right here in my hometown. I'm especially grateful to President Romo and the University of Texas at San Antonio for hosting us to discuss such a critical topic, and one that this university is intimately engaged on. It's important for members to travel across the country and talk face to face with local leaders to get a first-hand glimpse at what's working across the country in places like San Antonio. I thank President Romo and this team for all they have done so far to make this visit informative for the subcommittee. I'm joined today by Representative Robin Kelly from Illinois. Ms. Kelly is a good friend and is the ranking member of the subcommittee. I believe that for oversight to be effective and long-lasting it must be conducted in a bipartisan fashion, and I've been blessed with a ranking member who feels the same. We've been able to work together on cybersecurity, privacy, and IT acquisition on this subcommittee so far this Congress, and I look forward to continuing and building on that work with Ms. Kelly. I'm also personally grateful to call her a friend. I want to recognize the folks from UTSA that are here today in the audience. Thank you so much for your attendance. It's going to be the younger generations that are facing unique challenges but also enjoy unparalleled opportunities in a future that is nearly limitless in possibility. It's fueled by innovation and technology advances and inventions, and some of these we're going to discuss right here today. But I think it's just as important to realize that all of these advances happen because of people like you. You are engaged and open-minded, curious about the world, and understand how to use and build technology to make a difference. Thank you for being here today. I often note that the federal government spends nearly 80% of over $80 billion on legacy systems. $80 billion. That's a big number, and 80% of that is on systems that we think are old and outdated.
Legacy systems are expensive to maintain and often make sensitive information vulnerable to cyber attacks. The Labor Department has a 30-year-old system developed by people who are now all dead. They had to resort to looking for old parts on eBay. The Chief Information Officer of the Office of Personnel Management actually came before our committee and argued that the antiquated COBOL mainframe IT system at OPM was a cybersecurity asset. The Chinese government disagreed. Any of you who have ever worked for the federal government or held a security clearance or have a relative with a security clearance paid the price of such antiquated technology and outdated thinking. We must do better. That brings us here today. In 2010, the federal CIO issued a 25-point plan to improve the management of individual high-risk IT investments to increase transparency and accountability, eliminate duplication, and promote incremental development to mitigate investment risk. This cloud-first policy was instituted in order to reduce spending on IT investments, such as data centers, and realize the benefits of cloud adoption that we will discuss here today, including efficiency, accessibility, scalability, collaboration, innovation, reliability, and security. However, four years later, the federal government has been slow to implement the cloud-first policy. In 2014, the Government Accountability Office found that of the seven major agencies they examined, 2% of their IT budget was spent on cloud in 2014, a 1% increase from 2012. GAO said this relatively small percentage of the agencies' IT budget spent on cloud could be attributed to the fact that agencies collectively have not considered cloud computing services for roughly 67% of their investments, because a large percentage of the spending remains focused on legacy technologies. We need to break out of this paradigm.
We deserve a federal government that harnesses innovative solutions, such as the cloud, to modernize record-keeping, improve critical government functions, maximize security, and be wise stewards of our tax dollars. I hope today's field briefing helps begin the move in that direction. I look forward to hearing from our witnesses on ideas and solutions, on how we get on with modernizing our IT and building a federal government that understands and utilizes cutting-edge technologies, such as the cloud. We chose to hold this briefing here in San Antonio because the city is on the cutting edge of cloud computing and technology innovation as a whole. There's an incredible amount of forward thinking taking place here, whether we're talking about the business community, universities, or some of the federal agencies that exist here in San Antonio. The great ideas we are going to hear about from our panel today should be a model for the federal government. I hope Washington is paying attention, because this is the direction in which we need to be moving, and the subcommittee will hold them accountable. I'm pleased to recognize my colleague, the ranking member of the Subcommittee on Information Technology, Congresswoman Robin Kelly of Illinois, for an opening statement. Thank you, Mr. Chairman, for holding this briefing on the benefits and challenges to the adoption and use of cloud computing. I would like to thank President Romo and the University of Texas at San Antonio for hosting the subcommittee today. It was a pleasure being introduced to the UTSA community and learning about the innovative cybersecurity research and technology development taking place on this beautiful campus. Welcome to our witnesses. I look forward to hearing your perspectives on the potential benefits of cloud computing and the challenges the federal government faces in adopting it for managing information technology resources.
Cloud computing offers an opportunity for the federal government to take advantage of information technologies to reduce cost and increase the efficiency and effectiveness of services provided to citizens. In 2011, the Obama administration published a federal cloud computing strategy that provided information to help agencies modify their IT portfolios to take full advantage of the benefits and realize the value of cloud computing. We are all aware of the importance of information security in light of the recent data breaches in both the public and private sector. Therefore, it is critical that agencies have the ability to assess the security of new technologies. In fiscal year 2014, the Federal Risk and Authorization Management Program, FedRAMP, became operational, implementing a number of security controls to create a more transparent security environment between cloud providers and consumers. FedRAMP is intended to help ensure that cloud computing solutions have adequate security controls to improve confidence and encourage trust in the cloud computing environment. However, challenges remain to the adoption and use of cloud computing solutions in the federal government. Today's hearing intends to explore the private sector's perspective on the state of the federal government's transition to cloud. I also hope that the witnesses can offer some insight on the private sector's approach that can be applied to the federal government so that the benefits of cloud computing are realized as quickly as possible. The administration established a policy to move agencies toward cloud computing services. The Subcommittee on Information Technology can provide effective oversight to ensure that agencies are transitioning to the cloud and leveraging information technologies to operate more efficiently and effectively. I look forward to today's hearing. Thank you, Mr. Chairman, and I yield back. The gentlewoman yields back. And again, I appreciate your visit to the Alamo City.
I know you're not a stranger here, but it's always good to have you. I'd like to now recognize our panelists for today's briefing. I'm pleased to welcome UTSA's own Dr. Malia Agrawal, the Vice President of Research for UTSA. Mr. Mark Nettinger, Director of the Federal Network Resilience Division in the Office of Cybersecurity and Communications at the U.S. Department of Homeland Security. Mr. John Engates, CTO, Chief Technology Officer, at Rackspace. Mr. Mark Ryland, Director of Solutions Architecture and Chief Architect at Amazon Web Services. Thanks for coming. And Mr. Alan Boise, Product Line Manager at VMware vCloud Government Service. Thanks for being here. I want to welcome all of you here today, and I look forward to a robust discussion today. In order to allow ample time for discussion, I'd like y'all to limit your opening testimony to five minutes. Dr. Agrawal, you're recognized for five minutes. Chairman Hurd, Ranking Member Kelly, thank you for the opportunity to come and discuss the State of the Cloud. Malia Agrawal, as was said, the Vice President for Research here at the University of Texas at San Antonio, UTSA. Just a quick overview of UTSA to provide context. We are a very young but rapidly growing institution with an enrollment of almost 29,000. We are a minority-serving institution, with about 58% of our student enrollment coming from minority and underrepresented groups. In 2014, UTSA was named number one for cybersecurity education, according to a survey of several thousand working professionals conducted by Hewlett Packard. We are also a National Center of Academic Excellence in Information Assurance and Cyber Defense, as designated by the National Security Agency and the Department of Homeland Security. This past February, UTSA announced the creation of the Open Cloud Institute, OCI, an initiative to develop certificate programs, spur research in cloud computing, and foster collaboration with industry.
The OCI was founded with over $9 million in donations from industry leaders such as Rackspace, AMD, and Intel. The OCI cloud is the largest cloud in academia with an open architecture. Now, regarding the state of the cloud, advancements in cloud computing are making it a technology of choice for industry, academia, private citizens, and hopefully the federal government. Cloud technology is truly a productivity enabler and a market disruptor. In fact, the cloud revolution that is taking place right now is perhaps just as significant as the PC revolution that took place in the 1980s and disrupted the big frame computer era. As far as the future is concerned, a future can be envisioned when the cloud will make computational power and data storage power available to everyone with minimal cost and effort, just like water and electricity. This would be an enormous advantage for countries at the forefront of this technological change, because in the information age, knowledge is power. And as with any evolving technology, dominant future directions still have to be determined or established for cloud computing. For example, would most cloud environments operate independently in silos? Will there be a federation of clouds? Would the cloud reside in large centralized data centers? Or would it be more optimal to have micro grids of smaller container-sized units? As more edge devices such as phones, tablets, and laptops interact with the cloud, it is possible that the cloud may use some of the computational power of these devices themselves. In such a scenario, the boundaries of the cloud will get fuzzy, and we may see the evolution of the cloud of things, just as we talk about the internet of things. Clearly there is a need for much more cloud research, especially in the areas of hardware optimization, software platforms, and targeted applications.
For example, there's a need to optimize the cloud for high performance computing, which is still mostly conducted on supercomputers whose availability is limited to a few people. There will be an impact on businesses as cloud technology evolves and becomes more widely accepted. Data as a service or business intelligence services will emerge. This is the realm of big data. As more companies build cloud-based systems that capture corporate operational data, the inherent information therein is increasingly ripe for value mining. The areas of cybersecurity, cloud, high performance computing, and data analytics are intertwined and should not be considered separately. Also, we should anticipate a sharp rise in cloud verticalization; movement to vertical applications such as in health care and government will become more common. It is likely that the cloud providers are going to take the necessary steps to receive appropriate industry certifications and create more platforms designed to align to Sarbanes-Oxley, FDA, HIPAA requirements, etc. The accelerated adoption of the cloud may lead to a workforce shortage and a talent war. Finding cloud application developers will become an issue for companies hiring in 2015 and beyond. A new initiative by UTSA in collaboration with Intel and Rackspace to train developers could serve as a national model. As a result of the concentration of data and computing resources and the back-and-forth transport of information, the security and resiliency of cloud infrastructures continue to be a necessary and critical area of concern. The cybersecurity threat is very real, as can be seen from the recent security breaches at Target, Home Depot, Blue Cross Blue Shield, Anthem, JPMorgan, Army National Guard, and the U.S. Office of Personnel Management. As more federal agencies migrate their operations to the cloud, this becomes a very serious national security issue.
In closing, I would recommend that we take a targeted approach to accelerate the adoption of the cloud. And there's also a need to establish a national entity where the federal government, industry, and academia can collaborate and focus on cybersecurity and the cloud. This could be in the form of a university affiliated research center, or UARC, which we would like to see at UTSA. UTSA holds the number one ranking in cybersecurity education and is already doing significant work with the Department of Homeland Security for developing cybersecurity standards. Just two weeks ago, we received an $11 million grant from DHS. Along with several other cybersecurity centers and institutes, UTSA also houses the Open Cloud Institute in partnership with industry. Moreover, San Antonio is the home to the 24th and 25th Air Forces, two cyber wings, space wings, and the National Security Agency. And thus, it would be the logical location for such an entity. Thank you for your time. We'll be happy to answer questions. Dr. Agrawal, I appreciate you being here today. Mr. Nettinger, you're recognized for five minutes. Chairman Hurd, Ranking Member Kelly, and the members of the committee, I really do thank you for the opportunity to be able to appear before you and be able to talk about the state of the cloud. In 2010 and then in 2012, the federal government, through the administration's initiatives of cloud-first and share-first, began to harvest the efficiencies of the cloud at that time. The focus of the activity was in migration of commodity IT to the cloud, such as email, website management, and collaboration tools. This level of activity seems to be predominant still today, versus taking advantage of the cloud for mission IT applications, critical applications. Through these early ventures in the cloud, many lessons have been learned by the agencies.
In 2012, a report co-authored by the CIO Council and the Chief Acquisition Officers highlighted these lessons, as well as documenting the significant paradigm shift which agencies need to deal with, specifically in how agencies dealt with the acquisition of IT services and the deployment of IT, and the associated impact during that migration to the cloud of losing control of the assets and security monitoring of their assets within the cloud. Through these observations, a renewed focus was placed on contracting guidance and security baseline considerations when engaging with cloud service providers, including the need to clearly delineate roles and responsibilities between agencies and cloud service providers, data governance and data security controls, liability management in the event of a security breach, availability and accessibility of data in case of disaster, and restrictions on data access, among others. In 2011, the Federal Risk and Authorization Management Program, FedRAMP, was established. FedRAMP's mission is to provide a unified way to secure cloud computing services through use of a standardized baseline set of security controls for authorizing cloud systems. Even with the support from organizations such as FedRAMP, adoption of cloud computing by federal agencies still resides often with the migration of commodity IT. Agencies have the responsibility to ensure due diligence in securing agency assets migrated to the cloud. There continues to be a lack of consensus by the agencies with their cloud service providers as to how to effectively measure, monitor, and evaluate security of the cloud environment. This is compounded further, especially as agencies move or consider moving from an infrastructure-as-a-service use of the cloud to more of a SaaS, or software-as-a-service, environment, given the decreased control of the environment in which their assets are maintained.
In 2015, many agencies are still using cloud computing similar to 2010. Two activities that DHS is currently engaged in to be able to promote the expansion of the cloud are the work that DHS is currently doing with FedRAMP, the CIO Council, and agencies in promoting the use of increased security controls to establish a baseline for high confidentiality, high integrity, high availability cloud environments, a high, high, high environment, in support of provisioning CDM as a service to agencies through this high, high, high cloud environment, as well as being able to offer that to other agencies so they can use that as they're considering the migration of their critical mission applications. DHS is also working in conjunction with the CIO Council and other agencies to begin taking a look at patterns of current legacy applications, to be able to identify where there may be components of those applications that could be established and placed into the cloud so that the legacy applications then can be connected, reducing duplication of effort as you replatform or re-architect the critical applications. With a renewed effort of this type, in conjunction with effective contracting controls to ensure clarity of roles and responsibilities, visibility into risk management, and asset access, it is believed agencies may be more inclined to expand their use of the cloud and maximize the benefits to the federal government. With that I'll close and wait for questions. Thank you, sir. Mr. Engates, you're recognized for five minutes. Mr. Chairman and Congresswoman Kelly, members of the committee, thank you for inviting me here today. My name is John Engates. I'm a native of San Antonio and a proud graduate of UTSA. I'm also the chief technology officer at Rackspace, a cloud computing company based here in San Antonio. We operate cloud data centers on four continents, and we serve more than 300,000 business customers, including two-thirds of the Fortune 100.
Rackspace leads in the managed cloud segment of our industry. We help business customers tap the power of cloud computing without the pain and expense of running it all themselves. We provide expertise that the businesses don't have on staff or can't or don't want to hire. We distinguish ourselves through what we call fanatical support, with engineers available for our customers 24 by 7. We at Rackspace want to also help the federal government improve the performance of their IT operations. I was honored, for example, to be invited to the White House to advise on ways that they can fix the broken website that was preventing Americans from signing up for health insurance under the Affordable Care Act. And I'm especially honored to talk to you today about the state of the cloud. I think you've chosen an excellent venue here at UTSA, which we at Rackspace are proud to have helped to become a national leader in cloud computing and cybersecurity through our sponsorship of the Open Cloud Institute that Molly spoke of. The timing of your hearing is also excellent, given the rising cost of federal IT and the growing number of performance and security issues with old school systems. Cloud providers like Rackspace can, I believe, help the federal government achieve greater cost efficiencies, better constituent services, and better security. Let me start by briefly describing what I mean by cloud computing. I think that term, we throw it around and sometimes we don't completely understand it. The term comes from a diagram that network engineers used to draw on a whiteboard to describe the internet. So you can think of cloud as simply the use of computing and storage as a service via the internet. You don't have to own or buy any of the hardware or the software. You literally just access computing power via the internet and pay for what you use, in much the same way that you consume electricity or other utility services.
Back in the late 1800s, businesses and government first started using electricity. Most of them built and operated their own power plants, just like we historically built our own IT services. But as that electric grid evolved and developed, with greater economies of scale, new companies started to immediately take advantage of the grid instead of generating their own power. Older companies and agencies with their own legacy power plants continued to gradually do that over time, but really, focusing on their core business rather than generating electricity was the right move. Now, cloud computing today is like those early stages of the electric grid. Almost every new company that I encounter starts on the cloud. We call it born in the cloud, rather than purchasing their own servers or building their own data centers. Established companies, bigger organizations, are rapidly moving out of their own data centers and into the cloud. Industry analysts at the IDC firm report that spending on cloud computing hit $64 billion last year, and it will double by 2018. But the US government is still figuratively running its own power plants instead of just buying capacity from the cloud. And as a result, it's falling behind in three main ways. First, cost efficiency. The typical computer server in an old school data center run by a company or agency is in use just 15% of the time, according to NIST, the National Institute of Standards and Technology. Servers at Rackspace are in use more than 40% of the time. That's because individual companies can't pool those resources. They have to buy and run the servers that they need to deal with their peak demands, whereas in a cloud computing model, you can pool that capacity and really share that work across many, many companies.
Think of examples like year-end holiday retailers, the ramp-up that they need for Christmas and the holidays, or even the IRS when they ramp up to do your taxes. By contrast, those who use the cloud can get access to that extra computing at peak times and then cut back the rest of the time. Now let's consider other performance and constituent service aspects. If a company or agency runs its own data center, it's missing out not only on economies of scale, but also on the value of economies of expertise. Computing is increasingly complex and fast changing; every few months we see powerful new applications and advances that allow for new data insights and efficiencies. We're trying to take advantage of that technology early and get ahead of that for our customers. And then finally, let's consider security, which is often viewed as a vulnerability of the cloud. In fact, enhanced security is one of the cloud's greatest advantages. The reason, again, is those economies of scale and economies of expertise. Cloud users benefit from shared security services and appliances, ones that can block large-scale distributed denial of service attacks and security attacks as well. These devices cost millions of dollars, and they're typically unaffordable for individual agencies or companies, but can be shared and leveraged at scale in the cloud. Major cloud providers like Rackspace serve hundreds or thousands of businesses all over the world. And as we say in Texas, we see a lot of rodeos. We see every type of security attack you can imagine. And we develop a pattern recognition that I think cloud can adapt and allow for companies and agencies to take advantage of as well. It's really very difficult for many companies or any agency to duplicate those economies of expertise like we're doing in the cloud. Typically, I think people assume they're going to get better security in their own data center because they control it. But oftentimes, that's a fallacy.
Just like safety in an automobile is perceived as better than safety in an airplane, when in fact the airplane typically has the better track record for safety, I think those same kinds of things apply in the cloud. So let me just close by saying we at Rackspace stand ready to work with you to help address these issues and help the U.S. government benefit from computing innovations that are driving the next great industrial revolution. I'm glad to answer any questions you may have now or later. And thank you for the honor to testify to this committee. Thank you, Mr. Engates. Mr. Ryland, you're recognized for five minutes. Good afternoon, Chairman Hurd and Ranking Member Kelly. My name is Mark Ryland. I'm a senior technologist for Amazon Web Services on the public sector team. Thank you for inviting us here to participate. We really, really appreciate that opportunity. As of today, AWS has more than a million active customers in 190 countries. And that includes more than 1700 government agencies using our cloud. It's a very diverse customer base. It ranges from some of the most successful startups like Pinterest and Airbnb to large enterprises in all imaginable vertical segments, including banking and so forth. And of course, agencies of the US federal government who are utilizing the cloud very effectively. And also the US intelligence community, which has a cloud that's built and operated by AWS. Previously, organizations had only two options for acquiring IT capabilities. They would either make massive capital and labor investments to build their own infrastructure, or they would enter into long-term contracts with vendors for a fixed amount of capacity that they might or might not use. With the utility-based model of computing in the cloud, by contrast, the cost is directly related to consumption.
If a government program, for example, is funded for one year and then not refunded the next, or a pilot project or test program does not achieve its expected results, federal agencies no longer need to be tied to large IT expenditures that cost millions of dollars. If a project does fail, agencies can adjust immediately to contain costs. But in fact, cloud-based projects are far less likely to fail at all, because the utility computing model allows for small-scale inexpensive experiments followed by rapid readjustment in advance of any very large investments. The result is a better return on investment while avoiding cost overruns and high-profile failures. That's how businesses operate more and more today, and that's what AWS and other cloud vendors are empowering federal agencies to do as well. As our chairman has reminded us several times, the U.S. federal government spends more than 80 billion annually for IT purposes, and over 70% of that is spent on legacy systems. That's a lot of money, more than half a trillion dollars over the last decade. That money could have been spent on new or rebuilt applications to tackle pressing challenges in areas such as public health and education. In our IT budget environment today, it's just no longer acceptable to spend that much on legacy systems. And I'm delighted to be here representing, with my panelists, an industry that provides a compelling new alternative to these expensive traditional IT models. And this alternative makes strong economic sense. At AWS, for example, we've lowered our prices 49 times over the past seven years. And as a result, our government customers have realized major savings automatically.
Our experience in working with U.S. federal agencies has confirmed that there continue to be some challenges for our customers in implementing commercial cloud services, including, for example, the need to overcome cultural barriers, particularly the bias towards on-premise data centers and the measurement of success in terms of how much equipment you own or how big your budgets are, which is not a good measure of success. Also, agencies sometimes have to address procurement challenges because the adjustment to utility-based pricing is different from their traditional way of acquiring. And also, agencies need to clearly understand the somewhat different security and compliance requirements and how the cloud enables them to address those. But despite these ongoing challenges, we are seeing adoption of AWS increasing significantly across the federal government. I have highlighted several examples in my written testimony, such as the SEC Midas program, the revamped healthcare.gov website, which runs on AWS, our ongoing work at InNASA, and several more. There are many more examples that we would be happy to discuss with members and staff if the subcommittee needs additional data on government usage today. Turning to security, in the early days, as my colleague Mr. Engates mentioned, there was sort of this concern about the cloud. It's new. It's got different models of abstraction and so forth. And what's happening now, though, is there's a growing recognition that the cloud and its accompanying automation and agility provide the opportunity to actually enhance system security. For federal government customers, a critical element of progress in this area has been our commitment to meeting and exceeding government compliance standards. For example, the FedRAMP program that's been mentioned here several times.
It's a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring, and it's been really critical for the expansion of federal cloud computing and its success. But securing the cloud is more than just meeting compliance requirements. Roger Baker, a former CIO of the Department of Veterans Affairs, recently wrote an op-ed piece in January of this year. He identified six specific reasons why, in his opinion, commercial clouds provide a better basis for secure systems than existing federal data centers. All of that is listed in our written testimony. We believe that the evidence fully supports the arguments made by Mr. Baker and many others that security should no longer be seen as a barrier to cloud adoption, but actually an argument in favor of it. Finally, on some policy matters, Congress has already played a major role in enacting initial IT reforms that are necessary for expanding cloud computing adoption across the federal government. Implementation of FITARA, for example, continues to be important for ensuring that the procurement and acquisition reforms that are needed for IT transformation proceed as the technologies evolve. FedRAMP can also be improved. For example, the existing Joint Authorization Board process should be streamlined to provide more timely authorizations and reduce duplication of effort across the FedRAMP program management office and the third party assessment organizations. FedRAMP should also re-emphasize the role of individual federal agencies in conducting their own security assessments for cloud service providers, or CSPs. In addition, Congress should also mandate that CSPs be required to have a completed security assessment under FedRAMP prior to consideration for use by agencies.
On the funding side, federal agencies should be given more flexibility to either use existing working capital funds or to establish new ones so that the adoption of cutting-edge technologies such as cloud computing services can occur. The old way of doing IT worked well under a capital expenditure or CAPEX model but the new way of procuring IT really does not. In sum, given today's budget climate, recent major security breaches of federal government systems and many of the other issues we've talked about today, now is the time to aggressively expand cloud computing adoption. Thank you for holding this hearing today and for inviting us at AWS to participate. I look forward to taking your questions. Thank you, Mr. Ryland. Mr. Boise, you're recognized for five minutes. Thank you very much. Thank you, Chairman Hurd, ranking member Kelly, other members of the subcommittee. Thank you for the opportunity to testify today at this important field hearing. I'm Alan Boise. I'm the head of VMware's government service, the FedRAMP-authorized cloud offering. To date, there have been a number of challenges that keep government agencies from embracing and implementing cloud adoption. First, meeting federal security requirements. Cloud service vendors may not be familiar with security requirements that are unique to government agencies. Conversely, agencies' understanding of the shifting guidance and regulatory controls regarding cloud can represent a moving target for all departmental components of government agencies. Secondly, acquiring knowledge and expertise. Agencies might not necessarily have the necessary tools, resources, or expertise to understand what can move to the cloud, but sometimes more importantly what should not or cannot move to the cloud. Additionally, it cannot be solely an IT initiative. It needs to include the privacy elements, contracts, security, legal, procurement, executive leadership, as well as IT. 
The third challenge, incompatible infrastructures and interoperability with existing agency ecosystems. Many cloud providers require technology that is inconsistent with current and legacy government infrastructures. Lastly, a major challenge is IT and financial barriers to change, as we mentioned before. Due to long-standing processes, frameworks, and tools, many IT staff are culturally resistant to change due to unfamiliarity with many of the cloud service offerings out there today. Additionally, contracting officers have a very difficult time reconciling purchasing, procurement, and ensuring cost containment, owing to the fact that the cloud service utility consumption model runs counter to existing contract requirements. VMware believes there are several best practices that the government should consider when transitioning to the cloud. First, assess what applications and workloads should move. When federal agencies are first considering a move to the cloud, the first step should be a complete assessment of their current application landscape from both an operational and a complete budget understanding. What are my true costs to run my mission workloads? Above all else, the migration to the cloud should be a business decision rather than an IT decision. If the move to the cloud cannot demonstrate clear and definitive cost efficiencies, agencies cannot claim success. Second, cloud service providers today have to support diversity and understand how to develop offerings that agencies can easily assimilate into their existing architectures and budgets. Completely proprietary solutions limit flexibility and increase cost and schedule challenges for the agency. Thirdly, in my written statement, I reference the four types of cloud models established by NIST. I'd like to talk about why hybrid clouds make sense for the federal agencies. 
A hybrid cloud is the deployment of a common set of application tools and services across multiple clouds that enable data and application portability. Leveraging existing investment in a hybrid cloud minimizes a lot of the soft costs that do not immediately appear on budget calculations for cloud migrations, but they can often include budget overruns when we're talking re-engineering efforts, additional license procurement and duplicative software purchases. Often these are the costs that can derail migration efforts because an agency is over budget before they've finished their cloud migration implementation. In some cases, the capability and technology has outpaced the means to consume these cloud services in such a way to adapt and adopt to the various cloud service models. Instead of streamlining IT service delivery, agencies are faced with adding complexity, cost and confusion to their environments. Empowering the agencies to maximize their existing capabilities represents the clearest path for success in cloud migrations. In the end, I believe agency cloud strategy will be comprised of a multi-cloud solution, one that can effectively incorporate the very strengths of each of the delivery models, utilizing a phased approach to minimize risk and exposure. Hybrid cloud is by design the extension of the traditional data center, onsite data center resources, to the public cloud. This environment requires a consistent security model, seamless access to data and unified management that allows agencies to extend the same staff skill sets, processes, and workflows established in their own data centers to the cloud on demand. This also represents a shift from owning IT infrastructure to purchasing utility services. This model is the foundation for cost savings in cloud migration. In response to recent cybersecurity incidents, trusted security in the cloud is achieved through the partnership of shared responsibilities between the cloud service provider and the agency. 
The provider takes on the responsibility of securing the cloud service. Agencies continue to own and operate and are responsible for the security and compliance of the workloads. Understanding the current governance and how cloud services integrate into existing ecosystems is the key to maximize existing resources and increase cost efficiencies. In summary, agencies should look to incrementally extend their data center in a way that builds out scalable and resizable capacity in a consistent, compatible, and transparent way. Success in migrations to the cloud is based on the ability of an agency to maximize and leverage its current IT investments and environment and minimize the risks associated with transformation of their systems from a security, financial, and operational standpoint. Whether an agency builds out a private cloud or moves directly to public cloud, it should be able to run any application workload on any operating system anywhere it best serves its needs. VMware sincerely appreciates the opportunity to share our thoughts and best practices on this very important matter. We applaud the leadership and vision of the chairman and ranking member for holding this field hearing. I look forward to answering any questions the subcommittee might have and I ask that my formal statement be submitted for the record. So ordered. Thank you. And I'd like to recognize myself for five minutes. Mr. Ryland, you talked about how some of the intelligence agencies are using your tools. And the intelligence agencies traditionally have the highest concern when it comes to security. If the intelligence agencies can do this, why can't other elements of the federal agencies? Well, I think the intelligence community recognized the value of this highly automated, highly agile environment. Things like advanced persistent threats don't exist in an environment that's constantly being updated to the latest levels of software releases and so forth. 
And I think they had a great vision to take advantage of that and also the cost savings and all the agility that goes with it. I definitely think that the reasoning behind that decision is very applicable to the civilian agencies and the DOD as well. So I would encourage people to really look hard at that solution and think about whether there would be any willingness amongst that community to make any type of compromises when it came to security, and once you recognize that's not going to happen then it helps assure people that the commercial cloud services run by the key, the core providers with this tremendous capability are running very, very large scale infrastructure in a highly secure way. That's something that every agency can take advantage of. Mr. Nettinger, is the issue a cultural issue with some of these agencies that are slow to adopt the cloud? We hear the concern about security, but as the three gentlemen to your left have articulated, this can be solved. What should it take? Yeah, actually I do agree with a number of the points that were raised. From a cultural perspective, yes, cultural from two aspects. One from IT as well as one from the business side. Because basically from the cultural perspective it's a perspective of wanting to know where their systems are. Now the early migration from the focus of IT commodity was a little bit easier to move off. But from the application side the ownership is still a concern. So it is a cultural perspective. Part of that I think is also driven by the ability to have the degree of awareness as to the level of security that's provided at the cloud level and the visibility that the agency would have to ensure that they're meeting their responsibility for securing their assets. And that goes back to a partnership point that I think was raised. If you have the true partnership between the provider and the agency you start building that additional trust. 
And that's where I think with the changes or the direction and the guidance that are being given to agencies from a contracting aspect to ensure that that type of clear delineation of roles and responsibilities is identified, as well as understanding as to how they have access to their assets and have an understanding of security, I think that's going to improve. But one of the underlying issues is that in 2010 when Cloud First was put forward, and then with Shared First running closely after that, there was a lot of activity with a lot of assumptions that the cloud providers were going to provide X, Y, and Z and that their responsibility would be lessened. That's not the case, so there's some lessons learned that are still sort of sticking with the agencies. So it is a cultural piece and it's also the contractual aspect. But I think we can get over that as we deal with that stronger partnership. Thank you. Mr. Boise, you talked about one of the first steps that needs to happen is that these agencies need to do an assessment of their own infrastructure and how much is it costing? What are they doing? Do you see many that are capable of being able to do that basic assessment? I do. And I think that I've been encouraged by a lot of the efforts, as was mentioned by one of my colleagues, that it's the pilots or the proof of concepts that are basically getting their feet wet in the cloud. I think improving small successes in the beginning, but part of that comes from getting a very clear understanding of exactly how much is it costing me to run this workload. And I'm not just talking about how much the servers cost, I'm not just talking about what are the data center costs? What are the skill sets? You know, what are the licenses I'm paying for this? It's that sort of knowledge and understanding in the very beginning that gets you the starting point that you need to be able to show that proof going forward. 
And doing that assessment of not just an inventory of these are my applications that I have, but going through the process using the government's own guidance under FIPS to be able to correctly classify how these applications should be assessed. Taking some of these workloads and making assumptions that they might be a high assessment when they're really only low, the safeguards and controls to protect that data are a lot more costly to do on the high side. And if you're not putting the right data in there you're really not spending your money wisely. So I think it's also understanding exactly what the application looks like, because just having the mindset of doing a lift and shift, you're really in some cases, as was mentioned before, the infrastructure might only be doing 15% of the work at any given time. Just lifting and shifting that is just transferring that same inefficiency into the cloud and that's why it's very important to understand which applications can take advantage of the elasticity and scalability of the cloud and which ones are just transferring that inefficiency and henceforth cost into just another platform. Excellent, thank you. I'd like to now recognize Representative Kelly for five minutes. Thank you, Mr. Chairman. Thank you to our witnesses again. To our private sector witnesses, information security is obviously a significant issue in the public and private sector. How would a move to the cloud increase our security posture and reduce the risk of cyber incidents? Would it be a dramatic difference or does it just depend on the entity that would move to the cloud? And I know we just talked about maybe it's the culture of an agency, but is it that change is hard? We don't have the resources, or do the agencies just not understand what a significant difference it would make? I'll try to answer that question. 
I believe that agencies could take immediate advantage of some of the scale efficiencies of a cloud provider when it comes to security. I mentioned in my testimony that cloud providers typically operate at a scale that's much larger both in terms of physical resources like the servers and the data centers but also the people that are there to manage, monitor and maintain those systems, both from a system administration and a daily kind of care and feeding of those servers standpoint but also from a security oversight standpoint. Having people who see every manner of attack every day, constantly have to counter those attacks, have to adapt to the rapidly adapting threats that are out there in the market. That teaches you a lot of lessons. You learn those lessons and you apply those to other organizations that are under your care. And I think oftentimes in the federal government you probably have sort of a siloed piecemeal approach to who manages IT, how they manage IT. They each have sort of a different perspective on it, maybe a different level of sophistication on how they manage it. And I think what you immediately gain by working with any one of the cloud providers here and a number of other companies out there in the market is the level of sophistication that they've had to grow into and maintain to continue to operate on the internet today. To be a player in the cloud you really, literally have to defend against some of the most sophisticated attacks on the planet on a regular basis. And so you get very good at it. And I think those are benefits that could be immediately gained by the use of cloud computing. Yeah, if I could just sort of build on that a little bit. You know, with the cybersecurity sprint that was recently completed by Tony Scott, there's a major emphasis in regards to identifying what are those applications that we should consider as high-value assets. And it goes beyond, in essence, the FIPS standards and things of that nature. 
The next push that I think Tony Scott's been talking about at this juncture is, okay, then what do we need to do in that migration and starting to move some of those legacy systems to the cloud? Awareness in getting the agencies, the CIOs and CISOs, comfortable that the security that will be there is visible to them and that they are comfortable as to that level of security. One of the programs, CDM, Continuous Diagnostics and Mitigation, I think is gonna be a way of being able to highlight that capability. Because with that program, as I mentioned in the introduction, we're working very close with FedRAMP to establish a high, high, high environment. Well, as part of that program, 42 agencies are gonna be brought in to a single cloud arena with Continuous Diagnostics and Mitigation capabilities to track and to take a look at those vulnerabilities. Establishing that, I think, will go a long way to agencies saying, okay, we can do this within this environment. And basically, to be able to take advantage and demonstrate the advantage of bringing these 42 agencies together, which have extremely limited resources, to take advantage of the cloud. So we're making gains along that line, but it is a cultural shift, it's an awareness shift, but it's also, I would say, a trust shift from a contractor perspective because there have been a number of contracts that did not go well and agencies are remembering those. I'd love to jump in and give a view on that as well. I'll give you some reasons why we're bold enough to make the claim that we really think cloud can help security. Number one, as was mentioned earlier, shared responsibility, it's true, absolutely the cloud is not a panacea, you still have to build and run secure systems using a cloud platform. But the advantage is that you greatly reduce the surface area of concerns that your security professionals need to focus on. So they now have maybe half the problems that they used to worry about. 
Now they worry about that reduced amount and their focus and hopefully their execution on that can be that much better because the number of things they need to be concerned about can be reduced. Another very, second point, very simple example, when you look at some of the top 20 controls lists from the cybersecurity world, usually the very first or second set of controls, sometimes the top three, are inventory. What do you have? If you don't know what you have, you cannot secure it. And this is an ongoing problem in a lot of traditional environments, that there are big data centers who have lots of equipment and incomplete configuration management systems, and you don't really know what's out there and you don't really know whether some developer, to solve some problem on the weekend, cross-connected a couple networks to get a quick and dirty thing done and then they forgot to un-patch. And so there's all this kind of stuff out there that's very difficult to get your arms around when you're a security professional. In a cloud environment, these are automated API-driven environments and inventory is absolutely 100% accurate because we're billing you for each of these resources on a daily or monthly basis that you have, and our API calls will enumerate exactly what you have in the environment, and it's dynamic and accurate at all times. So those are a couple of good examples. Another thing to think about is not just the cloud transition that's going on, it's also a change in IT practices towards this more dynamic model of agile software development, DevOps, creation of applications through DevOps techniques. I really encourage everyone to Google Mark Schwartz, CIO of the Department of Homeland Security's Citizenship and Immigration Services. 
He's really doing very cutting edge work at CIS and talking about what they're doing, and talking about doing deployments and updates of applications two and three and four times a day, passing a suite of compliance tests, a suite of conformance tests, all as part of an automated developer and operations pipeline in which they're continuously deploying new code to the cloud, and their compliance and security officials are now deeply integrated into their development processes instead of being like a separate StoPy team that comes along once in a while and checks up on things. Very powerful what he's been able to do there, and really he's just adapting modern commercial practices and showing that actually the government can build even better systems using these agile and DevOps types of models. And the fourth thing I'll say is to reference our written testimony, where I think this article by Roger Baker is really powerful. He actually lists six reasons why, in his view as a former CIO in a major federal agency, commercial cloud providers just systemically have some advantages in actually running more secure systems. It's their laser focus. I could read the six, but I won't take the time to do that. But I think his arguments you will find quite persuasive, and I really encourage people to look for that. Oh, I yield back my time. I'm recognizing myself for five minutes, and Mr. Engates, this question is to you. If you look across all the federal agencies, a lot of them are doing some of the exact same processes. You get information, you check it against something, you move it from point A to point B and then you spit something out at the end. And I'd probably say that most of the 24 CFO agencies have some kind of process there. Why don't we have shared, can we have shared services that are hosted in the cloud in order to do that type of thing, and how can we get there? Yeah, I think that's absolutely true. 
I mean, every agency processes transactions or data or does some sort of activity on those computers, and they all have their own silos of data and they all have systems that are sometimes using the very same software to do that data processing. It could be a database package from a commercially available data company, could be a software product. In many cases, that's how IT has been built over the last 20, 25 years: buy a package of software and install it on your servers and run your IT. One of the other trends of cloud computing is software as a service. We hear different flavors of cloud computing mentioned during the discussions, but one of them is software as a service or SaaS. Software as a service centralizes applications into a service provider data center and then allows multiple individuals, companies or agencies to tap into that application as a service. They can pay for it by the user or by the seat or however the license model works. It allows for the data to be centralized, and so data tends to, what we call, have gravity. It's hard to move data very quickly, but once you get it into a cloud data center or a SaaS provider, other integrations can happen against that data very simply. The APIs are points of integration that developers can use to tap into that data. They can link the applications together. They can rely on that data to be a sort of single source of the truth because it's in one place and all in one location, and many times those systems are infinitely more reliable because those companies that have built them are relying on those for their very livelihood. Those systems have to be built to a level of security and reliability that these companies can live with because they're going to go out of business very quickly if they don't, and that isn't always the case with the siloed deployments that we have today. 
So I think there's some real advantages to looking at software as a service in the cloud as a means to get some of that data centralized and accessible to more agencies. Excellent, thank you. And Dr. Agamal, this question is to you. When you look at some of the recent high profile hacks, a lot of them have been through a third party provider and sometimes it's medium to small sized businesses. You talk about this National Institute that we need. What should we be doing to help protect the medium and small businesses? I think the small and medium sized businesses are perhaps the weakest link in the supply chain because everything is connected together now. So you can protect the top companies, but if they then interact with another small and medium sized company then we have a problem. Unfortunately, there is no system out there right now to assess where these companies stand. No certification system, and that's something that perhaps through NIST or Commerce we should be working on so that we have some kind of a national standard where companies can come and get assessed and say, well, I'm level orange, I'm at level green, and as they go and work with bigger companies they can provide those certifications. So I think unless we shore that up, it's gonna be a problem because there will always be a weak link. Now in terms of the security, the cloud revolution, it's a little unusual because it's coming out mostly from industry. It's not led by academia or government, which is usually how some of these other revolutions took place. So all the security is a concern, but I would trust the cloud providers with the best security there is today because it's like if you need a surgeon you'd like to go to somebody who's done it a thousand times before, and they have done it more than anybody else. So although we keep focusing on security, and it should always be part of the cloud architecture, it should not be a bolt-on later on. They mostly have the best security there is. 
Now just one more point in terms of culture change that we talked about. If you concentrate, or the federal agencies concentrate, on just replicating what they already have by putting it on the cloud and trying to see if they save money, that's one thing and perhaps that's not enough of a motivator. Perhaps why the security agencies are more apt to adapt is because they need more than they're currently doing and the cloud provides them with that opportunity. Perhaps at the same cost that they have today. So people need to recognize what the cloud offers to them, not just that they can put the email on the cloud. Appreciate that, sir. And my last question is to you, Mr. Nettinger. Will FITARA and the implementation of FITARA help get the federal agency community and the private sector kind of seeing it on the same page, talking in the same language? Yeah, I do think so. It's given the additional controls that the CIOs will have in making the acquisition decisions. I think that's going to be key because, and I used to be a federal CIO myself, and when I was a federal CIO I really controlled only about 20% of my IT spend, 80% from the mission side. With FITARA that changes, and if you take a look at who has those applications and controls applications, it's on the mission side. So with FITARA in hand that's going to allow the CIO to actually have oversight of all the IT spend and be able to basically take a look at how they can move some of the mission support. Cold today, sorry about that. How they can move some of the mission support activities into the cloud and what it's going to take to do it. So this I think will be a key element, as well as being able to demonstrate examples to the mission owners as to where this can be successful. And that's where again, throughout the CDM agency cloud where we're going to be moving 42 agencies into a common area. 
And that's going to have a major impact in regards to understanding and the comfort level as to what the cloud provider can provide. Thank you. I'd like to now recognize Congresswoman Kelly for as much time as she would like to consume. Thank you, Mr. Chair. Today's hearing we've discussed the various benefits and challenges with transitioning to the cloud, and Mr. Boise, your testimony talks about the importance of the decision of what to move to the cloud. What factors should federal agencies consider when making the decision on what applications and workloads to move to the cloud? And you talked about in your testimony leveraging current IT investments, but I'm listening to my colleague here who knows a little more on the subject than me. It sounds like our investments are so old, so how much can we really bring over and transition to the cloud? Well, I think a large part of that is, one, I can answer the first part of the question about what you might want to look at as far as what are good candidates to move to the cloud. In a lot of cases it's not just looking at the application, but it's kind of having an overlay of what does it look like. Where do the users who primarily use this live and where does the data that they access live? If they all live in one building and they require high performance and it needs to be on site, then certainly that can be challenging to move to the cloud because you're decoupling some of these relationships and some of these dependencies on the application. So I think understanding the data portability of how you can move that data around and how you can figure out which parts of that application can live in the cloud, where you can take advantage of the efficiencies of running workloads at 90% efficiency and then maybe pointing back to storage or pointing back to some other resource on site that you've already made a million dollar investment in, and if you're buying a new disk, where your storage is. 
So I think a lot of it is really understanding the overlay of what the application looks like holistically from the top down. Understanding where the users are, understanding how the application is actually designed and if it could benefit from the cloud. And also picking the ones that I think are, we've made great strides in how we do application development today, that if it's web enabled, meaning that it's a web portal, if you go on and you sign into like an HR system at work where you sign into a website. Those are ones that are web enabled and very modular, that you can pick apart and move them around as opposed to having a very strict architecture. I think some of those are ways of kind of looking at each application: rather than looking at it as kind of a monolithic entity or IT ecosystem, looking at each one of these applications kind of independently, making the assessment of which ones would be good candidates. Because again, there's the shared services strategy that came out a couple of years ago where I think there's a lot of ability to reuse some of these applications at a software as a service level that would represent good opportunities for them to save money. Okay, thank you so much. You're welcome. I yield. The gentlewoman yields back. I think we could spend the rest of the week asking questions and talking about this, but I think this is one of the reasons why we have to have these conversations, to highlight some of these issues, and I appreciate y'all being here today. Many of y'all came from far distances and many of us have planes to catch to different parts of the country. And before we close, we wouldn't be able to do this without the staff that made this happen, and I'd like to recognize Madison Smith, Shana Tehan, Troy Stock, Julie Dunn, MJ Henshaw, Brian Quinn, Sharon Casey, Brandon Garrett, Brandon Webb, Ashley Harris, and John Arnold. If y'all would help me recognize them for their help today. Again, I'd like to thank Dr. 
Romo and UTSA for hosting us here today. I'd like to thank our panelists for taking the time to appear before us today and, there being no further business, this concludes our briefing. It's a pleasure. Oh, it's a pleasure to have you here. Yeah.