been Program Director it 
GSA so she's been instrumental 
to make sure that our Cloud 
journey is successful.
>>
At this potato time before we 
dive in and how the Cloud 
journey began I will turn it 
over to Ms. Mary to introduce 
yourself or to be able to just 
lead us into the use case of the
Cloud journey. 
>> All right good morning. I 
want to walk you through a 
little bit of what I walked into
at SBA in October 2016. There 
had been a lot of turnover in 
CIOs before I got there. So on 
Monday morning when I reported 
the weekend before I got there 
there was water coming in the 
>>data center, not a lot, any 
water coming in a data center is
not good. That was the weekend 
before I arrived there
in a big storm in DC in the 
construction on the 
Representative and a long story 
but there was water coming in  
that in a data center. My very 
first weekend there the air 
handlers went out in the data 
center. Welcome aboard to SBA. 
Throughout that week I got 
nothing but complaints and 
service in all of those kind of 
things and immediately jumped in
with both feet tried to figure 
out what's going on. Not only 
that I had Workforce I was down 
about 30% in Workforce so my 
immediate staff in the CIOs 
office I had a lot of vacancies 
going on including key 
leadership positions and did not
have a CTO, a deputy CIO, 
Director of operations, getting 
ready to hire I had a sister 
that was brand-new ministry that
only been there for two weeks   
two months and Workforce gaps 
and walking in 20
environment long story short I 
was there about two weeks and 
asked what was running on a 
number because nobody was in my 
office and they screamed at me. 
Welcome aboard SBA. I had 
somebody literally come in my 
office and already about how bad
the Network was all bad 
connectivity was, as a team I 
said what is running on her 
Network give me Network 
utilization of what are the top 
five things running on her 
Network they could not tell me. 
This was her Network operations 
or no one could tell me what was
really running on our networker 
in our data center I asked for 
an inventory what's in our data 
center I got four different 
inventories. I asked what was 
running in the SBA environment 
SBA's berries don't type very 
separate because of the turnover
in the CIOs file Program 
Officers had done many of their 
own things and just by virtue of
getting things done I cannot 
necessarily blame them. But 
walking into an environment like
that and not knowing what is 
running I got my arms around the
contracts this is when Jay 
started working with us,
to stabilize the data center 
understand what was in it so 
that was one of the very first 
things. The pictures up. I 
actually I think about my third 
weekend I came in
early one morning with a camera 
and walked through the primary 
data center and took a pile of 
pictures printed them out put 
them up on a wall and see it up 
there was before. And that is 
where we started back in the 
fall of 2016 there were three 
things I told the T by 
mid-November so about six weeks 
and I said one we are going to 
Iraq are said data center, we 
will move our entire Network in 
our entire infrastructure which 
was -- more than 30% completely 
saturated and not architected 
correctly in three getting our 
entire environment moved to 
Windows 10 and office 16 those 
with the three things I said 
were articles and that's where 
we were headed and remind you I 
still had to take care Workforce
and get a deputy hired in those 
kind of things but with Jay's 
assistance we took on getting 
arms run the data center and 
stabilizing that and I will turn
it over to you. 
>> Can you touch on the Cloud 
funding before the aspect Cloud 
funding I had no money to go to 
Cloud when I said we are going 
to for racks in our data center 
I don't think my team understood
what that meant I knew what that
meant I'd been working in the 
space for a while and knew 
exactly what that meant my team 
did not know what that meant
, I don't think anybody outside 
of my team whether it was 
acquisitions or HR or anything 
like that really understood what
it took to get to for racks in 
the data center I did that with 
no funding. I ate out of my 
budget I looked as part of the 
assessment that we did I looked 
every wreck that came through 
for funding why if I'm going to 
shut down a data center am I 
going to buy UPS batteries? Why 
am I going to spend money I had 
38 different security tools why 
do I have those tools? Why am I 
doing that?
Looking at how we are spending 
when those requisitions came in 
for hardware for CDM phase 1 I 
said I'm not spending more than 
$300,000 on hardware for CDM we 
have a Cloud environment as part
of our enterprise licensing part
of our enterprise agreement we 
have a Cloud footprint why do we
just use that we are the first 
agency to put CDM in the Cloud. 
We did it because I refuse to 
pay for the hardware I did not 
have the money. With the cuts 
that I did for the software not 
buying any hardware I told the 
team as well she's familiar with
this no new hardware in the data
center. I'm going to hard light 
and that's how we got the CDM in
the Cloud and the money that we 
cut from all of that I 
reinvested into that 
architecture and engineering 
services that is how I 
self-funded by having the 
successes throughout into FY 17 
I proved with the team not meet 
the team proved with a deputy I 
hired CTO with a partnership 
with our contractors we showed 
number of successes and we were 
able to reinvest those dollars 
so I did not go to the CVS -- 
CFO for another penny. --
>> Thank you, Mary this is the 
stage of moved into actually 
walked in and so reality would 
take on a challenge like this as
easy as basically it's a day to 
day operations strategy and 
vision of the CIO. Drives the 
mindset where are we going and 
headed, so
reality you don't see all the --
some of the challenges there's 
text on this on the slides that 
so October when we walked in to 
the data center
the very first thing from a 
strategy perspective is trying 
to get a handle a lot of you 
heard earlier that there's an 
inventory that you have to know 
what you got since we didn't 
have an inventory so we didn't 
have an actually way too be able
to figure out exactly where our 
assets is within the data 
center. First thing that we took
on is to actually do the 
stabilizing very immediately 
there is a lot of infrastructure
within the data center and a lot
of them were turned on but not 
been used so a lot of them taken
electricity consuming a lot of 
obviously HVAC was a key when 
they were shut down so we worked
trying to first thing we walked 
in is due the technology 
assessment.
>> And I say how we do that? 
Back yes. 
>> Used for those in acquisition
Workforce we applied agile 
methodologies to our data center
to get in our data center 
stabilized this is what Jay is 
not saying that we had daily 
standups with the meetings we 
turned up during the Cloud we 
are using that to track 
everything in it was a big hard 
push and we had a culture change
that we needed to take on to 
address it so we applied agile 
methodologies we had series of 
sprints all of those things 
daily standups to get to 
stabilizing the data center and 
getting that inventory. 
>> So this is before we actually
had the targeting the initial 
objectives was to actually show 
value show stabilization from an
agile perspective when you stuff
is are being turned off in 
electricity shut down exactly 
falling apart is you get to 
address it right away and that 
was an initial task and we did 
take months trying to do this 
and we took literally a couple 
weeks to be able to get to that 
stage in the next consolidation 
basically a lot of environments 
and multiple different racks 
that need to be in a single rack
and a lot of the steps actually 
tagged for that's being utilized
or not utilized we got some 
servers that used to be 2003 
servers that were completely out
of warranty, so we had to do a 
very effective key 
accomplishment right away to 
make sure that we have a 
stability within the data center
consolidation and then the 
forming of the entire team. The 
objective is to actually get to 
the for racks as a main driver 
for us to get to the Cloud. So 
if we had hundreds of different 
racks within the data center 
trying to get to the four it was
a core strategy did not happen 
overnight.
The first thing is to actually 
get the whole management team 
onboard and between the time 
that Mary had to basically hire 
the federal staff the CTO, the 
CIO deputy, and try to get 
everybody in the same room and 
in the same looking at the same 
view to make the right decision.
And we formed the Tiger Team 
that's a mix between the federal
staff in our staff and try to 
make the every single decision 
tried to get to the Cloud. So 
the period you see here is this 
is before February 2017. Between
October and February, we had to 
stabilize consolidate and to 
form the team and then jump to 
the Cloud and I think our star 
performing the team was about 
February first week of February 
and 2017. To get from February 
to May, literally 82 days to 
make sure we stand out in 
environment in the Cloud 
environment and that is gone 
from zero to basically have an 
ATO within a Cloud environment. 
That meant the agile methodology
is the key and we have to make 
agile decisions, and to be able 
on the -- cannot be an 
individual we have to actually 
be empowered from both the 
contractor as well as the 
federal staff to actually work 
together in making these 
decisions. Initially it's about 
education educating everybody 
onboard so
Mary knew about the cloudiness 
capability of the Cloud and the 
rest of the federal team did 
not. Till she hired the deputy 
CIO, and got help it was an 
impossible task to be able to 
consider going to the Cloud. [ 
Indiscernible - Audio cutting in
and out ] environment we decided
against that have to get to the 
Cloud and get for racks. And we 
initially educator the team I 
Cloud it took a lot of 
relationship with the Cloud 
service provider and our team as
well as the federal team to be 
able to educate about the 
infrastructure of the servers 
and identify them the platform 
and what things they that would 
be helpful to stand up and 
Cloud. 
>> The team that was formed with
executive sponsor at the time 
Geiger Bala is an executive 
sponsor in you can see the CTO 
assigned as well as myself and 
the team to be able to relief 
manage multiple Scrum teams to 
be able to focus on a lot of the
things that we didn't know but 
we know that we need to have at 
least a starting template of the
team structure. The service 
management, the engineering team
the automation team, even the 
migration team as well as the 
operations team, those were all 
involved in the decision-making.
Embedded among all these teams 
is actually security. Security 
is not a team by itself it is 
actually is the objectives for 
the Cloud has to address 
security at every step of the 
way. In order to be able to get 
to an ATO within 82 days it was 
a very key having those 
partnerships across the team as 
well as securities actually 
involved in it.
>> So this is the initial 
concept for the Cloud. It made 
very generic structure 
perspective brought a lot of 
previous work that Guy has 
actually done it TSA in the past
so we borrowed a lot of these 
concepts to put in place and 
here on paper it is almost a 
napkin drawing of the what the 
Cloud Network infrastructure is 
going to look like and we didn't
know a whole lot but said let's 
take a stab at it in it should 
be the initial architecture 
having Enterpriser plot 
architecture it is not something
we started with having a full 
detail of it so based on that we
actually worked with case 
Microsoft management team and 
the Microsoft training centers 
to be able to educate the whole 
team and be able to get the 
connections to the Cloud. We had
connectivity's and AT&T and BLS 
Network as a way to connect to 
the Cloud so we worked with AT&T
in thought that's connectivity 
to the Cloud would take months 
and must to do it. And it was a 
lot easier a lot easier it took 
only a couple is trying to get 
connected with the express the 
multiple ways you can connect to
the the Cloud and have a 
interconnection between the 
center Cloud as we migrate to 
the Cloud he connect levity in 
high-speed connectivity so we 
stood up to extend our 
environment to the Cloud and 
include that as part of the 
whole ATO package?
>>
>> [ Captioners Transitioning ] 
>> 
>>
cloud infrastructure. Those will
have different challenges 
altogether. The other aspect of 
of it is security. Security is 
the main key. A lot of times you
think if you 
put it
in a secure cloud environment, 
it's all going to be secure. 
There is a lot of other pieces 
that you have to take into 
consideration. That to me is a 
constant feed from the strategy 
although we downsample 
mentation. You can't just do a 
strategy once and forget about 
its. The capabilities of what is
actually being released into 
this cloud is fast. Sometimes 
you need to take advantage of it
to actually help you out. The 
last thing I'm going to end up 
with is the last slide about 
what I just mentioned, you have 
a lot of competing efforts that 
are used 
to take into consideration when 
you go on the cloud. Consider 
actually doing the strategy 
session, but is continuously 
making decisions, and you can't 
just make a decision at the 
time. It is a constant change. 
Constant change is going to 
require 
constant decision-making. I'm 
going to stop here and actually 
take a lot of your questions. 
You're going to run into a lot 
of these similar issues, and not
necessarily as complex or as 
difficult as it is and other 
agencies because they may have 
the funding. Mary, what is your 
funding for? 
>> My budget is a rounding error
compared it to some of the 
big agencies. Even if I have 50 
Kaoru hundred K or something 
like that, that is big dollars 
for me. I can do something with 
that. I am pretty creative when 
it comes to that. I want an 
acquisition community that is 
with me. The contracting 
officers and others that are 
helping me 
and creative just as well and 
just as innovated so that as we 
are pushing the envelope and 
trying out new technologies and 
really trying to move to the 
cloud and trying to be quick and
fast, I have to be responsive to
my 
program offices.  As new people 
come in and out, as the vision 
of SBA and the things we need to
do,  I have to support that and 
be responsive to that. I need an
acquisition community that is 
just as creative and flexible 
and able to move things through 
as quickly as I would like to 
run. 
>> I will take questions. 
Jenelle, I can see the 
questions. If any questions in 
the auditorium, I will take 
those questions. 
>> Hi I'm from the national 
credit Union administration. My 
question is for you, can you 
talk a little bit about or speak
to how given that aggressive 
timeline in which you went to 
the cloud, can you talk about 
how you Boettcher [ 
Indiscernible ] or 
your existing CIO staff along 
with you to the journey to the 
cloud? That seems like it would 
be an aggressive transformation 
of skills to some extents. 
>> For 
bigger picture, the first year, 
October 26 scene last fall was 
incredibly focus on a ton of 
behind 
scenes things. A lot of that 
wasn't completely visible to the
rest of the organization, that 
they knew services were getting 
better. For the workforce piece 
of it, last summer we did a 
whole series of once a week 
lunch and learns. I have not 
turned on any request for 
funding for training at this 
point. There has been some that 
have come in that we have 
redirected 
people to for cloud-based 
training or something like that,
but I have not turned down any 
training. We are taking 
advantage of the lunch and 
learns because there is a lot of
free trading 
out there. I deputy actually let
this. He took a look at the 
courses and a lot of the free 
things that were out there. We 
opened it up, we had a lunch and
learn, I would go to those as 
much as I could. That's how we 
got to some of the 
training that you asked about. A
lot of it is on the job, and 
some of it is that we are not 
doing this or that anymore.
>> Any more questions? 
>> My cloud budget? My actual 
overall budget in my office is 
probably about 26 probably about
26 million. This is all publicly
available. I budget 
for cloud, probably what we are 
spending on cloud and what we 
are burning, probably around 1 
million, 
I think. We have actually been 
doing a lot of tweaking this 
year as far as what we are 
burning. We are actually 
questioning everything certainly
with J and my contractor, we are
monitoring the 
monitors -- contractors. We are 
not passively monitoring it, we 
are actively monitoring and 
managing to be able to manage 
our 
spend. It's in totality for 
environments. We have to watch 
what we are doing and turn 
things off as it is not 
being used. 
>> My name is Mona, I am from 
the United states department of 
agriculture. Clearly there is a 
reason why people have started 
working around your 
organization, you came and took 
care of the stuff behind the 
scenes. At some point, the 
client has become a driver of 
the business. It will take Dick 
-- change that made people 
distrust for a matter of time. 
How are you moving converts as a
seal moves from the back office 
to the driver. How are you 
changing lines to know that is 
no longer something just 
happening in the back room. 
Actually 
showing success, the first year 
we showed a number of successes 
moving into the cloud and 
packing up some of our systems 
to the cloud, then doing the 
migration. Those users are 
seeing the results of in a more 
stable environment. Having more 
capacity and more capability, 
being able to 
show people that you don't need 
to buy these tools. We on these 
right now. 
For that staff that is outside 
of my office, some of it has 
been for the technology folks 
are out there. They are sitting 
back there going great, another 
CIO, there has been 12 and the 
best 15 years. I have had to 
overcome a lot of those cultural
things. We had to prove, show 
some successes internally, then 
people start paying attention. I
will tell you that I have an 
awesome partnership with Tim 
Griffin who is 
our CFO, working with him on the
finance piece. Anything that is 
over 50 K, I have final approval
and sign off on. Last fall, I 
sat through all the budget 
reviews side-by-side looking at 
all of the agencies spend. That 
is a lot of work, but I set that
to every one of those. We took 
all the spreadsheets, dump them 
in power be I and every time I 
walked into a meeting I put them
up on the screen and said, this 
is what the tools 
can do for you. We were able to 
show how the spread was. Not 
only for just that particular 
program our office, but across 
the whole agency. By showing, we
were able to do that. Is 
a matter of demonstrating, 
showing success with 
my CFO. 
>> I think we are almost out of 
time. At the end of the day, 
partnership eternally at the 
federal staff and stemming from 
the strategy down to the 
implementation is the key for 
success. 
>> As we are working together as
a team, I look at my CIO team as
a team whether they are feds or 
contractors. There are things 
that have broken as we have 
moved along this journey. Things
that have not worked, and I made
it very clear to might seem that
we are not pointing fingers 
because there are things that 
happened before I got there, 
that when we make a change over 
here the impacts something over 
here, they should be mutually 
exclusive. As we are moving 
through this, we are doing 
different things. I made it very
clear to the team that we are a 
team and working through this 
together. When Jade showed you 
the chart of their, that was a 
complete mix of my contractors 
and feds on 
those teams. We are trying to 
build that and we are not in the
business of pointing fingers and
telling people you broke it's. 
There is things that happened 
before I got there and there is 
things that are going to happen 
is you're trying new things. 
>> [ Applause ] 
>>
Thank you so very much. Once 
again, let's do a quick set 
change and get ready for a 
Faneuil -- final paddle. Our 
final paddle -- panel, cloud 
management evolution and what is
next is going to provide insight
on what comes after the 
successful implementation. Error
panel members are going to 
discuss the challenges to 
express, and of course, 
the great taxes for operating in
this new cloud environments. 
This session is going to 
conclude with strategies and 
next steps to enhance the 
journey, and a 
sneak peek at some up-and-coming
technologies that are going to 
play an increasingly important 
role in the cloud evolution. If 
you would, please welcome Moses 
[ Indiscernible ] to leave this 
final panel. 
>> [ Applause 
] 
>>
You pretty much said everything 
I wanted to talk about in terms 
of introducing the session. Good
afternoon, everybody. Welcome to
the final session. 
Cloud management/cloud 
evolution, and what is next. You
heard the previous panels take 
it to the cloud attorney 
starting with the whole 
cloud strategy. What you need to
buy, how do you procure it, and 
how do you migrate your 
workloads. Again, what we are 
going to do is a focus on what 
comes next. What happens when 
you actually implement your 
workload into the cloud. How do 
you actually operate in the 
cloud. Again, my name is Moses [
Indiscernible ], we have a great
panel over here for you for 
this event. Starting with [ 
Indiscernible ] on 
my left, she is the chief 
solutions architect at [ 
Indiscernible ]. [ Indiscernible
], 30 seconds, what is your 
favorite cloud acronym or 
buzzword? 
>> My favorite buzzword 
is transformational.
>> Next up on the far right's is
Adam Claytor, and Adam is the 
chief architect at the North 
America public sector 
division. 
>> I think one of the things 
that I have heard is when your 
cloud bill gets to around 
$200,000, your cloud salesperson
never stops, you. When he gets 
to 
1 million, they never call you 
back. Is just a idea of how do 
we put the control back in the 
consumer of cloud, rather than 
having folks locked in. We are 
going to talk a lot about that 
and how to make sure our 
workloads are portable, and we 
are smart consumers of cloud. 
>> Finally, we have Dan [ 
Indiscernible ]. Dan is the 
strategic executor from a small 
company 
called Google. They make search 
engines. Dan, what is the 
airspeed velocity of [ 
Indiscernible ]? 
>> I had to Google this, 11 
meters 
per second. 11.15 meters 
per second. I don't know if it's
so much a story, but I think 
given the composition of much of
the audience today, I think it 
is important to realize the 
brave New World that we are 
entering. The federal 
acquisition registry includes 
the word cloud exactly 0 times. 
If you extend 
that search to the D far, the 
word cloud shows up 
six times.
I was at the White House at the 
time on the national security 
council staff. I helped push 
that document else. Times 
are changing, and that is really
the focus of the conversation 
today. It is not just about 
understanding tech, it's about 
understanding the impact on 
business and culture of 
that tech. 
>> Folks, we have some really 
smart people on 
the stage. Without any further 
ado, let's jump into the 
discussion over here. Let's 
start with an important 
milestone. Some of you have 
already crossed it, some of you 
are getting over there 
very soon, and that is deploying
your first application in 
the cloud.
[ Indiscernible ], let me start 
with you. You successfully 
deployed your first application 
and no one is complaining. In 
your experience, what are the 
important things that one should
be thinking about at this stage?
What do you need to do our 
strategic and operational level.
>> First, I will 
start with admitting that it is 
a bit of a hypothetical question
because given the size and 
organizational structure of the 
agencies, there won't be one, 
there will be many. One per 
program office or center or 
service or 
business unit. They will all be 
going to the cloud. This 
question, when the panel 
selected it was intended to 
be a table center for the 
conversation that follows. Let 
me try to start off that 
conversation. Folks do a lot of 
stuff after they 
achieve -- a lot of stuff has 
already happened before you did 
that. At this point, when your 
first ATO is granted, I would 
strongly urge people to use this
first experience as a 
learning experiment. They should
gather and leverage those 
lessons learned across the 
entire enterprise. How do we do 
that? We do an enterprise 
retrospective. You can get some 
coaches, acquire services to 
help you along with the 
activity, but at a minimum, your
group of people who are engaged 
in is retrospective are your 
system developers 
and owners. I.T. operations and 
infrastructure, and 
absolutely acquisitions. There 
are some critical lines of 
inquiry here as to what we 
do next. How was our experience?
How long did it take? How many 
groups 
did it involve? Where their 
shortcomings in our system, 
culture, and configurations that
we had to overcome? Does this 
meet 
performance requirements? Was a 
process of deployment automated?
If we keep to our current 
process, how many updates and 
appointments can 
we do? What changes do we need 
to make in 
our operations? When do we know 
something happened to that 
system? What is our contingency 
plans, disaster recovery, 
recovery 
time objective? How long did the
ATL process take? Two expects 
all systems to follow the same 
process, or are we going to 
somehow 
change it. How do we update our 
check model? There is this new 
reality of there being a cloud 
in our environments. What 
security events do we need to 
now monitor 
and address? Are you seeing the 
cost savings that you perhaps 
expected to see? Why and why 
not? Finally, we are trying to 
do this because we want to learn
lessons on how to do this faster
and cheaper. That's a pretty 
significant lists. The question 
naturally arises as to why 
should we do this? For that, we 
have to kind of step back a bit 
and tell 
a story. 
After all, we have been 
developing systems and running 
infrastructures for decades 
sound. Why do we have to 
suddenly change everything? 
What happened? To 
answer that, it is necessary to 
take a step back and talk about 
a particular story. First of 
all, everybody knows cloud is 
the thing 
right now. Everybody is doing 
it, everybody's going to the 
cloud. We had a little 
discussion in the morning about 
clop -- 
cloud adoption. To me, the 
question was why. Why are people
going to the cloud? We started 
looking and obviously, what 
happened was we found out 
capacity and elasticity 
on-demand 
and cost-effectiveness was a top
two reasons why people were 
moving to the cloud. There were 
a whole bunch of 
other reasons. Then, another 
thing that caught my attention 
was sudden leadership 
in industry. They understood the
cloud platform to be that 
transformational technology that
allows them to change 
their organizations. It allows 
them to transform their 
organizations to what they 
always wanted. What you folks 
want is nothing different than 
what those guys want. More 
organizational responsiveness to
the mission. More business 
agility. The stories are no 
different, everybody is really 
looking for that responsiveness 
in the 
business agility. That was a big
reason for why they finally 
recognize cloud as an 
enabling technology. For me as a
person who has been dealing with
the cloud for a while, I note 
that most of the basic 
technologies within the cloud 
exist in your enterprise right 
now. Virtualization containers, 
all that stuff, disc, block 
storage, every base technology 
that exists in the cloud exist 
in 
your technology. What the cloud 
really did was put that in a 
smart 
new package. If the Internet 
gave us the global communication
infrastructure, Inc. of the 
cloud is given you the global 
compute infrastructure to go 
along with it. 
All that, you get to go to a 
website, present your credit 
card, and use every one of these
ideas that we put together in 
the package. That is new. How we
deliver is back to the 
end user. What was really 
almost transformational, CEOs, 
and leadership have completely 
revamped their business models. 
They have created entirely new 
business models, and they have 
bought about the kind of 
transformation they were looking
for. That is why you have to 
live lesson, because 
the package [ Indiscernible ] to
enable cloud [ 
Indiscernible ]. Timesharing for
your cost-effectiveness and 
pay-as-you-go. It doesn't make 
much sense for anybody to 
go adopt a new awesome package 
of old technology, and then go 
about doing the stuff the way we
have been doing it all along. 
You can't take your old info 
structures and the way 
develop systems. That's why we 
have to learn lessons. That is 
why we do enterprise 
retrospective's. We learn how to
change all the processes from 
development to deployment to 
operations 
to security. That is the first 
step that I recommend the 
organizations take. 
>> Transformation is a keyword. 
Very 
good. 
>> That was my buzzword, 
transformation. 
>> We talk about transformation,
I'm sure people have heard about
buildings faster, 
better, cheaper. There was the 
old joke about picked two of the
three, I think with the cloud we
can get all of 
the three. Is or anything that 
is different when you move to 
the cloud from moving from 
physical infrastructure to 
the cloud, you just finish your 
migration, you, the next day. 
Are the things that are going to
be 
the same? Does anybody else on 
the panel have any opinion about
that? 
>> I think we need to take a 
little bit of a step back and 
think about when we began to 
talk about cloud, what aspect of
cloud are we really talking 
about? Infrastructure is a 
service, which is the classic 
design of I have a virtual 
machine or a physical machine 
within my data center, I want 
somebody to take on the [ 
Indiscernible ], and I just want
to move that out to someone 
else's data center. There are 
other models that I think we 
would talk about later on Mike 
platform as a service, function 
as a service, and finally, 
software as a service. I think 
what I have seen have been 
focused on the two extremes of 
that retrospective. For a lot of
organizations, that was actually
the first foray into the cloud. 
Now, we are looking at some of 
these lift and shipped type of 
models. I want to move out of my
data center into someone else's 
data center, so I drop that, I'm
no longer in the real estate 
business, which these are 
intelligent decisions for CIO to
be making. Many times, that is 
closely aligned to Morava 
manage services contractor. If I
haven't reflected my application
to exist in the cloud, I'm 
really just entering into a 
managed services agreement with 
the cloud provider, and then 
obligate myself to pay by the 
minute or by the hour for that 
service as I 
do that's. I think we need to 
carefully examine the cost 
benefits of making these 
decisions. Often times, that 
movement is quite valuable. We 
do that to stem so that 
short-term hemorrhaging of 
cash. If it is more valuable for
us to enter into a traditional 
services agreement, 
I wouldn't necessarily be afraid
of doing that. I think you have 
to look at what level you are 
willing to attack, and what the 
goal of the organization is 
beyond moving to cloud, which I 
think has been a big driver. 
>> I want to pick up on that, 
and also pick up on [ 
Indiscernible ]'s comments. Once
you get your toe in the water on
cloud, I think it 
is important not to focus on the
technical aspects of it, but as 
some of the other panels said 
before is, focus on the business
applications of it. If you ask, 
why am I doing this 
cloud project and what benefit 
is a having, it will tell you 
whether you are taking full 
advantage of what the cloud can 
offer or not? Am I doing a cloud
project simply to 
save cost? Perfectly valid 
reason. There has been a push 
for years to improve cost 
management, but that is sort of 
the most 
basic proposition of the cloud. 
You could go further and say, am
actually getting significant 
performance improvement? That is
a more 
strategic view, you could go 
further and say, is it 
transforming my approach to 
security because I am now 
no longer responsible for what I
move to the cloud for the patch 
management or lifecycle 
management, and that is now up 
to the CSP. The final most 
strategic sick days 
configuration is does actually 
help me modernize? Does actually
help me innovate? Those are 
different value propositions 
from cloud. In my view caught 
the big push to cloud that we 
are in right now actually has a 
very specific point 
in time [ Indiscernible ]. I 
think the focus on cloud, in my 
view, stems from the aftermath 
of the OPM breach. That is the 
first time that all of these 
formally 
separate conversations, they had
tended to be treated separately.
OPM but all of those together, 
and OPM said wait a minute, you 
can kill each of these birds 
with the stone, and that stone 
is shared services or cloud. The
big push to say it is okay to 
outsource key functions 
around I.T. happened under the 
tale of the Obama 
administration. This 
administration has actually 
picked up the ball and been 
pretty continuous and has 
shifted more and more to cloud 
unbalance even more so than 
shared services. Once you dip in
the toe in the water, step back 
and say how is this project 
setting us on a journey to take 
full advantage. 
>> Let me start diving and a 
little bit deeper to [ 
Indiscernible ]. Let's start 
talking a little bit about cloud
management, and managing your [ 
Indiscernible 
]. Adam,
[ No audible content ] 
>> 
I spoke a little bit about the 
ongoing ON M cost whether that 
be in your data center or 
whether that be in a cloud 
environments. The reality is, if
we decide to buy some technology
and it cost us $100,000, but 
there is $1 million on the 
backend of man-hours and 
operational costs in seeing that
technology diversion, that is 
a pretty significant cost. We 
need to make evaluations about 
should we be buying this as a 
service rather than really 
trying to build this technology 
on our own or building this upon
an infrastructure stack or we 
have to be responsible for all 
of that management. I think 
Maria did a really nice job in 
the last session of illustrating
the value of monitoring, and 
having an understanding of all 
the things that you're 
deploying. She said when she 
first got there, they couldn't 
tell her what was on the 
network, what was the top five 
consumers in network traffic? 
Now, she has capability in a 
cloud environment to have that 
charge [ Indiscernible ] and 
say, we need to turn the lights 
off when we 
are done. The potential for run 
of of those costs is quite 
dramatic. What I would say is 
that yes, management and 
management tools are critical 
components of being successful 
in the cloud, but I think the 
tenant that we have to really 
take with this is that it is 
automation of that management. 
If we have human capital 
individuals managing resources 
rectally within our cloud 
environments, it is an 
incredibly expensive way to 
do that. If you have a human 
deploying a server in a cloud 
and it takes them an hour to 
execute on that task, that would
be really great if one 
individual could do that in an 
hour, that is a task that could 
be automated to happen within 
seconds. That is a fully secured
implementation of the 
infrastructure. I really think 
the security of implementations,
the deployment of our 
technologies as we look to move 
into cloud, that is the tool 
that needs to be one of the 
biggest parts of that. I think 
the good news is that learning 
the skills and the practices of 
automation are something that 
you can do within your own data 
center. You can began to 
automate within your existing 
infrastructure and really not 
make a huge expenditure and 
learning how to automate the 
cloud. What I would say 
is that using as an opportunity 
to get your internal house in 
order and begin to automate 
those workloads internally, and 
then automate the deployment to 
the cloud. I believe that once 
we have executed on that 
automation, we begin to figure 
how are you going to automate 
ourselves out of the cloud. In 
the next generation of cloud 
consumption, the portability of 
workloads is going to become 
really important. 
Our ability to move those 
workloads between the clouds is 
going to be the only way that we
can realize those financial 
opportunities. 
>> [ No audible 
content ]
do you have to bite new 
technology when you are [ No 
audible 
content ]
>> I think the vendor 
community has been pretty adept 
at cloud enabling. I think are 
getting much closer to cloud 
enabled tools that may 
be were a few years ago when the
focus was on 
cloud washing. Yes, I would say 
that there is a lot of maturity 
in the 
toolsets today, but there are 
also going to be new tools that 
you're going to seek out and 
that you're going to use. You're
not going to 
necessarily deploy a complex 
monitoring system into cloud in 
order to get a lot of the 
information. You're going to use
some sort of subscription 
software as a service monitoring
tool and then consolidate that. 
I think one of the daunting 
tasks of a CEO is going to be 
how to integrate the things in 
the cloud with the technologies 
that are within my data center. 
There was some discussion today 
on what workloads are or are not
appropriate for cloud. For 
certain agencies, there are 
workloads that may not ever work
to a cloud. I think those 
expectations are constantly 
evolving. The workload may not 
move today. In the meantime, the
integration of exposing the 
business value that is available
in 
the cloud to whether that be our
internal data or even are 
internal applications is 
certainly one of the tasks that 
I CIOs are going to be 
responsible for moving 
order. 
>> One other concept that I keep
hearing about for cloud 
management, that is [ 
Indiscernible ]. This means 
very interesting. Can you tell 
us a little bit about that? 
>> Has anyone else heard 
the term? The idea is that if we
have a server in our data 
center, it is 
really important. We know 
exactly what the workload is 
that is running on the server 
all the time. In fact, we name 
these servers. When I started 
out at the patented trademark 
office nearly 20 years ago, we 
named all of our servers after 
dead rock stars. They were 
really our pets, and someone 
hey, and just went down and 
McCartney is not into this or 
that. That was a real part of 
how we knew 
our infrastructure. We knew all 
these things about these 
servers. We really treated them 
like pets. In the cloud 
environments, we don't 
do that. The idea is that if you
have a herd of animals and one 
gets sick, you don't necessarily
take it to the vet to get it 
fixed, you may just cycling out 
of your production system and 
bring in another Cal or Mule or 
what have you to fulfill that 
spot. Rather than making that 
investment on an 
individual basis, we 
really just have this idea that 
we can build a brand-new server 
with 
this capability instantaneously 
in the cloud. I think that 
really speaks to the automation 
story as well. As we automate 
that, we are able to guarantee 
consistency across all of those 
servers. Hopefully, without too 
much of the gore I illustrated a
bits. I realize Paul McCartney 
is 
not dead. 
>> Let's come back to 
automation, and more 
specifically, [ Indiscernible ].
Who on the panel would like to 
define [ Indiscernible ] 
for me?
>> [ Indiscernible ] is not a 
complicated definition in my 
mind. It is best defined as a 
cultural collaboration between 
your developers and your 
I.T. operations. When we start 
inking about [ Indiscernible ]? 
My suggestion is before you was 
the cloud. If you're going to 
define [ 
Indiscernible ] in the 
collaboration between teams, who
doesn't want that? Start 
thinking about it before you go 
to the 
cloud. Also, I do not know any 
way to do cloud effectively 
without [ 
Indiscernible ].
I tend to think of automation as
the implementation. You can 
asked a question, what form does
is collaboration take? Do 
we talk a lot about each other? 
We already do that. We rewrite 
automation software to automate 
stuff. We want to do a few 
things. We want to [ 
Indiscernible ] and 
automate our [ Indiscernible ] 
lifecycle as much as possible to
actually develop the systems. We
call those [ Indiscernible 
] pipelines. That is typically 
all the code 
that goes and allows the 
automate station. Is an engine 
that integrates all of your 
development processes and 
enables automated testing, and 
it continues delivery pipeline 
which lost of software 
is written. Is about 
continuously delivering software
to 
your environment. When we 
operate in the cloud, we tend to
think of delivering software, 
not in three month increments 
and the big deployment where 
everybody stays up at night, we 
do every day. Our code goes from
our development environment go 
through all the testing, passes 
all the security checks, and it 
is delivered to 
the cloud. We don't want Big 
Bang organization efforts. We 
are organizing 
every day. What do we have to do
to enable this? I told you about
the continuous 
organization pipelines. When we 
write organization for 
deployments, what we are doing 
is let's look at the steps in 
the 
deployment process.
Enterprise services like logging
and monitoring. Then, it comes 
the part about updates and 
patch management. To keep on 
putting patches on it. We write 
code for its. We don't do it 
manually. It is written 
automation so that none of these
instances that we are deploying 
and applications, we 
are handcrafting them, no. It is
part of an automation pipeline 
they get it done. The goal in my
mind is to take our workforce 
from what is considered lower 
level activities to higher value
activities in 
your operations. I don't have to
spend hours and hours taking a 
disk with me or whatever 
mechanism we had of updating my 
servers, I would rather be doing
something else. I let my 
automation engine handled 
the updates. When we build the 
automation, developers, 
operations, security folks, why 
do we need 
this collaboration? Back of the 
date somebody asked me, why do 
you define as collaboration. 
What I did at the time, I was 
stumped, but I 
when asked, give me your top 
five or seven concerns that you 
are managing. I asked from all 
the different [ Indiscernible ].
The list I got back 
is completely different. They 
are managing different concerns.
Of course, that is why we had 
different groups. Now, since we 
have to enable this fast [ 
Indiscernible ] of software, we 
have to develop a mechanism to 
do this better. Automation is 
the answer. That is my 
definition. 
>> I will piggyback on that's, 
and also introduce the concept 
of [ Indiscernible ]. This 
speaks to what the cloud 
can enable. 
Basically, Google and the other 
[ Indiscernible ] are 
increasingly offering cloud 
offerings where you really don't
have to worry about the 
infrastructure upper dating the 
infrastructure 
to automate all the above, that 
is all handled in the background
by cloud service providers. That
is particularly valuable for 
cases like working in databases 
and analytics. It allows an apt 
developer to 
just code. When they need more 
capacity, it automatically 
speeds up and the environment 
has a tool to allow them to 
focus on the coding. A lot of 
cases in our instances, 
allows automation of labeling of
data so that you can focus on 
what the data is telling you, 
for example, to improve a 
business process. The analytics 
folks and applications 
developers don't have to worry 
about all things in the 
background. In 
that case, neither do the I.T. 
operations people inside the 
enterprise. You have the 
opportunity to outsize -- 
outsource 
that provisioning. With.com I 
want to pivot because this is 
one of our questions. In those 
instances where you rely on the 
CSP for more 
the functions, there is an 
increasing opportunity with 
cloud providers to really figure
out what your security 
model is. Do you take your old 
security model from your legacy 
environments and replicate that 
in the 
cloud environment? I have the 
same number of service, but I'm 
still responsible for managing 
all the security. There is more 
value than saying I need to come
up with strategy where are rely 
increasingly on the CSP for 
security. One of the largest 
impediments to cloud migration 
continues to be is the cloud 
provider secure? We provide a 
public cloud in Google and that 
is exactly the same 
global infrastructure that 
YouTube runs on. The 
question is, actually, the 
proposition is that Google's 
interests are completely in line
with yours in terms of the 
network and cloud services 
being available. Our global 
infrastructure 
provides up. We discovered at 
some of the biggest recent 
security flaws because we have 
security researchers in the last
3 years, we 
have put $30 billion into our 
own infrastructure. In 2016, 
Amazon, Microsoft and us put $30
billion in. 
That relieves the burden of 
investing from you, and it 
believes a law of the blocking 
and tackling 
security functions. The 
benefit of relying on this is 
that they are constantly 
upgrading the infrastructure and
the patches and updating 
environments. Similarly, [ 
Indiscernible ] requires 
in-transit encryption. There is 
a long history of challenge 
products in government of trying
to implement 
multi-factory encryption.
We are now in an environment 
where you don't have to run 
those kinds of projects because 
what you moved to the cloud is 
encrypted. Really, I go back 
again to the far this is when 
you write acquisition proposals,
you have to think about the 
benefit to government of what 
you are requiring. The role of 
the acquisition community is as 
a full and 
equal player in an environment 
with the CIO, with the CFO, with
the secretary. You guys play an 
equal role in enterprise risk 
management. If you think about 
that as your mission, 
not it -- as learning about all 
that [ Indiscernible ]. What can
I do to an 
more innovation? What can I do 
to buydown more obsolete 
technology that is expensive 
to maintain and hard to secure. 
When you think about risk 
management, don't just think 
about the acquisition process, 
think about 
risk management to the 
enterprise, the agency got the 
department that you are part of,
and how using acquisition and 
procurement to get cloud 
services can improve your 
risk-management posture. That is
the right way to think about the
role 
of acquisition, because it is a 
multi-stakeholder support. 
Everyone has the same 
objectives, you can no longer 
put I.T. and business in silos 
or acquisition and I.T. in 
silos. You are all part of 
trying to buydown expensive and 
hard to secure requirements. 
>> How do [ Indiscernible ] 
guidelines play 
a role? 
>> The federal guidelines were 
established with a view to 
making the process of thinking 
about security around cloud 
providers more agile and more 
efficient. The Fed ramp office 
has made a lot 
of changes. The important thing 
to do is to look at the fed ramp
requirements. On one hand it's a
complaints received, on the 
other hand it does it provide 
actual security. I would say get
familiar with the fed ramp 
controls, understand what they 
are trying to achieve from a 
security respective. I have seen
instances where acquisition 
professionals put on 
the contract
hundreds of pages of additional 
security appendices. That isn't 
necessary. I think you have to 
build up a level of knowledge 
and trust about what fed ramp 
rings you from a security 
perspective. Try not to bring a 
bunch of additional requirements
on top of it because that 
basically defeats the 
timed market and benefits of 
cloud. Also, think about if you 
are going to being in anything 
specific, is it going to achieve
[ 
Indiscernible ]. Think that 
through. Just because something 
is located in the United States 
doesn't necessarily mean 
advising more security. 
Advisor security and an old 
version of physical space and 
physical borders, but that is an
outdated view of security. If 
you have a zero trust network, 
like the network that Google 
provides, if you have strong 
encryption, the guidance in many
cases is if you're data is 
encrypted and you lose the data,
you didn't actually have a 
breach. In that situation, ask 
yourself what does location 
specific by me, or do I have a 
out motor view of security where
I 
can increasingly rely on 
encryption or on strong identity
and not just rely on traditional
perimeter views of security. 
>> I'm going to shift gears a 
little bit and talk about 
agencies that are further along 
in their cloud journey. Adam, 
question for you, should 
agencies institute a cloud 
center of agency -- excellent to
focus on things like governance,
standardization, 
ongoing training?
Working 
>> Establishing a cloud center 
of 
excellence, absolutely. I think 
the guidance that I would give 
is that we should start small, 
we should start with an 
application that is far away 
from our data. Something where 
we can iterate quickly and 
really learn what these things 
really mean to consume cloud and
implement [ Indiscernible ]. 
What an ATL 
looks like, what the security 
process really is. I think 
every organization, every 
application, every cloud 
implementation is going to be 
incredibly different. There is a
ton that can be learned by going
to the process, whether you take
eight [ Indiscernible ] type of 
approach or what have you. There
is a variety of ways that you 
can execute, observe, make some 
decisions, and reiterate through
your decision. Yes to all of 
those things. I think the other 
thing that I would think about, 
especially from an acquisition 
perspective is try to buy as 
many large components of this as
you have, as are available in 
the marketplace. If we think 
about the 
Postal Service, they have a 
pretty unique mission. The are 
really responsible for that last
mile of delivery, and they have 
some pretty unique things that 
they do in order to do that. 
They have these really funky but
iconic right hand drive vehicles
that are all over the place 
delivering mail. Those are 
pretty unique at least in the 
North America marketplace. Not a
lot of folks out there are 
buying a vehicle that they can't
take through 
a drive-through. The post office
had a unique requirement, they 
are a government agency, they 
needed something that wasn't 
really available in 
the market place, and they did 
not go into automotive 
manufacturing. I think a lot of 
I.T. organizations within the 
government are in a very similar
state. They have some unique 
requirements, they are 
the government, and they are in 
many ways going into the process
of manufacturing technology. 
Instead, the Postal Service 
found that they could buy this 
in a marketplace. They 
are iconic. We are all aware of 
these right have vehicles in our
society, and they really are the
only ones that are using them. 
Rather than build a 
manufacturing facility for them,
they were able to buy that 
from industry. I think we need 
to be very critical about the 
way we go about these 
acquisitions. We don't need to 
build our own technology over 
and over again. Ultimately, it 
makes a 
lot of sense sometimes for 
single agency to do that. There 
are some very specific 
environmental requirements where
you need to build your own 
technology. What we are seeing 
is in the aggregate across all 
the government, it becomes a bit
of waste. Not in the W, I'm 
going to call somebody an alert 
in IG, but in the hay is a 
really good effort. As we talk 
about dev ops, is about the 
elimination 
of waste.
I would just say, think 
critically about that's, should 
we building technology, or 
should we be buying technology? 
>> On that last point, when you 
are making I.T. investment or 
doing new I.T. part six, you 
need to thoroughly determine 
whether the same capability is 
out there. If it is, you should 
not be out there trying to 
build, own, and operated 
yourself. 
And cloud, cloud is constantly 
evolving. 
Really dramatically. That 
clause inside a 130 is really at
the forefront when you think 
about cloud services versus 
trying to continue to roll your 
own I.T. 
>> On 
that topic, what are your 
thoughts about sharing best 
practices and lessons 
learned. 
>> First of all, what we are 
seeing across 
the engagements that we learn 
lessons from is that the 
agencies that are ahead, are 
actually ahead in about 
four axes.
These four axes is where they 
have gone or taking significant 
steps to increase the 
capabilities, that is where the 
axis maturity is for the various
agencies who are slightly ahead.
Should they share? Yes, but I am
a little hesitant to say that. I
say that because that is a good 
goal, and you can definitely 
leverage lessons learned other 
agencies. However, agency 
missions are very typical, the 
organization is very typical, 
the way they deliver I.T. is 
very typical. Two things are 
very different. Point solutions 
don't 
really carryover. Good ideas 
will always carryover, but not 
point solutions. It has to be 
thought through if there is 
going to be a formal exchange 
mechanism to be set up. How does
this operate? What is the level 
at which it operates, and what 
is the kind of stuff that we do 
share? I think there will be 
some need for that. Agencies 
that are ahead are also ahead 
and acquisition processes. They 
have learned the lessons 
of how and why are the 
intricacies of the cloud? It is 
not just about requiring 
resources, they are ahead in 
terms of how they deliver to the
end-users. We have this great 
new package. We acquired it, and
now how do we deliver to our 
users. Looking at that, 
those mechanisms, certain 
organizations have made 
progress. I have in my mind a 
evolutionary path that I 
personally have seen agencies go
through in terms of delivering 
to 
the user. If we don't make it 
easy for [ 
Indiscernible ] to consume these
resources that we are acquiring,
your adoption rates are going to
suffer. People will do their own
thing. One office will start 
coming up, whatever we have to 
do to deliver the mission will 
happen. Credit card purchases 
get done, lots of other things 
happen. As we make it easier and
we impose the government and 
security policies that the whole
enterprise would require, and 
how we deliver that without 
being a barrier to agility that 
system owners would like to see 
in their teams, that is the 
maturity -- good ideas will 
always transfer. I have 
witnessed and listen to some X 
public servants who are doing 
exactly that. That exchange 
happens at the highest levels as
well as to the operational 
levels. I am not quite sure if 
the question was to set up a 
formal mechanism to do its. 
Informally, it is 
happening. 
>> I'm going to pause real quick
and see if anyone in the 
audience has questions at 
this stage.
>> This is a question for the 
panel, security is a shared 
responsibility. Also, with the 
evolution of 
the cloud, one of the challenges
that we have is as we try to 
bring those solutions to the 
communities, we are faced with a
shared responsibility of 
securing information assets. In 
a cloud platform where you have 
different service providers 
providing 
different capabilities,
do you have 
any suggestions for how that can
be leveraged to help the system 
owners and the administrators 
move faster to get an 
authorization 
to operate? 
>> There were two questions 
rolled up in there. One is 
security strategy which we have 
addressed a little bits. I think
it would be a mistake if you 
moved to the cloud and say look,
I'm going to keep all my old 
security stuff. You are not 
getting the efficiencies and 
effectiveness of capital 
expenditures and technical 
capabilities of the cloud 
providers. In terms of ATO's, 
that is a separate question. Fed
rap and the provisional ATO's 
were meant to speed the issuance
of ATO's by the agencies and 
departments themselves. The 
overall push has been an attempt
to increase 
ATO reciprocity.
When I was still in government, 
and I left 
January 2017, we still had it 
reached the ideal state. You 
still had a lot of 
CIOs saying yeah, I know what is
going on with fed rap, but I'm 
going to redo some of the 
evaluations on my own. 
Similarly, we have had 
meetings with some component 
CIOs at certain departments 
where there is an tension 
between the CIO and some of the 
traditional I.T. staff. At some 
point, you have to trust that 
they are fed ramped and not try 
to ladle 
on it a bunch of additional 
security requirements because 
that makes you comfortable, or 
because it gives you a level of 
visibility that you think you 
need. This, more than anything 
is a culture change then a 
security issue. I do think it is
important for anyone in the 
audience here to increasingly 
understand the capabilities that
the CSP's provide and to build a
into 
your strategies. 
Google, for example, there are 
really robust dashboards and 
visualizations that showed you 
who access your data and when. 
There security capabilities is 
built-in from and to and. 
Basically, I authenticate the 
user, I authenticate the 
machine, and I authenticate the 
purpose every time they 
are accessing a piece of data. 
Options on key management, do we
manage the keys or do you? 
Again, these visualization 
dashboards to give you status at
any moment, who is pinking my 
data? Then, encryption. And many
of these cases, a lot of state 
laws and miss standards, if your
stuff is fully encrypted, when 
you lose it, you do not have a 
breach. Really, if you can focus
on that and not spend all your 
time on what people call 
hygiene, it really dramatically 
and strategically changes your 
security posture. 
>> Any 
other questions? 
>> I have a couple of 
interesting questions 
over here, I would like to hear 
from all of you on the panel, 
really quickly, what are some of
the real-life challenges of 
working in the cloud? Are there 
any brick walls that you expect 
agencies to bump into at a 
certain point in their journey, 
and how they can prepare for 
that? 
>> I think the two that I see 
most frequently our culture 
and cost. Maria mentioned the 
need to turn the lights off when
you're done, or to shut down 
workloads. The traditional 
workloads that we have in our 
data center today are not really
optimize for working in a 
cloud environment. They are not 
well suited. I think you have to
be intentional about how you -- 
whether it's a re-factor or 
adapting that application to 
work in a cloud environment 
where you have to have that 
horizontal capability. The 
standard implementation has 
always been 
in +1. Fork lifting that model 
into a cloud provider is 
incredibly expensive and is 
really not the way that that is 
designed to work. I think that 
is the intersection of cost and 
culture. We have this idea that 
we have more than we are going 
to use. It's really focusing on 
the application and determining 
that horizontal scalability. 
Long term, as I mentioned, once 
you have a workload that you're 
able to scale horizontally and 
decoupled from a specific [ 
Indiscernible ], you have a lot 
of choice about who is going to 
be your cloud provider. If you 
get it for four cents, let's 
have the ability to move our 
workloads. Today,
when you flip on a light switch,
you don't think about where that
power is coming from, whether it
is hydro-or solar or even coal 
or nuclear. When you go and buy 
a television, you don't think 
about where that is coming from.
As an 
I.T. organization, when you go 
to build a piece of 
functionality, you are thinking 
about how that is going to be 
serviced to you. Ideally, we get
to a point where there is no 
longer a something block. 
>> I do want to get to one final
question over here. 
>> Again cost and the huge 
culture change that 
eats up 75% of your I.T. budget.
Cloud is a completely different 
cost model. To have it work 
inside the business, it requires
close 
collaboration between I.T. 
professionals, CFOs office, 
acquisition professionals. This 
is a huge change in how you 
think about budgeting, dollars, 
cost controls, is important for 
acquisition officials to move to
a period where they're looking 
at risk to the enterprise and 
not so much risk of the I.T. 
project. I think some of the 
other barriers, everything goes 
to cloud. The reality is, for a 
long time you will end up being 
a hybrid [ 
Indiscernible ]. To be honest, 
for resilience and performance 
issues, you will want multiple 
cloud vendors. There is a 
maturity level that comes from 
managing a hybrid 
environment. Yes, that is a new 
kind of expertise that needs to 
be developed to manage a cloud 
environment that is optimal for 
you. I do think that [ 
Indiscernible ] dramatically 
increases costs, and 
it dramatically reduces risk to 
the enterprise, but 
that is the place where you need
to invest. The other thing is 
that to take full advantage of 
the cloud environments, you have
to re-factor the applications. 
Sometimes, you need to spend a 
penny to save a nickel. That 
also raises questions with the 
things that are out there to 
help transition people. Those 
are some of the things I think 
that are important. 
>> What is next in the cloud 
evolution cycle? What are some 
new technologies that we should 
be getting excited about? What 
is the future 
hold? 
>> It is eight now code that by 
the time you are done in setting
up your enterprise environments,
the state of the art, as far as 
the vendors are concerned has 
already gone ahead. What is next
for cloud 2.0 
in government? Generally, we see
a certain state of the art 
across agencies. Obviously, the 
question is what next? In my 
mind, operationally speaking, 
cloud 2.0 in government is 
simply a self-aware, 
self-healing, autonomic 
environment with an eye towards 
cost transparency. It has 
certain features, 
self service. We would like our 
end-users to go up to a portal 
and acquire the services they 
need. Automated deployments, 
automated onboarding. We want 
our I service management 
included into 
our platforms. Serverless 
management services. Security as
a service with active defense. 
We want to be proactive with 
their defense. Automated 
governments and policy 
enforcement, we would like that 
to be automated. We want a full 
environment monitoring with a 
machine running in EI-based 
response to those events 
that happened in their 
environment. This is where you 
start putting in more 
intelligence to your environment
itself. These are some of the 
features that I see coming. 
These are some of the 
technologies when we were 
dreaming about this a few years 
back. The base technologies. 
Every one of 
these things is in one form of 
the other available in the 
market, and it is a matter of 
crafting a solution to bring it 
to government. 
>> 30 seconds, Dan, 30 seconds 
Adam. 
>> I think Nick made a really 
good point, and that there is no
and stay in technology. I think 
that as we enter into 
these acquisitions, we have to 
be aware of the changes on the 
horizon. We need to think very 
differently about how the time 
frames and the methods in which 
we are making these 
acquisitions, and the reality is
success will not be defined by 
the technology acquisition that 
we make. It will be defined by 
how well we prepare ourselves 
for the change that is imminent.
>> I think we have to move from 
the idea that the cloud is 
simply move my data center to 
somebody else owning it. That is
not the promise of cloud. The 
promise of cloud is further up 
the value change. For example, 
analytics. It is true that 
inside government enterprises 
there is an enormous amount of 
trapped data about programs, 
about customers, about 
enterprise performance that if 
in my view, unloved properly 
using inexpensive computer power
analytics has 
the ability to to transform how 
government does 
its business. You will not get 
there if you put a glass ceiling
on yourself and say, all he him 
doing is lifting a shifting. The
reality is to get much better 
insight into how to run your 
enterprise, 
your department,
and better serve citizens. That 
to me is the promise of cloud. 
Doing that inexpensively without
having to buy your own services,
manage her own environment. You 
focus on your mission, and you 
focus on doing your mission 
better. 
>> That concludes our session. I
would like to think our panel. 
Inc. you all for coming, and 
have a wonderful rest of the 
afternoon. 
>> [ Applause 
] 
>> Thank you so much. As always,
we can't say 
enough about our audience and 
for bringing the time, the 
attention, and 
the enthusiasm that you have to 
these proceedings. It could be 
done without you. Now, to 
deliver our closing remarks from
the 
cloud, Mr. Jeff [ Indiscernible 
], Senior procurement executive 
with the U.S. General 
services administration. 
>> Good afternoon. Thank you to 
all the planners and all the 
panelists who helped put today 
together and took the time 
to plan, prepare, rehearse a 
really good set 
of sessions. Thank you to the 
GSA [ Indiscernible ] team. A 
special shout to the folks at 
DHS for starting these events. 
For GSA,  reverse industry are 
all about listening because we 
believe several good things come
from these listening sessions. 
In our three previous reverse 
industry days we heard how
an option that we had exercise 
way less then 1% of the time for
leases was viewed as high risk 
by capital markets, thus it 
drove 
the prices significantly higher.
We heard one large government 
contractor tell us that they had
up to 13 levels of review to 
submit a solicitation proposal. 
We also heard how page 
limitations on proposals kept 
their bid and proposal 
costs down. Intern, that keeps 
our costs down. We also heard 
how poorly structured request 
for information kept some 
company 
-- companies hitting for 
requirements. In response, 
GSA  formed some tiger teams to 
address the things that we had 
learned. Today, we started this 
with a session on tips and 
trips. Next, we had a session a 
focus on giving you 
an industry point of view. They 
told you some of the things that
they have seen, and the others 
wrestled with when what it 
really means 
to buy as a service. Next, we 
heard two different case studies
related to cloud adoption. 
Finally, we heard about 
management once you have moved 
to the cloud. Our hope and 
today's event is that you heard 
a new view worth considering 
that you learn from the private 
sector how they dealt with an 
issue which you may also 
encounter and find it 
challenging. We hope you came 
away with thoughts on how you 
can better your move to the 
cloud. 
Perhaps you too will want to 
form a Tiger team to implement 
some of the things coming out of
today's session. On behalf of 
GSA,  Inc. you 
for attending. 
>>
[event concluded]
