ML17354A636

| ML17354A636 | |
|---|---|
| Issue date: | 12/20/2017 |
| From: | NRC/OCIO |
| Download: | ML17354A636 (47) |
United States Nuclear Regulatory Commission Cloud Computing Strategy Version 1.3 12/20/2017
NRC Cloud Computing Strategy 12/20/2017

Revision History

| Date | Version | Description |
|---|---|---|
| 04/07/2017 | 1.0 | |
| 06/06/2017 | 1.1 | Updated the contents of Appendix D. |
| 12/05/2017 | 1.2 | Updated the contents to reflect the latest changes to the strategy. |
| 12/20/2017 | 1.3 | Updated some references to other documents. |
Table of Contents

List of Figures
List of Tables
1 Background
2 Purpose and Objectives
  2.1 Scope
  2.2 Assumptions
  2.3 Performance Measurement
3 Strategy Development Approach
4 Strategies for Cloud Services Adoption
  4.1 General Strategies
    4.1.1 Benefits Realization
    4.1.2 Iterative Approach
    4.1.3 Data Center and Cloud Optimization
    4.1.4 Agility and Innovation
  4.2 Strategies for Establishing a Foundation for Support of Cloud Computing
    4.2.1 IT/IM Policy and Governance
    4.2.2 Acquisition Planning and Support
    4.2.3 Cloud Services Management and Application Migration
    4.2.4 IT Infrastructure Readiness
      Support for Optimized and Reliable Network Access to Cloud Services
      Support for Agency Approved Security Credentials and Access Controls
  4.3 Exit Strategies to Address the Risk of Vendor Lock-In
5 Cloud Service Adoption Roadmap
6 Appendix A - Cloud Computing Overview
  6.1 Essential Characteristics
  6.2 Service Models
    6.2.1 Software as a Service (SaaS)
      Definition of SaaS
      SaaS Software Stack and Provider/Consumer Scope of Control
    6.2.2 Platform as a Service (PaaS)
      Definition of PaaS
      PaaS Software Stack and Provider/Consumer Scope of Control
    6.2.3 Infrastructure as a Service (IaaS)
      Definition of IaaS
      IaaS Software Stack and Provider/Consumer Scope of Control
  6.3 Deployment Models
  6.4 Conceptual Cloud Computing Reference Model
  6.5 Actors in Cloud Computing
7 Appendix B - Factors for Prioritizing IT Services for Cloud Adoption
  7.1 Cost/Economic Related Factors
    7.1.1 Projected Cost Savings
    7.1.2 Implementation Timing and LOE
    7.1.3 Confidence of Resource Commitment
  7.2 Benefits Related Factors
    7.2.1 Benefit Scope/Impact
    7.2.2 Added End-User Benefits
    7.2.3 IT Operational/Delivery Benefits
  7.3 Solution/Architecture Factors
    7.3.1 Cloud Leverage
    7.3.2 Implementation Readiness
    7.3.3 Solution/Architecture Complexity
    7.3.4 Availability
8 Appendix C - Cloud Service Portfolio
9 Appendix D - Cloud Service Adoption Portfolio
10 Appendix E - Glossary

List of Figures
Figure 1: Relationship of Contracts Supporting Cloud Services
Figure 2: Notional Diagram of the Future NRC Cloud Computing Environment
Figure 3: SaaS Provider/Consumer Scope of Control
Figure 4: PaaS Component Stack and Scope of Control
Figure 5: IaaS Component Stack and Scope of Control
Figure 6: The Conceptual Reference Model

List of Tables
Table 1: Cloud Benefits: Efficiency, Agility, and Innovation
Table 2: Cloud Service Adoption Roadmap
Table 3: Actors in Cloud Computing
Table 4: List of NRC Systems/Applications that are Cloud Services
Table 5: Cloud Service Adoption Portfolio Listing
1 Background
The U.S. Nuclear Regulatory Commission (NRC) continues to actively seek opportunities to enhance its information technology (IT) systems and services in an effort to support its mission while minimizing cybersecurity risk and maximizing the use of its IT resources. To this end, the NRC has chosen to leverage a number of Federal IT service strategies and initiatives which have been designed to encourage Federal agencies to reduce IT resource burden, transfer and reduce cybersecurity risk, and ensure continuous enhancement and modernization of IT infrastructure, platforms, and software. Three of these strategies and initiatives that include a cloud computing [1][2] focus are described below:
- Federal Cloud Computing Strategy [3] - In February 2011, the Office of Management and Budget (OMB) issued the Federal Cloud Computing Strategy, which shifted from building custom systems to adopting cloud technologies and shared solutions with the goal of improving the government's operational efficiencies and achieving cost savings. It states that "When evaluating options for new IT deployments, OMB will require that agencies default to cloud-based solutions whenever a secure, reliable, cost-effective cloud option exists."
- Federal IT Shared Services Strategy [4] - Building on a requirement established in the OMB 25-point IT reform plan, OMB released its Federal IT Shared Services Strategy, which requires agencies to use shared services for IT service delivery in order to increase return on investment, eliminate waste and duplication, and improve the effectiveness of IT solutions. It states that "This IT Shared Services Strategy and the associated policy guidelines require agencies to default to a shared solution when opportunities for consolidation exist. Cloud-First and Shared-First concepts and policies are intended to work in tandem. The Federal Government's continuing move toward cloud-based IT solutions will serve as a catalyst for the broader adoption of IT shared services. Cloud computing is a method to manage and deploy IT shared services."
- Data Center Optimization Initiative (DCOI) [5] - This initiative requires agencies to develop and report on data center strategies to consolidate inefficient infrastructure, optimize existing facilities, improve security posture, achieve cost savings, and transition to more efficient infrastructure, such as cloud services and inter-agency shared services, when appropriate.

[1] See Appendix A for an introductory overview of cloud computing.
[2] See Appendix E for a glossary of terms.
[3] See Federal Cloud Computing Strategy document, at https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/egov_docs/federal-cloud-computing-strategy.pdf.
[4] See Federal Information Technology Shared Services Strategy document, at https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/egov_docs/shared_services_strategy.pdf.
[5] See Office of Management and Budget (OMB) memorandum M-16-19, at https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/egov_docs/federal_data_center_consolidation_initiative_02-26-2010.pdf.
Cloud adoption frequently leads to reduced costs, but not always in the short term and sometimes never. In addition, cloud providers have the potential to leverage computing environments that are more agile and secure than those of Federal agencies, due to economies of scale, staff specialization, platform uniformity, greater availability of resources, and superior backup and recovery. [6] Table 1, below, has been adapted from Figure 2 [7] of the Federal Cloud Computing Strategy, which summarized three areas of cloud computing benefits: efficiency, agility, and innovation.
Table 1: Cloud Benefits: Efficiency, Agility, and Innovation

| Benefit | Details | Current Federal Government Environment |
|---|---|---|
| Efficiency | Improved asset utilization (server utilization > 60-70%); aggregated demand and accelerated system consolidation (e.g., Federal Data Center Consolidation Initiative); indirect productivity benefit to all services in the IT stack (e.g., less effort required to stand up and develop software testing environments) | Low asset utilization (server utilization < 30% typical); fragmented demand and duplicative systems; difficult-to-manage systems |
| Agility | Purchase as-a-service from trusted cloud providers; near-instantaneous increases and reductions in capacity; more responsive to urgent agency needs | Years required to build data centers for new services; months required to increase capacity of existing services |
| Innovation | Shift focus from asset ownership (CAPEX model) to service management (OPEX model); tap into private sector innovation; help IT services take advantage of leading-edge technologies, including devices such as tablet computers and smart phones | Burdened by asset management; de-coupled from private sector innovation engines; risk-averse culture |

[6] NIST Special Publication 800-144, Guidelines on Security and Privacy in Public Cloud Computing (http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-144.pdf)
[7] See page 3 of the Federal Cloud Computing Strategy, at https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/egov_docs/federal-cloud-computing-strategy.pdf.
2 Purpose and Objectives

The purpose of this document is to provide an agency-wide strategy and high-level roadmap for cloud computing services adoption at the U.S. Nuclear Regulatory Commission (NRC). The agency's objectives are:

- Improve security, cost effectiveness, efficiency, agility, and scalability in delivering IT services
- Align with the Office of Management and Budget's (OMB) Cloud First policy and the Federal Cloud Computing Strategy
- Accomplish appropriate system and application migrations to cloud services as part of compliance with Federal DCOI mandates
- Establish consistent cloud solution planning practices
- Reduce risks to IT delivery, availability, and performance by better leveraging the architectural benefits of a more distributed and consistent infrastructure and platform environment

The NRC has previously adopted selected cloud computing services. This strategy builds on that experience and adds a holistic approach to cloud services adoption.
The intended audience of this document is the NRC's senior leaders and managers, IT system planners and owners, IT program and project managers, technologists, and others responsible for cloud computing adoption.
2.1 Scope

The scope of this strategy includes:

- Reusable selection criteria for assessing the readiness or priority of systems and applications for cloud adoption;
- Support of the acquisitions planning and contract strategy for acquiring cloud services;
- Identification of foundational and infrastructure components and their dependencies to help achieve a managed hybrid cloud environment that integrates public cloud service offerings, public shared service offerings, and private cloud service offerings in NRC data centers;
- A multi-year cloud strategy and implementation roadmap, with an iterative transition and implementation approach, which integrates with existing data center optimization activities and IT infrastructure enhancements to inform future budget priorities.
2.2 Assumptions

The following are some assumptions for this strategy:

- Only Federal Risk and Authorization Management Program (FedRAMP) authorized and/or federal shared service providers will be leveraged;
- Classified and Safeguards Information (SGI) systems and applications are out of scope for cloud services adoption;
- Savings from the move of existing systems and applications to cloud services will be reinvested in future modernization and cloud service adoption activities;
- Planned initiatives and milestones for cloud adoption are subject to change as lessons learned from iterative steps are revealed, cloud expertise is gained internally, and recommendations are obtained from experienced contractors and external stakeholders.
2.3 Performance Measurement

The following performance indicators will measure the agency's progress in meeting its cloud computing strategic objectives and its ability to sustain or improve customer satisfaction with these services:

- Objective Outcome Indicators
  o Achieve value of cloud services: Between FY 2016 and FY 2020, maintain a consistent downward trend in IT services delivery costs (as compared to the FY 2015 baseline) for those services that have been moved to the cloud.
  o Maintain or improve customer satisfaction on service delivery: Between FY 2016 and FY 2020, improve or sustain the prior year score for agency-specific questions addressing information and information technology on the annual Federal Employee Viewpoint Survey (FEVS).
- Strategy Output Indicators
  o By Q3 FY 2017, implement at least two enterprisewide contracts to provide public cloud services;
  o By Q1 FY 2018, complete three public cloud service implementations;
  o Meet all fiscal year milestones in the Cloud Service Adoption Roadmap, in section 5.
3 Strategy Development Approach

The NRC completed a number of activities to help develop this strategy. The key activities were:

- Gathered cloud deployment best practices and lessons learned from other Federal agencies, industry, and IT advisory sources.
- Developed factors for assessing or prioritizing systems and applications for cloud adoption.
- Validated the factors by reviewing a select number of NRC systems and major applications to determine suitability and priority for consideration for cloud adoption.
- Developed a planning and preparation approach for acquisition of public cloud services, to support effective procurements for cloud requirements of the NRC.
- Started concurrent performance of a network architecture assessment, to determine current network capacity and the options to enhance network efficiency, reliability, and redundancy for access to cloud services.
- Identified key foundational capabilities required for support of cloud service adoption, such as cloud procurement contract vehicles, support for financial considerations, support for network access to cloud services, support for needed security controls, support for cloud services management, and establishment of policies, procedures, training, and governance for cloud adoption and use.
- Identified technical standards for cloud service adoption and updated the NRC Information Technology / Information Management (IT/IM) Technical Standards.
- Developed a high-level cloud service adoption roadmap, which addresses
  o foundational infrastructure capabilities;
  o Data Center Optimization Initiative (DCOI) milestones;
  o near-term key cloud service adoption activities, such as enterprise email and High Performance Computing System (HPCS) hosting; and
  o recommendations to inform near-term implementation planning activities.
4 Strategies for Cloud Services Adoption

Based on best practices and lessons learned, the results of an initial review of the NRC system and major application portfolio, and other research and analysis performed, as identified in the approach above, the following sections lay out NRC strategies for cloud services adoption.
4.1 General Strategies

4.1.1 Benefits Realization

To maximize cloud services benefits, the NRC will use the following strategies:

- Leverage Software-as-a-Service (SaaS) first to support a low-code deployment approach (such as simple workflow automation activities, using ServiceNow, Salesforce, etc.), and optimize functional requirements to take full advantage of SaaS benefits.
- Leverage Platform-as-a-Service (PaaS) to drive technology standardization for modernized systems and applications that require customization. Strive to redevelop systems and applications to implement fully cloud-native solutions, when feasible and cost effective.
- Plan ahead to acquire and support standardized PaaS platforms.
- Adopt Infrastructure-as-a-Service (IaaS) only by exception.
4.1.2 Iterative Approach

The NRC will use an iterative approach to cloud adoption to realize the following benefits:

- Minimize technical risk and foster gradual growth of organizational maturity.
- Realize incremental cost savings and reinvest the savings in architecture modernization and further cloud adoption.
- Minimize direct contract and service management overhead by phasing in the use of IaaS and PaaS providers.
4.1.3 Data Center and Cloud Optimization

To optimize the use of data centers and the hybrid cloud model, the NRC will use the following strategies:

- Continue to reduce the number and size of data centers by migrating systems and applications to the cloud or by consolidating them in another data center, as appropriate, technically feasible, and cost effective.
- Integrate cloud resource provisioning and deprovisioning with asset and configuration management (initially via cloud-broker-like services [8]).
- Leverage cloud-broker-like services to plan for and ensure cloud usage and service optimization.

[8] The services to be provided by a cloud broker are discussed in detail in section 4.2.3, below.
4.1.4 Agility and Innovation

Plans and standards will be developed in preparation for taking the following actions to leverage the cloud computing paradigm:

- Accelerate the adoption of a DevOps approach to development, testing, and operations.
- Establish automated regression testing discipline, practices, and tools to keep up with cloud service provider (CSP) changes.
- Leverage new IT service access and provisioning mechanisms, such as service catalogs (initially via cloud-broker-like services).
4.2 Strategies for Establishing a Foundation for Support of Cloud Computing

NRC organizational and IT infrastructure capabilities and IT/IM support services will have to be enhanced to provide the necessary foundation for acquisition, management, monitoring, and use of off-premise cloud solutions, as discussed in the following sections:

- IT/IM Policy and Governance
- Acquisition Planning and Support
- Cloud Services Management and Application Migration
- IT Infrastructure Readiness

4.2.1 IT/IM Policy and Governance

The NRC's governance model will need to be reviewed to ensure that there is adequate structure and controls for verifying that system/application changes consider cloud first strategies and for validating that cloud service adoption adds value to the agency. The following tools have been developed to identify and facilitate cloud policy compliance:

- The Factors for Prioritizing IT Services for Cloud Adoption (see Appendix B) have been developed to serve as a tool for helping determine the prioritization and timing of future system/application cloud adoption.
- The Cloud Service Adoption Roadmap (in section 5, below) will be used to guide implementation and migration planning.
- The Cloud Service Adoption Portfolio (see Appendix D) lists the current NRC systems/applications that are candidates for cloud adoption and will be used to update the Cloud Service Adoption Roadmap as planning and prioritization progresses.
- The Planning and Preparation Approach for Acquisition of Public Cloud Services (see discussion in section 4.2.2, below).
- The NRC Information Technology / Information Management Technical Standards. These standards (the current version is 1.3, ML17082A544 [9]) have been updated to document a cloud first policy for cloud service acquisitions and guide selection of cloud computing services. Other cloud adoption enablement standards under consideration include:
  o Cloud Data Management Interface (CDMI)
  o Cloud Infrastructure Management Interface (CIMI)
  o Docker
  o Open Cloud Computing Interface (OCCI)
  o Open Virtualization Format (OVF)
  o Topology and Orchestration Specification for Cloud Applications (TOSCA)

4.2.2 Acquisition Planning and Support

Collaboration between the Office of the Chief Information Officer (OCIO) and the Office of Administration (ADM) has resulted in the development and documentation of the Planning and Preparation Approach for Acquisition of Public Cloud Services (the current version is 1.2, ML17352A737 [10]), to support effective procurements for cloud requirements of the NRC. It represents an integral component of the NRC's cloud services strategy, enabling the NRC to realize the strategy's intended benefits, including reducing IT lifecycle costs and increasing service and delivery capabilities.
Although public CSPs have established commercial market mechanisms to enable straightforward procurement and provisioning of their services, Federal acquisitions of public cloud services must address several factors specific to government purchasers, including:

- The biggest and most capable cloud providers do not want to transact directly with government organizations - The reluctance of bigger providers such as Amazon Web Services (AWS) and Microsoft Azure to sell services directly to federal agencies means that virtually all procurements require a reseller or system integrator firm to act as a middleman.
- Federal organizations must perform a variety of mandatory security and risk activities - Although commercial entities have the option of validating and accepting risks with as little as a verbal discussion, federal organizations must adhere to a more formal, heavily documented, and validated risk management approach. Even in FedRAMP environments, the agency will still be responsible for implementing a variable subset of security controls.
- Federal acquisition processes and rules reduce flexibility - The Federal Acquisition Regulation (FAR) and standing procurement practices reduce the flexibility of federal organizations to try and buy, to create multiple overlapping vehicles, to abbreviate acquisition processes, or to terminate existing contracts easily.
- Cybersecurity issues - There have been recent cybersecurity attacks on cloud environments that require specific consideration of provider options.

[9] https://adamsxt.nrc.gov/AdamsXT/content/downloadContent.faces?objectStoreName=MainLibrary&ForceBrowserDownloadMgrPrompt=false&vsId=%7bFD5BBA13-9CFE-4B6F-B4F9-A75F36BD27A5%7d
[10] https://adamsxt.nrc.gov/AdamsXT/content/downloadContent.faces?objectStoreName=MainLibrary&ForceBrowserDownloadMgrPrompt=false&vsId=%7b140170B3-5998-495C-997F-3962952F196B%7d
These and other factors introduce a substantially more complex cloud services acquisition environment for the NRC. To address them, the Planning and Preparation Approach for Acquisition of Public Cloud Services highlights key activities across the acquisition process and describes key concepts and areas of consideration by the variety of stakeholders involved in the agency's acquisition of public cloud services.

The NRC will centralize and standardize cloud procurement contract vehicles, including use of purchase cards.

An existing cloud services contract for IaaS has been obtained through a Department of the Interior (DOI) interagency agreement for support of HPCS-RESNet hosting. This will not necessarily be the NRC's permanent solution for hosting of HPCS-RESNet. At least one other IaaS provider's services will be acquired, as discussed below.
Figure 1, below, shows the relationship of the currently planned NRC contracts that will support cloud services adoption and use. These contracts include Federal governmentwide acquisition contracts (GWAC), such as the U.S. General Services Administration's IT Schedule 70; the Global Infrastructure and Development Acquisition (GLINDA) and other blanket purchase agreements (BPA); and the Systems, Network, and Related Cross-Cutting Services (SNCC) BPA call order.

Figure 1: Relationship of Contracts Supporting Cloud Services

Cloud-broker-like services (as discussed in section 4.2.3, below) will be a key component of this strategy to achieve effective results in adopting and sustaining cloud services. The GLINDA BPA call will integrate cloud-broker-like services into ongoing data center operations management and service implementations, and enable provider participation in requirements input as the NRC moves forward with cloud initiatives.

Acquisition of the following additional cloud services is being considered:

- One IaaS service
- Two PaaS services, to support Windows and Linux development and operating platforms
- Multiple SaaS services, driven by business requirements

Any of the services could be provided by a single cloud provider.
4.2.3 Cloud Services Management and Application Migration

Cloud services management is needed to manage cloud services, particularly in a unified manner across multiple cloud providers. Cloud services management includes monitoring and control functions such as:

- Monitoring service levels and performance
- Responding to incidents and disruptions to services
- An integrated management control point to extend management and security policies across the hybrid cloud
- Automatic provisioning, configuration, and deprovisioning of cloud resources
- Visibility and control of user access; auditing and logging of system access and resources; and usage, cost, and metering controls.
The NRC considered three alternatives for supporting the capability for performing cloud services management. These alternatives [11] are listed below with insight into potential risks associated with each:

- Cloud providers' tools. Leverage service management capabilities/tools provided by each CSP. As the number of CSPs increases, the number of tools and service management interfaces will become unmanageable.
- Cloud/data center management platforms. Implement an integrated service management platform in the NRC data center. Hybrid-cloud service management solution offerings are still maturing, and the NRC would need to invest heavily in the implementation to ensure service compatibility and interoperability to provide a single-pane-of-glass service management capability.
- Cloud broker services. Leverage the services to plan, arbitrate, engineer, and aggregate cloud services, and to perform ongoing monitoring and optimization of the cloud services. Service arbitration with the CSPs on behalf of the NRC can lead to CSP protests and can exceed Federal government acquisitions legal limits.

Given the NRC's interest in accelerating cloud services adoption and value realization, the strategy is to establish cloud-broker-like services. The cloud-broker-like services will not include arbitration services, but will cover the following services, among others:

- Evaluating the NRC's current cloud migration evaluation model and developing a more comprehensive evaluation tool and method that informs the agency's cloud implementation roadmap

[11] See the definitions for cloud provider and cloud broker in Appendix A.
NRC Cloud Computing Strategy 12/20/2017 12 Cross-Cutting Brokerage Services. The broker will provide continuous cross-cutting cloud service planning and design advisory and technical expertise to establish an agency approved brokered cloud service portfolio and maintain the strategy for its use.
Specific service areas include:
Program and Strategy Services. The cloud broker will provide program services to enable ongoing cloud brokerage service strategy development, architectural definition, training needs identification and migration planning.
Portfolio Assessment Services. Leveraging the NRC's existing cloud migration strategy, acquisition guidance, and other cloud program planning materials, the cloud broker will provide portfolio assessment services to the agency's cloud program.
Service Design and Terms Assistance. The cloud broker will leverage its service monitoring and optimization activities as well as its expertise to ensure the agency maintains an optimal mix of cloud services and associated service levels.
Brokered Services Delivery and Management. On the NRC's behalf, the cloud broker will provide and manage the agency's cloud services as follows:
Service Provisioning. The cloud broker will provide the resources and related technical capabilities to support the provisioning and deprovisioning of public IaaS, PaaS, and SaaS cloud services.
Service Delivery. As a component of its managed services, the cloud broker will ensure successful delivery of all IaaS, PaaS, and SaaS cloud services that meet the agency service requirements and related service level agreements. The cloud services include:
Compute and storage resources
Network services
Database services
Data integration and analytics services
Identity and directory services
Scaling, performance, availability, and continuity services
Application development, deployment, and provisioning services
Cloud management services
Service Monitoring and Optimization. The cloud broker will provide ongoing monitoring and optimization of the agency's cloud services, including monitoring and optimization of the cloud broker's own services. The cloud broker will provide ongoing monitoring and optimization for services provided by cloud service providers to the extent that these services provide the required mechanisms for their management by the cloud broker.
Engineering Services. The cloud broker will provide application-level engineering and configuration services associated with new application deployment as well as existing application/service migration (including change, configuration, and asset management).
The NRC expects the cloud broker to leverage a commercially available and/or widely used cloud management solution to automate and standardize the agency's multi-provider cloud services environment in order to achieve unified visibility into resource utilization and costs, ensure compliance and lower risks, and increase service flexibility.
As CSPs develop and make available new or enhanced IaaS, PaaS, and SaaS services, the cloud broker will be expected to work with the NRC to evaluate the efficacy and value of these services within the context of its cloud service design and catalog, and to make these services available to the NRC when approved, or when provided by the agency through another channel.
The cloud broker will provide the intermediary services to ensure application-level planning activities fully consider the opportunities, factors, and risks associated with use of the agency's cloud portfolio. Additionally, these services will be delivered as an integrated component of the NRC's DevOps delivery model currently being developed within the agency.
At some point in the future, when the NRC has developed corporate knowledge, skills, and capability for cloud services management, and management alternatives have become more mature, the agency will have the option to take over some of the responsibilities of the cloud broker.
4.2.4 IT Infrastructure Readiness
A number of IT infrastructure capabilities are required to be in place to support the adoption, management, monitoring, and use of cloud services, as discussed in the following sections:
Support for Optimized and Reliable Network Access to Cloud Services
Support for Agency Approved Security Credentials and Access Controls
Support for Optimized and Reliable Network Access to Cloud Services
A network architecture assessment has been started to determine current network capacity and the enhancements needed to support efficient, reliable, and redundant access to cloud services from and through the NRC network.
The following general capabilities will be implemented for reliably connecting to cloud services with low latency:
Support for addressing unbalanced utilization of Internet and other external network connections
Support for interconnection of multiple cloud services/environments and network service providers via a Multiprotocol Label Switching (MPLS) virtual Local Area Network (vLAN)
Dedicated network connections for access to cloud services
Support for access to SaaS via the Internet, for low-traffic-volume applications
Reduced need to connect via the public Internet, with the associated requirement to go through the GSA's Managed Trusted Internet Protocol Service (MTIPS), to communicate with cloud services
Leveraging of appropriate technologies to utilize bandwidth efficiently and improve end-to-end performance, e.g. compression, QoS, load balancing, optimized routing protocols, etc.
Below, in Figure 2, is a notional diagram of the future NRC cloud computing environment.
Figure 2: Notional Diagram of the Future NRC Cloud Computing Environment
Support for Agency Approved Security Credentials and Access Controls
Cloud service provider security responsibilities will be addressed by acquiring only FedRAMP-authorized and/or federal shared service providers and inheriting their security controls for NRC system security authorization. The NRC will be responsible for a variable subset of security controls.
Use of public cloud computing introduces new gaps in the capabilities needed to provide and support the security controls that will not be the responsibility of the CSPs.
The NRC possesses a number of appropriate and useful but not fully documented security practices and controls that will have to be reviewed and updated in order to fully leverage public cloud services.
To provide capabilities to support identity, credential, and access management (ICAM) for cloud services using agency-issued credentials, the NRC will:
Standardize on Active Directory Federation Services (ADFS) supporting the Security Assertion Markup Language (SAML) 2.0 Web Browser single sign-on profile, where the provider supports it.
Provide support for one or more federal-government-accepted alternative industry solutions for SaaS/PaaS, such as Personal Identity Verification (PIV) card Public Key Infrastructure (PKI), via the NRC Access Control Gateway.
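In the SAML 2.0 Web Browser SSO profile named above, the identity provider (here ADFS) issues a signed assertion that the cloud service must validate before granting access. The following is an added example, not code from the NRC or from this strategy, showing the relying-party checks on an assertion's conditions: expected issuer, presence of a signature, validity window with clock skew, audience restriction, and one-time use of the assertion ID. The assertion text, the issuer entity ID and the audience entity ID are constructed placeholders. Cryptographic verification of the XML signature against the identity provider's federation certificate is left to a dedicated XML-DSig library and is only noted in the code.

```python
"""Relying-party checks on a SAML 2.0 assertion before it is trusted for sign-on:
issuer, enveloped signature present, validity window, audience restriction, and
replay of the assertion ID. Added example, not NRC code; the assertion, issuer and
audience values below are constructed placeholders."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample assertion (hypothetical IdP and SP entity IDs).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_constructed-id-0001" Version="2.0" IssueInstant="2017-12-20T15:00:00Z">
  <saml:Issuer>https://idp.example.gov/adfs/services/trust</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>user@example.gov</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2017-12-20T14:59:00Z" NotOnOrAfter="2017-12-20T15:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://saas.example.com/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

EXPECTED_ISSUER = "https://idp.example.gov/adfs/services/trust"   # hypothetical
EXPECTED_AUDIENCE = "https://saas.example.com/sp"                  # hypothetical


def parse_saml_time(value):
    """Parse the UTC xs:dateTime form SAML uses ("...Z", optional fraction)."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_assertion(xml_text, now, expected_issuer=EXPECTED_ISSUER,
                    expected_audience=EXPECTED_AUDIENCE, seen_ids=None,
                    clock_skew=timedelta(seconds=60)):
    """Return the list of problems found; an empty list means the checks passed.

    Signature verification (XML-DSig over the assertion, checked against the
    IdP's federation-metadata certificate) is left to a dedicated library; this
    only rejects assertions that carry no signature element at all.
    """
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return ["root element is not saml:Assertion"]

    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        problems.append("unexpected issuer")
    if root.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed")

    # One-time use: an assertion ID presented a second time is a replay.
    if seen_ids is not None:
        assertion_id = root.get("ID")
        if assertion_id in seen_ids:
            problems.append("assertion ID already seen (replay)")
        else:
            seen_ids.add(assertion_id)

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
        return problems
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and now < parse_saml_time(not_before) - clock_skew:
        problems.append("assertion not yet valid")
    # NotOnOrAfter is exclusive in SAML: the instant itself is already invalid.
    if not_on_or_after and now >= parse_saml_time(not_on_or_after) + clock_skew:
        problems.append("assertion expired")

    audiences = [a.text.strip() for a in
                 cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if not audiences:
        problems.append("no AudienceRestriction")
    elif expected_audience not in audiences:
        problems.append("audience mismatch")
    return problems


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, parse_saml_time("2017-12-20T15:01:00Z")))  # []
    print(check_assertion(SAMPLE_ASSERTION, parse_saml_time("2017-12-20T15:10:00Z")))  # ['assertion expired']
```

The audience and replay checks are the ones most often skipped in home-grown relying parties: without the audience check, an assertion the identity provider issued for one cloud service can be presented to another, and without the ID cache a captured assertion remains usable until NotOnOrAfter. The clock-skew allowance should stay small (a minute or so) and the identity provider and service provider clocks should be synchronized, since skew widens the replay window.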
4.3 Exit Strategies to Address the Risk of Vendor Lock-In
Vendor lock-in can make it difficult or impossible to move applications and data from one cloud service to another or to interface between cloud services. Common interoperability and portability issues that may be encountered are12:
Inability to pool services from different providers
Authentication and authorization issues
Issues with compliance with security policies and procedures
Technical issues with managing virtual machines (provisioning, contextualization, de-provisioning)
Proprietary data formats (incompatibility issues with existing software)
Inability to move to another service provider or to take data in-house
Lack of integration points with existing management tools
Inconsistencies in data formats causing management and access challenges
To reduce the risk and extent of vendor lock-in, the following strategic approach will be taken13:
Become aware of the complexities and dependencies of cloud services solutions.
Assess providers' technology implementations, such as application program interfaces (APIs), and standard service level agreements for potential areas of lock-in.
Select vendors, platforms, or services that support more standardized formats and protocols based on standard data structures.
Ensure there is sufficient portability.
Prepare an exit strategy/plan for each cloud service on which the NRC depends.
Monitor factors that may signal the need to exit a cloud service.
In addition, all data stored in the cloud should remain the exclusive property of the Federal government, and the NRC should maintain regular backups of agency data. Backed-up data must be stored in a machine-readable format based on industry standards, and CSPs' terms of service and/or contract agreements must include the requirement to support these standards for data exports.
12 Critical analysis of vendor lock-in and its impact on cloud computing migration: a business perspective (https://www.researchgate.net/publication/301334572_Critical_analysis_of_vendor_lock-in_and_its_impact_on_cloud_computing_migration_a_business_perspective).
13 Ibid. Content adapted from this source.
5 Cloud Service Adoption Roadmap
The following roadmap, in Table 2, proposes a timeline of high-level milestones for cloud service adoption that spans multiple years, with near-term initiatives and long-term activities.
It identifies already-completed and near-term NRC initiatives that will build the foundational capabilities early for the support of cloud computing adoption (such as contracts, infrastructure improvements needed for use of the cloud, and implementation of cloud broker services14); pilot the use of innovative cloud services (such as cloud-based process and service automation); give a near-term focus on the highest-value services (such as enterprise email, storage, and high-performance computing); and support ongoing data center optimization.
In the long term, cloud adoption activities will expand to large system (e.g. Agencywide Documents Access and Management System (ADAMS)) migration to PaaS and legacy system modernization (e.g. Unified Communications, Integrated Library System) using PaaS/SaaS (see Appendix D).
The ongoing and long-term activities will be iterative, take advantage of lessons learned, and leverage cloud broker assistance to scope and implement for FY 2018 and beyond.
Table 2: Cloud Service Adoption Roadmap

| No. | Name | Milestone dates (original columns: Before FY 2017 / FY 2017 / FY 2018 / FY 2019 / After FY 2019) |
|---|---|---|
| 1 | Build the Foundation | |
| 2 | Virtualize servers in 3WFN data center | < FY 2013 |
| 3 | Develop Planning and Preparation Approach for Acquisition of Public Cloud Services | 9/16 |
| 4 | Establish agency standards for cloud service adoption | 7/16; 10/16 |
| 5 | Perform network architecture assessment | 8/16; 3/17 |
| 6 | GLINDA contract implemented, including cloud broker services | FY 2016; 5/17 |
| 7 | Enhance network architecture & configuration | 4/17-6/17 |
| 8 | Establish direct network connection services to selected cloud providers | 6/17 |
| 9 | Implement credential validation solution | 4/16; 4/17 |
| 10 | Add new cloud service provider services via new or existing contract | 1/17-6/17 |
| 11 | Cloud adoption roadmap for mid to long term implementation (cloud-broker-like services plan) | 9/17; On-going; 9/19 |
| 12 | Operationalize cloud broker services | 10/17-3/18 |
| 13 | Expand IT Solution Options | |
| 14 | Identify & implement process automation PaaS/SaaS pilot as supplement to the agency solution platform | 11/17; 9/18 |
| 15 | Cloud Services Implementation | |
| 16 | Near-Term Implementation | |
| 17 | High Performance Computing System (HPCS - CDS/CFD/RESNet) - Phase 1 | 6/16; 9/17 |
| 18 | Labor and Employment Matters Legal Case Management System (OGC-CMS) - iComplaints for EEO case management - SaaS | 4/15; 6/17 |
| 19 | Information Technology Infrastructure Email System (ITI-Email) - Office 365 - SaaS | 8/16; 6/17 |
| 20 | Mid-Term Implementation | |
| 21 | Information Technology Infrastructure Secured Network Storage (ITI-Network Storage) - SaaS | 7/17; 12/17 |
| 22 | Integrated Source Management Portfolio (ISMP) - PaaS | 10/17-9/18 |
| 23 | Unified Communications as a Service (Voice, VTC and Skype integration) | 10/17-9/18 |
| 24 | Non-tiered Data Center optimization | 10/16; 9/18 |
| 25 | High Performance Computing System (HPCS - CDS/CFD/RESNet) - Phase 2 & 3 | 8/17; 9/18 |
| 26 | Long-term implementation, to include large systems (e.g. ADAMS) migration from tiered data centers to PaaS (e.g. EPM), and legacy system modernization (e.g. Voyager Integrated Library System) using PaaS/SaaS (see Appendix D) | 10/17; On-going; On-going |

14 Cloud broker services will not include service arbitrage.
6 Appendix A - Cloud Computing Overview
The National Institute of Standards and Technology (NIST) defines cloud computing as:
A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.15
Cloud computing has five essential characteristics, three service delivery models, and four deployment models.16
6.1 Essential Characteristics
On-demand self-service. A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.
Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations).
Resource pooling. The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, and network bandwidth.
Rapid elasticity. Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.
Measured service. Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.
15 NIST Special Publication 800-145, The NIST Definition of Cloud Computing (http://csrc.nist.gov/publications/PubsSPs.html#800-145).
16 Ibid. The source of the three diagrams and adapted scope-of-control-information, below, is NIST Special Publication 800-146, Cloud Computing Synopsis and Recommendations (http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-146.pdf).
6.2 Service Models
6.2.1 Software as a Service (SaaS)
Definition of SaaS
The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
SaaS Software Stack and Provider/Consumer Scope of Control
In SaaS, the cloud provider controls most of the software stack. Figure [3] illustrates how control and management responsibilities are shared. In the center, the figure depicts a traditional software stack comprising layers for the hardware, operating system, middleware, and application. The figure also depicts an assignment of responsibility either to the cloud provider, the cloud consumer, or both.
Figure 3: SaaS Provider/Consumer Scope of Control
In the SaaS service model, a consumer possesses control over the application-specific resources that a SaaS application makes available. For example, if a provider supplies an email application, the consumer will typically have the ability to create, send, and store email messages. Figure [3] depicts this as "user level" control. In some cases, a consumer also has limited administrative control of an application. For example, in the case of an email application, selected consumers may have the ability to create email accounts for other consumers, review the activities of other consumers, etc.
In contrast, a provider typically maintains significantly more administrative control at the application level. A provider is responsible for deploying, configuring, updating, and managing the operation of the application so that it provides expected service levels to consumers. A provider's responsibilities also extend to enforcing acceptable usage policies, billing, problem resolution, etc. To discharge these obligations a provider must exercise final authority over the application. Although a consumer may possess limited administrative control, the control possessed by the consumer exists only at the discretion of the provider.
The middleware layer depicted in Figure [3] provides software building blocks for the application. A middleware layer can take a number of forms, ranging from: (1) traditional software libraries, to (2) software interpreters (e.g., the Java Virtual Machine [] or the Python runtime environment [] or implementations of the Common Language Infrastructure [ISO/IEC 23271:2006]), to (3) invocations of remote network services. Middleware components may provide database services, user authentication services, identity management, account management, etc. In general, a cloud consumer needs and possesses no direct access to this layer. Similarly, consumers require and generally possess no direct access to the operating system layer or the hardware layer. Optionally, a provider may employ a Virtual Machine Monitor (VMM) as part of the software stack. In this case (not shown in Figure [3]), the VMM resides between the hardware and the operating-system layers. A VMM can be a useful tool to help a provider manage available hardware resources; however, SaaS consumers do not require or generally possess direct access to it.
6.2.2 Platform as a Service (PaaS)
Definition of PaaS The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider.17 The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.
PaaS Software Stack and Provider/Consumer Scope of Control
In PaaS, the cloud provider controls the more privileged, lower layers of the software stack. Figure [4] illustrates how control and management responsibilities are shared. In the center, the figure depicts a traditional software stack comprising layers for the hardware, operating system, middleware, and application. The figure also depicts an assignment of responsibility either to the cloud provider, the cloud consumer, or both.
Figure 4: PaaS Component Stack and Scope of Control
17 This capability does not necessarily preclude the use of compatible programming languages, libraries, services, and tools from other sources.
The provider operates and controls the lowest layers, the operating system and hardware; implicit in this is control over networking infrastructure such as LANs and routers between data centers. At the middleware layer, the provider makes programming and utility interfaces available to the consumer; these interfaces provide the execution environment within which consumer applications run and provide access to needed resources such as CPU cycles, memory, persistent storage, data stores, databases, network connections, etc. The provider determines the programming model, i.e., the circumstances under which consumer application code gets activated, and monitors the activities of consumer programs for billing and other management purposes. Once a consumer has used the facilities of the PaaS cloud to implement and deploy an application, the application essentially is a SaaS deployment and the consumer has administrative control over the application subject only to the provider supporting the consumer according to the terms of use.
6.2.3 Infrastructure as a Service (IaaS)
Definition of IaaS The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).
IaaS Software Stack and Provider/Consumer Scope of Control
In IaaS, the cloud provider controls the most privileged, lower layers of the software stack. Figure [5] illustrates how control and management responsibilities are shared. In the center, the figure depicts a traditional software stack comprising layers for the hardware, operating system, middleware, and applications. In the case of IaaS, the layer usually occupied by the operating system is split into two layers. The lower (and more privileged) layer is occupied by the Virtual Machine Monitor (VMM), which is also called the hypervisor. A hypervisor uses the hardware to synthesize one or more Virtual Machines (VMs); each VM is "an efficient, isolated duplicate of a real machine" []. In essence, when a consumer rents access to a VM, the VM appears to the consumer as actual computer hardware that can be administered (e.g., powered on/off, peripherals configured) via commands sent over a network to the provider. An operating system running within a VM is called a guest operating system; when full virtualization techniques are used by the provider, the consumer is free (using the provider's utilities) to load any supported operating system software desired into the VM.
Figure 5: IaaS Component Stack and Scope of Control
As shown in Figure [5], the provider maintains total control over the physical hardware and administrative control over the hypervisor layer. The consumer may make requests to the cloud (including the hypervisor layer) to create and manage new VMs, but these requests are honored only if they conform to the provider's policies over resource assignment. Through the hypervisor, the provider will typically provide interfaces to networking features (such as virtual network switches) that consumers may use to configure custom virtual networks within the provider's infrastructure. The consumer will typically maintain complete control over the operation of the guest operating system in each VM, and all software layers above it. While this structure grants very significant control over the software stack to consumers, consumers consequently must take on the responsibility to operate, update, and configure these traditional computing resources for security and reliability. This structure contrasts significantly with SaaS and PaaS clouds, where many of these issues are handled transparently for consumers.
6.3 Deployment Models
Private cloud. The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.
Community cloud. The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.
Public cloud. The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.
Hybrid cloud. The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).
6.4 Conceptual Cloud Computing Reference Model
Figure 6, below, is NIST's conceptual reference model for cloud computing18. It shows the relationships between the cloud computing actors.
Figure 6: The Conceptual Reference Model
6.5 Actors in Cloud Computing
The following table provides NIST's definitions of the actors in cloud computing19:
Table 3: Actors in Cloud Computing

| Actor | Definition |
|---|---|
| Cloud Consumer | A person or organization that maintains a business relationship with, and uses service from, Cloud Providers. |
| Cloud Provider | A person, organization, or entity responsible for making a service available to interested parties. |
| Cloud Auditor | A party that can conduct independent assessment of cloud services, information system operations, performance and security of the cloud implementation. |
| Cloud Broker | An entity that manages the use, performance and delivery of cloud services, and negotiates relationships between Cloud Providers and Cloud Consumers. |
| Cloud Carrier | An intermediary that provides connectivity and transport of cloud services from Cloud Providers to Cloud Consumers. |

18 NIST Special Publication 500-292 (http://ws680.nist.gov/publication/get_pdf.cfm?pub_id=909505).
19 Ibid.
The NRC is a Cloud Consumer, and the Office of the Chief Information Officer (OCIO) will share, along with a contractor, the role of Cloud Broker.
In general, according to NIST20, a cloud broker can provide services in the three following categories.21 Note that Service Arbitrage is not feasible to implement in the Federal government acquisitions context, so it is not applicable to the NRC.
Service Intermediation: A cloud broker enhances a given service by improving some specific capability and providing value-added services to cloud consumers. The improvement can be managing access to cloud services, identity management, performance reporting, enhanced security, etc.
Service Aggregation: A cloud broker combines and integrates multiple services into one or more new services. The broker provides data integration and ensures the secure data movement between the cloud consumer and multiple cloud providers.
Service Arbitrage: Service arbitrage is similar to service aggregation except that the services being aggregated are not fixed. Service arbitrage means a broker has the flexibility to choose services from multiple agencies. The cloud broker, for example, can use a credit-scoring service to measure and select an agency with the best score.
20 Ibid.
21 http://www.gartner.com/newsroom/id/1064712.
7 Appendix B - Factors for Prioritizing IT Services for Cloud Adoption
The following factors are proposed for prioritization of IT services for cloud adoption. The factors are organized in three groups (listed in the table below), each with an associated multiplier and subfactors. Each subfactor, based on its selected rating level, results in a point value. The sum of the point values from each subfactor provides the total points for a main factor. The total point value for each main factor is multiplied by the associated multiplier, and the resulting values for the main factors are summed to generate the prioritization score.

| No. | Main Factor | Multiplier |
|---|---|---|
| 1 | Cost/Economic Related Factors | 3 |
| 2 | Benefits Related Factors | 2 |
| 3 | Solution/Architecture Factors | 1 |

7.1 Cost/Economic Related Factors
7.1.1 Projected Cost Savings
This factor focuses on the projected level of dollar savings in forecasted contract costs (from significant to minimal/none) achieved through an implementation or migration of some or all components of a system or service to public cloud services.
Cost savings (in dollars) compare the current forecasted costs over the next 5 years to the expected 5-year costs to deliver comparable services that include public cloud services.
Cost savings (C) = C(A) - [C(A') + C(B)], where C(A) is the cost to deliver the current service, C(A') is the residual cost to deliver the remaining service without the service that has been deployed in the public cloud, and C(B) is the cost of the new public cloud service.

| Rating Level | Description | Points |
|---|---|---|
| Significant | The level of dollar savings from the use of public cloud services is equal to or greater than $500K annually. | 4 |
| Moderate | The level of dollar savings from the use of public cloud services is equal to or greater than $100K annually. | 2 |
| Minimal/None | The level of dollar savings from the use of public cloud services is less than $100K annually. | 1 |
7.1.2 Implementation Timing and LOE
This factor focuses on the level of effort (LOE) and timeframes (from minimal to extensive) associated with an implementation or migration of the solution or service to public cloud services.

| Rating Level | Description | Points |
|---|---|---|
| Minimal | The solution or service can be implemented or migrated to public cloud services in less than 4 weeks with fewer than 200 person-hours. | 2 |
| Medium | The solution or service can be implemented or migrated to public cloud services in less than 12 weeks with fewer than 600 person-hours. | 1 |
| Extensive | The solution or service implementation or migration to public cloud services will require more than 12 weeks and/or more than 600 person-hours. | 0 |

7.1.3 Confidence of Resource Commitment
This factor focuses on the level of confidence (from high to low/none) in the projected total cost of ownership and cost savings/cost avoidance through an implementation or migration of some or all components of a system or service to public cloud services.

| Rating Level | Description | Points |
|---|---|---|
| High | Five-year total cost of ownership and cost savings analysis results are available, with IT governance board and CIO commitment to support the implementation of the proposed service. | 2 |
| Moderate | Five-year total cost of ownership and cost savings analysis results are available, but without IT governance board and CIO commitment to support the implementation of the proposed service. | 1 |
| Low/None | No total cost of ownership and cost savings analysis results are available. | 0 |
7.2 Benefits Related Factors
7.2.1 Benefit Scope/Impact
This factor focuses on the scope and level of impact (from high to low) of enhancing performance of agency functions by adopting cloud services.

| Rating Level | Description | Points |
|---|---|---|
| High | One of the following applies: enhance performance of Primary Mission Essential Functions (PMEF) or Mission Essential Functions (MEF); or enhance performance of cross-cutting corporate support functions that are time critical (functional activities must be completed within three business days). | 3 |
| Moderate | One of the following applies: enhance performance of mission functions other than Primary Mission Essential Functions (PMEF) and Mission Essential Functions (MEF); or enhance performance of cross-cutting corporate support functions that are not time critical. | 2 |
| Low | Enhance performance of non-cross-cutting corporate support functions, or no performance enhancement expected. | 0 |
7.2.2 Added End-User Benefits

This factor focuses on the extent to which additional end-user oriented benefits are received (direct, indirect, or minimal/none) through migration to or use of one or more public cloud services, including additional capabilities, consolidation of capabilities currently delivered by multiple services, performance enhancements, improved availability, and/or additional capacity/storage.

| Rating Level | Description | Points |
|---|---|---|
| Direct | End users will receive direct benefits from the use of public cloud services, such as additional capabilities and/or additional capacity/storage. | 3 |
| Indirect | End users may receive some indirect benefits from the use of public cloud services, such as increased availability or system/service performance. | 2 |
| Minimal/None | Minimal or no discernible user benefits are received through the use of public cloud services over on-premises services. | 0 |

7.2.3 IT Operational/Delivery Benefits

This factor focuses on the extent (from material to none) to which additional systems operations-oriented benefits are received through migration to or use of one or more public cloud services, including integrated upgrade paths; operational/configuration flexibility; and/or additional operational features such as notifications, automatic provisioning, or rules-based administration.

| Rating Level | Description | Points |
|---|---|---|
| Material | The use of public cloud services provides material operational benefits to the organization that reduce operational risk or increase operational productivity. | 2 |
| Minimal | The use of public cloud services provides some operational benefits to the organization, but such benefits represent only a small, hard-to-quantify level of value to the organization. | 1 |
| None | No discernible operational/delivery benefits are received through the use of public cloud services over on-premises services. | 0 |
7.3 Solution/Architecture Factors

7.3.1 Cloud Leverage

Cloud leverage is the extent (from high to low) to which the service or solution can readily use or transition into different levels of the public cloud stack: SaaS is the highest level, followed by PaaS, followed by IaaS.

This factor is based on the following criteria. For legacy and new solutions, the cloud service models will be considered in the order specified below:

- 1. SaaS - if the solution requirements can be satisfied by a SaaS service, including where descoping is acceptable to accommodate potential service offerings
- 2. PaaS - if the solution implements a standardized and cloud-service-provider-supportable technology that takes full advantage of the no-code features of the platform offerings
- 3. IaaS - only by exception, when no PaaS solutions are available and IaaS offers value to the agency

| Rating Level | Description | Points |
|---|---|---|
| High | The solution can readily use or transition into a SaaS offering. | 2 |
| Medium | The solution can readily use or transition into one or more PaaS offerings. | 1 |
| Low | The solution can readily use or transition into an IaaS environment. | 0 |

7.3.2 Implementation Readiness

Implementation readiness (from high to low) takes into consideration the following criteria:

- needed knowledge and skills are readily available to support an implementation or migration
- such an effort supports/aligns with existing planned changes to the solution
- the solution uses mainstream technologies currently supported by cloud service providers
- no code change/refactoring is required (configuration change is acceptable)
- a contract vehicle is available to acquire the service
- other Federal Government agencies have implemented the service, so that NRC can leverage or learn from their experience
Count the number of criteria met and use the following table to determine the rating level and associated points score for this factor.

| Rating Level | Description | Points |
|---|---|---|
| High | Meets more than 4 criteria | 2 |
| Medium | Meets 2 to 4 criteria | 1 |
| Low | Meets fewer than 2 criteria | 0 |
7.3.3 Solution/Architecture Complexity

This factor focuses on the level of complexity of the target solution (from simple to complex) and takes into consideration the following criteria:

- the target solution uses the out-of-the-box capabilities offered by the cloud service provider with minimal or no customization (only configuration modifications)
- the target PaaS/IaaS solution is running on the latest versions of agency-approved technology platforms (does not apply to SaaS solutions)
- the target PaaS/IaaS solution implements software that is compatible with the cloud service provider's supported technologies (does not apply to SaaS solutions)
- the target solution relies on server, storage, or network infrastructure that has already been implemented
- the target solution has no, or only loosely coupled, interfaces with other NRC systems or services

Count the number of criteria met and use the following table to determine the rating level and associated points score for this factor.

| Rating Level | Description | Points |
|---|---|---|
| Simple | Meets all 5 criteria | 2 |
| Moderate | Meets 2 to 4 criteria | 1 |
| Complex | Meets fewer than 2 criteria | 0 |
7.3.4 Availability

This factor focuses on the level (from high to low) of demand for system/service availability to support continuous operation of agency functions.

| Rating Level | Description | Points |
|---|---|---|
| High | The system or service is currently, or is expected to be, rated High from a criticality perspective for disaster recovery/fail-over, requiring a minimum of 99.99% service availability. | 2 |
| Moderate | The system or service is currently, or is expected to be, rated Moderate from a criticality perspective for disaster recovery/fail-over, requiring a minimum of 99.9% service availability. | 1 |
| Low | The system or service is currently, or is expected to be, rated Low from a criticality perspective for disaster recovery/fail-over, requiring less than 99.9% service availability. | 0 |
8 Appendix C - Cloud Service Portfolio

The following table lists the NRC systems and major applications that are cloud services.

Table 4: List of NRC Systems/Applications that are Cloud Services

| System / Application Abbreviation | System / Application Name | Cloud Service / Provider | Cloud Model |
|---|---|---|---|
| CMMS | Computerized Management Maintenance Service | Corrigo | SaaS |
| ENS | Emergency Notification System | Verizon | SaaS |
| eOPF | Electronic Official Personnel Folder | OPM | SaaS |
| E-Travel | Electronic Travel (GSA) | ETS2 (GSA/Concur) | SaaS |
| FAIMIS | Financial Accounting and Integrated Management Information System | CGI | IaaS |
| GRB Assist | Government Retirement and Benefits Assist | GRB | SaaS |
| GovDelivery | Email Subscriptions Service | GovDelivery | SaaS |
| iComplaints | iComplaints | MicroPact | SaaS |
| ITI-Email | Information Technology Infrastructure Email System | Office 365 (Microsoft) | SaaS |
| ITI-Public Website | Information Technology Infrastructure Public Web Site Content Delivery Services | Akamai | PaaS |
| LMS | Learning Management System | Plateau | SaaS |
| MaaS360 | MaaS360 | MaaS 360 (IBM) | SaaS |
| Monster | Hiring Management Services | Monster Government Solutions | SaaS |
| NRCAREERS | NRC Careers System | OPM | SaaS |
| OPSM | Official Presence Social Media | Facebook, Flickr, GovDelivery, Twitter, WordPress, YouTube | SaaS |
| Veracode | Veracode | Veracode | SaaS |
| VMS | Virtual Meeting Services (GoToMeeting) | GoToMeeting (Citrix) | SaaS |
9 Appendix D - Cloud Service Adoption Portfolio

The following table lists the NRC systems and major applications, active or in development, that are candidates for cloud adoption or a move to a different cloud-based solution.

Cloud brokerage services will be utilized to help with iterative migration of sets of systems/applications from the backlog to the cloud. After each iteration, lessons learned will help determine the prioritization and timing of the next set of systems/applications.

Table 5: Cloud Service Adoption Portfolio Listing

| System / Application Abbreviation | System / Application Name | Recommended Target Cloud Services |
|---|---|---|
| ACCESS-PCI | ACCESS-PIV Credential Issuance | PaaS |
| ADAMS | Agencywide Documents Access and Management System | SaaS if requirements allow, otherwise PaaS |
| AMS | Allegation Management System | Plan for modernization w/ PaaS |
| BFS | Budget Formulation System | SaaS |
| CHC | Criminal History Check System | PaaS |
| CMS | Case Management System (CMS) OI | Plan for modernization w/ PaaS |
| CRIS | Centralized Reporting Information System | PaaS |
| CSO IRDB | CSO Incident Response Data Base | PaaS |
| EATS | Enforcement Action Tracking System | Plan for modernization w/ PaaS |
| EDO STAR | EDO System for Tracking and Reporting | SaaS if requirements allow, otherwise PaaS |
| EIE | Electronic Information Exchange System | IaaS, PaaS when modernized |
| EMS | Ethics Management System | SaaS |
| EPM | Enterprise Project Management | Plan for modernization w/ PaaS |
| EPM - CIPMS | Construction Inspection Program Information Management System | Plan for modernization w/ PaaS |
| EPM - eRAI | Electronic Request for Information | Plan for modernization w/ PaaS |
| EPM - iTravel | International Travel | IaaS, PaaS when modernized |
| EPM - VOICES | Verification of ITAAC Closure, Evaluation, and Status | Plan for modernization w/ PaaS |
| ERDS | Emergency Response Data System | PaaS |
| ESPA | Enterprise Staffing Plan Application | SaaS |
| FAIMIS | Financial Accounting and Integrated Management Information System | Move from IaaS to SaaS |
| FedPass | Federal Planning and Architecture Support System | IaaS |
| FUNDS | Funds Control Database | IaaS |
| GI Dashboard | Generic Issues Dashboard | IaaS, PaaS when modernized |
| GLTS | General License Tracking System | Plan for modernization w/ PaaS |
| HFIS | Human Factor Information System | Plan for modernization w/ PaaS |
| HPCS - CDS/CFD | High Performance Computing System | PaaS if requirements allow, otherwise IaaS |
| HRBES | HR Budget Execution System | IaaS |
| HRProperty | HR Property Management System | SaaS |
| ICAM | Identity, Credential, and Access Management | PaaS |
| ILS | Voyager Integrated Library System | SaaS |
| IRGS | Integrated Record Governance System (ATLAS) | IaaS |
| ISMP | Integrated Source Management Portfolio | PaaS |
| ITI - Messaging | Skype for Business | SaaS |
| ITI - Network Storage | Information Technology Infrastructure Secured Network Storage | SaaS |
| ITI - Project Servers | MS Project Servers | SaaS |
| ITI (Seat) | Desktop Productivity Applications | SaaS |
| LVS | License Verification System - part of Integrated Source Management Portfolio (ISMP) | PaaS |
| MDMS | Master Data Management Services | PaaS |
| NBGS | NRC Business Gateway System | PaaS |
| NEAT | NRC Enterprise Acquisition Toolset | PaaS |
| NKC | NRC Knowledge Center | SaaS |
| NSICD | NRC System Information Control Database | IaaS |
| NSTS | National Source Tracking System - part of Integrated Source Management Portfolio (ISMP) | PaaS |
| OCFO STAR | OCFO System for Tracking and Reporting | SaaS if requirements allow, otherwise PaaS |
| OCIO STAR | System of Tracking and Reporting - OCIO | SaaS if requirements allow, otherwise PaaS |
| OGC-CMS | Labor and Employment Matters Legal Case Management System | SaaS |
| OGC-IR | OGC Information Repository | IaaS |
| OIGMIS | Office of the Inspector General Management Information System | IaaS |
| PAN | Pandemic Application | IaaS |
| PEM | Portfolio Enrollment Module - part of Integrated Source Management Portfolio (ISMP) | PaaS |
| PITA | Plant Information Tracking Application | IaaS |
| PMES | Postal Machine Equipment System | SaaS |
| PMFS | Public Meeting Feedback System | PaaS |
| PMM 2.0 | PMM 2.0 | PaaS |
| PMNS | Public Meeting Notice System | PaaS |
| PSATS | Personnel Security Adjudication Tracking System | IaaS |
| PWS | Protected Web Server | SaaS |
| RATS | Recruitment Activity Tracking System | IaaS |
| RCA | Record Classification Actions System | SaaS |
| RICS | Regulatory Information Conference System | SaaS |
| RITS-NMSS | Regulatory Information Tracking System - NMSS | IaaS |
| ROE | Reactor Operating Events | PaaS |
| RRPS | Replacement - Reactor Program System | PaaS |
| SARDB | Simulator Action Request DB | IaaS |
| SFST TSCAP | Transportation and Storage Computational Analysis Platform System | IaaS |
| SharePoint | SharePoint | SaaS |
| SPELLS | Sharepoint Process EDO Lessons Learned System | SaaS |
| SPMS | Space Property Management System | SaaS |
| SRS | Administrative Services Request System | PaaS |
| STAQS | Strategic Acquisition System | PaaS |
| STARS | SECY Tracking Reporting System | SaaS if requirements allow, otherwise PaaS |
| SWP | Strategic Workforce Planning | SaaS |
| TACS | Technical Assignment Control System | PaaS |
| TLM (HRMS) | Time and Labor Modernization | SaaS if requirements allow, otherwise PaaS |
| TTCTravel | Travel Request Generator System | IaaS |
| TTS | Ticket Tracking System (FSME) | SaaS if requirements allow, otherwise PaaS |
| UCaaS | Unified Communications as a Service (Voice, VTC and Skype integration) | SaaS |
| WBL | Web Based Licensing - part of Integrated Source Management Portfolio (ISMP) | PaaS |
| WebACTS | Web Advisory Committees Tracking System | PaaS |
| WESTKM | West KM | IaaS |
| WITS-OGC | OGC Work Item Tracking System | SaaS if requirements allow, otherwise PaaS |
10 Appendix E - Glossary

Broad network access. One of the five essential characteristics of cloud computing. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations). (Source: NIST Special Publication 800-145, page 2)

Closed data center. The OMB definition of closed data centers refers exclusively to data centers that: a) no longer consume power for physical servers; or b) no longer house physical servers (whether in a production, test, stage, development, or any other environment), excluding print servers. (Source: OMB memorandum M-16-19, page 9)

Cloud broker. See the definition in Appendix A.

Cloud computing. See the definition in Appendix A.

Cloud infrastructure. A cloud infrastructure is the collection of hardware and software that enables the five essential characteristics of cloud computing. The cloud infrastructure can be viewed as containing both a physical layer and an abstraction layer. The physical layer consists of the hardware resources that are necessary to support the cloud services being provided, and typically includes server, storage and network components. The abstraction layer consists of the software deployed across the physical layer, which manifests the essential cloud characteristics. Conceptually, the abstraction layer sits above the physical layer. (Source: NIST Special Publication 800-145, page 2)

Commodity IT. As described in OMB Memorandum M-11-29, examples of commodity IT shared services opportunities include:

- IT infrastructure (e.g., data centers, networks, workstations, laptops, software applications, and mobile devices); and
- Enterprise IT services (e.g., e-Mail, web infrastructure, collaboration tools, security, identity and access management).

Commodity IT is asset-oriented, while enterprise IT services may, at times, be more utility-oriented (defined as purchasing by usage rate). (Source: Federal Shared Services Implementation Guide)

Community cloud. One of the four cloud computing deployment models. See the definition in Appendix A.

Data center. For the purposes of OMB memorandum M-16-19, Data Center Optimization Initiative (DCOI), rooms with at least one server, providing services (whether in a production, test, staging, development, or any other environment), are considered data centers. However, rooms containing only print servers, routing equipment, switches, security devices (such as firewalls), or other telecommunications components shall not be considered data centers. (Source: OMB memorandum M-16-19, page 4)
DevOps. DevOps represents a change in IT culture, focusing on rapid IT service delivery through the adoption of agile, lean practices in the context of a system-oriented approach. DevOps emphasizes people (and culture), and seeks to improve collaboration between operations and development teams. DevOps implementations utilize technology, especially automation tools that can leverage an increasingly programmable and dynamic infrastructure from a life cycle perspective. (Source: Gartner, Inc., http://www.gartner.com/it-glossary/devops/)

Hybrid cloud. One of the four cloud computing deployment models. See the definition in Appendix A.

Information system. An NRC information system is a set of associated hardware devices, software applications, and/or third-party provided services that collects, stores, processes, and/or provides electronic information to support one or more business functions. Each system or group of systems is granted the Authority to Operate under the Federal Information Security Modernization Act (FISMA).

Information technology (IT) application. An IT application is a component of a system that the end users interact with to provide, process, and acquire information to and from an IT system.

Information technology / information management (IT/IM) service. An IT/IM service is a means to deliver IT and information-related end products that are of value to customers in meeting their needs. For example, an end product can be an IT application, an IT strategic/tactical recommendation, business data, or a report.

Infrastructure as a Service (IaaS). One of three cloud computing service models. See Cloud Infrastructure as a Service.

Measured service. One of the five essential characteristics of cloud computing. See the definition in Appendix A.

Mission Services. These are the core purpose and functional capabilities of the Federal Government, such as disaster response, food safety, national defense and employment services. Some Mission Services may have a single Federal organization focused on providing that service, while other mission services have multiple Federal organizations providing parts of a service. This may be due to statute, budget or other unique capabilities an agency may have developed. (Source: Federal Shared Services Implementation Guide)

On-demand self-service. One of the five essential characteristics of cloud computing. See the definition in Appendix A.

Platform as a Service (PaaS). One of three cloud computing service models. See the definition in Appendix A.

Private cloud. One of the four cloud computing deployment models. See the definition in Appendix A.

Public cloud. One of the four cloud computing deployment models. See the definition in Appendix A.

Rapid elasticity. One of the five essential characteristics of cloud computing. See the definition in Appendix A.

Resource pooling. One of the five essential characteristics of cloud computing. See the definition in Appendix A.

Shared Service. An IT shared service is defined as an information technology function that is provided for consumption by multiple organizations within or between Federal Agencies. There are three general categories of IT shared services: commodity, support, and mission; these are delivered through cloud-based or legacy infrastructures. Federal Agencies establish and deliver intra-agency IT shared services, which are often overseen by the agency's CIO. Inter-agency IT shared services are called Lines of Business (LOBs) and are operated by a Managing Partner within a Federal Agency, after approval by OMB. (Source: Federal Information Technology Shared Services Strategy)

Support Services. These services are defined by the capabilities that support common business functions performed by nearly all Federal organizations. These include functional areas such as budgeting, financial, human resources, asset, and property and acquisition management. (Source: Federal Shared Services Implementation Guide)