When Congress passed the fiscal 2012 National Defense Authorization Act (NDAA) last week, it may have done more for cloud computing than any other organization to date.
Now that his objections have been addressed, President Obama is expected to sign the final version of the NDAA (HR1540) into law. The majority of news coverage of the act has focused on controversial provisions for the indefinite detention of US citizens who are suspected of terrorism, but the cloud computing industry and IT departments should focus on “Section 2867: Data Servers and Centers.”
Section 2867 requires the Department of Defense CIO to develop a performance plan by April 2 for reducing the resources required for servers and datacenters. Specifically, the CIO must develop a plan to reduce:
- Square footage of datacenter floor space
- Power and cooling utility costs
- Capital infrastructure costs per megawatt of data storage
- The number of commercial and DoD-developed applications
- The number of full-time equivalent staff
The NDAA also requires the plan to include specific strategies for:
- Desktop, laptop, and mobile device virtualization
- Transitioning to cloud computing
- Migrating data and services from DoD datacenters to private-sector cloud services
- Utilizing private-sector managed security services
- Reporting datacenter metrics on cost, capacity, and energy efficiency
- Transitioning DoD-owned datacenters to just-in-time modular technology
The decision by Congress to legislate on something as specific as cloud computing for the Department of Defense should not be a big surprise. Congress has been using the department's budget for very prescriptive spending for many years. Until now, such spending focused mainly on weapon systems and military bases that produce civilian contractor jobs in congressional districts.
The implications of Congress having a specific interest in cloud computing will certainly be significant. Executing a focused strategy to use cloud computing and consolidate the DoD infrastructure will pour billions of dollars into the cloud services market. Massive defense spending on cloud services should lead to more innovation and more mature cloud offerings -- to the benefit of all consumers of such services. The DoD spending should also lead to better unit costs for service providers, which in turn should offer better pricing for the rest of the market.
To compete for DoD contracts, cloud vendors will have to devote resources to qualifying as defense contractors and making their services compliant with the Federal Information Security Management Act. Companies like Amazon Web Services, which received FISMA certification in September, will have an early advantage over other vendors. Overall, having more FISMA-compliant cloud services would be a positive for the cloud market and would go a long way in addressing fears about cloud security.
However, the Department of Defense will expand the cyberattack surface of every cloud service provider it uses. This in turn will mean additional risk for the vendors' commercial customers, which will need to account for it in their risk management plans.
Though the DoD already has plenty of data security issues from self-hosted systems, a security breach from a cloud-based service could be a major industry setback. Fortunately, the NDAA includes a significant set of provisions to improve cybersecurity.
For now, we can only speculate on what the DoD CIO will propose in the performance plan and the effect it will have more broadly on cloud computing innovation and adoption. The plan could become a blueprint that other federal agencies, states, and large enterprises could follow when converting to cloud services.
But given how specific Congress was in the NDAA, the real mystery will be in the details and the timeline for executing the plan.
— Jerry Bishop is an independent IT consultant specializing in CIO services, IT strategy, and turning around underperforming IT departments.