Multicloud, DevSecOps, AI Pose Challenges for Federal Government

The federal government faces a number of challenges implementing multicloud strategies, DevSecOps, and AI, a new survey finds.

Nathan Eddy

February 21, 2023


The federal government is facing multiple issues as it adopts multicloud strategies and implements DevSecOps and artificial intelligence (AI), according to a survey sponsored by Science Applications International Corp. (SAIC).

The survey of IT and business influencers and decision-makers in the federal government, conducted by Market Connections, found that when consuming services from one or multiple clouds, insufficient budgeting and forecasting are considerable cost challenges. Nearly one in five (17%) cite incorrect billing as a financial concern.

While nearly all federal government employees use at least one cloud, 70% use two or more, with Microsoft Azure, Amazon Web Services (AWS), and Google Cloud the three most widely used cloud service providers (CSPs).

More than half (54%) of survey respondents said integration is the most difficult component of deploying a DevSecOps solution, while policy and governance is the top barrier to implementing AI.

"Government agencies need to be more prescriptive in areas where there is an overpopulation of choice," explained Bob Ritchie, chief technology officer at SAIC. "By making a choice, getting behind that choice, and pressing forward, agencies can see positive outcomes."

The cloud business model is a pivot from capital expenditure (CapEx) to operational expenditure (OpEx), which is a significant culture shift for many in the federal budget and forecast space, he said.

In the past, if you needed to provide a service, you could build a more discrete bill of materials of what would be needed as a "worst case" (read: overprovisioned 99% of the time).

"With cloud, you have to have a lot more insight into the operating model in terms of traffic or use your service will experience to accurately forecast, lest you fall into the trap of treating cloud like someone else's data center and procuring infrastructure as if a legacy CapEx," he noted.

In addition, the uncertainty around system modernization and migration, as well as around the post-modernization/migration ROI business case, presents unacceptable budget risk when agencies must both operate the as-is legacy infrastructure and systems and finance the modernized cloud environment.

"In some cases, for example, we have been able to eliminate third-party software license costs that completely offset the cost to modernize within 12 months of migrating to cloud, thus paying for itself in one year," he said.

However, forecasting for that type of result on a multiyear congressional budget is difficult and requires rigorous portfolio rationalization and analysis.

Access to DevSecOps, AI Talent a Continued Challenge

Government agencies need to rationalize the number of choices to find an optimal balance, Ritchie said, noting that access to cloud, DevSecOps, and AI talent continues to be a challenge that government agencies must overcome.

CSPs and government agencies, he said, are working well together on some of the large multi-CSP vehicles such as C2E and JWCC to establish more streamlined and predictable cost projections, along with a commitment scheme that fits within the parameters of the Federal Acquisition Regulation (FAR).

In addition, CSPs are focused on establishing a marketplace of secure, reusable mission accelerators and programs to help offset the cost of running dual-ops.

"This is operating the old while modernizing and migrating to the new," Ritchie said. "CSPs will thrive by continuing to collaborate with integrators across the industry to operationalize the acceleration packages and tools."

Ritchie added that the marketplace across clouds could expand beyond software as a service (SaaS) and get to a point where government agencies will be able to select from what are effectively Provisional Authority to Operate (P-ATO) architectures.

"We could see large contracts like C2E and JWCC account for 80% of use cases," he said. "It will also allow more tailored and curated options at the agency, division, and program levels to provide choice and customizations as needed."

A Growing Selection of CSPs

Ultimately, agencies will have a greater selection of cloud architectures to choose from, much like the range of choices for productivity and other IT tooling.

The other major component over the next 18 to 24 months is addressing the storage, security, access, and interoperability of data across CSPs.

"A curated data fabric enabled by multi-CSP is the necessary next step toward finding the right tool for the job, to ensure missions aren't locked into a CSP's system," Ritchie said.

Ritchie noted that the most surprising findings from the survey were around the slow success/adoption rate of DevSecOps across organizations.

"There are certainly pockets of exceptional adoption, and this reflects a similar pattern in the private and commercial sectors," he explained.

However, the commercial sector has seen a significant increase in the "moderate to good" range according to the Department of Regulatory Agencies (DORA), Ritchie said, and he was surprised not to see the same movement in the federal government.

About the Author(s)

Nathan Eddy

Nathan Eddy is a freelance writer for ITProToday and covers various IT trends and topics across a wide variety of industries. A graduate of Northwestern University’s Medill School of Journalism, he is also a documentary filmmaker specializing in architecture and urban planning. He currently lives in Berlin, Germany.
