The General Services Administration’s 18F office, established to help federal agencies better use technology to serve the public, rolled out cloud.gov in late 2015. The open-source Platform as a Service now has 32 customer systems at 14 agencies, some of which run their primary website on cloud.gov.
Director Shashank Khandelwal, who has been with 18F since 2014, took on the top cloud.gov job in early 2017. FedTech asked Khandelwal about cloud.gov’s role in providing modern, seamless technological services to federal agencies.
FEDTECH: What does cloud.gov provide that a commercial Platform as a Service does not?
KHANDELWAL: The advantage of cloud.gov being operated by the government is that it streamlines the process to adopt compliant PaaS. As part of the shared service, we manage the vendor-dependent pieces. Cloud.gov sets precedent and raises the bar for excellence in federal technology teams. Cloud.gov is part of modernizing the federal government. Cloud.gov also combines an easy application environment with built-in federal security standards. Using raw Infrastructure as a Service requires a huge amount of expertise to run correctly. Cloud.gov simplifies this, providing a faster path for agencies to migrate applications to the cloud. Cloud.gov can be accessed by agencies through the interagency agreement with GSA. This process takes four to six weeks.
FEDTECH: What was the inspiration for the project?
KHANDELWAL: Through 18F’s work with agency partners to build solutions for their constituents, we saw a deep need for modern infrastructure that would reduce time to delivery, especially the paperwork burden, while staying in compliance. One of the big advantages of a governmentwide shared service is that cloud.gov can aggregate demand from agencies to take advantage of volume pricing on infrastructure services and reduce costs. We offer further savings to the American taxpayer by eliminating the need for operations, security and compliance work normally performed redundantly across agencies.
FEDTECH: What are the advantages and disadvantages of an open-source environment?
KHANDELWAL: We use a huge amount of free and open-source code built by industry, which is more than an advantage — it enables this project to exist. Using these resources produces good value because it allows our small team to operate the software and ensure its security and compliance, with a relatively small amount of custom software development to meet government- specific needs.
When we use open-source software packages, we don’t need to go through a lengthy procurement process — because they’re free — and we’re not locked into a long-term contract that may not serve our needs. We also have full access to the source to customize and improve it.
FEDTECH: What security advantage does cloud.gov give its customers? What security issues do open-source platforms face?
KHANDELWAL: The team leverages its private sector expertise, government expertise and industry-standard technologies to make cloud.gov secure, while also meeting and exceeding government requirements for security compliance.
Cloud.gov is compliant with the Federal Risk and Authorization Management Program, which ensures it meets National Institute of Standards and Technology Special Publication 800-53 controls and is continuously monitored to keep up with ever-evolving technology. Ultimately, this means that each customer agency benefits from this up-to-date platform without having to do the work themselves.
There’s no inherent insecurity to using or publishing open-source code. Best practices for security for closed-source projects also ensure security for open-source projects, including careful review of external dependencies, good code practices that properly separate and protect secrets, such as passwords, apart from the actual codebase, and regular training for the team on our security policies and procedures.
FEDTECH: How do you practically demonstrate the cost and flexibility benefits of cloud services to agency employees who are used to the idea of physical servers?
KHANDELWAL: We allow every federal government employee to sign up for a limited sandbox cloud.gov account. This allows agency employees who are curious about the cloud to try it out for themselves. Our quick-start page, cloud.gov/quickstart, provides training videos with sample applications that agency employees can deploy to cloud.gov. It takes just a small amount of time to get something up and running in cloud.gov, which is a demonstration of how easy it is if you don’t have to set up and manage the infrastructure.
We also can show them how easily they can scale up and down with cloud .gov — it’s a one-line command. There are examples we use to demonstrate the need for flexibility: For example, traffic to a website will be high if the president mentions it, and will taper off quickly. College Scorecard may receive more traffic than usual during the few weeks when many high school students receive their acceptance letters. Paycheck processing happens every couple weeks, and not in the time in between. With a data center, you’d need to maintain infrastructure to handle the peaks, and it wouldn’t be utilized at other times. With the cloud, you can spin up and down as necessary, on demand.