II. dECISION FRAMEWORK FOR CLOUd MIgRATION
13
★ ★
Identify sources of value
As described in Section 1, cloud computing provides three primary sources of business value: eciency,
agility, and innovation. Listed below are a number of considerations for each value category.
Agencies should feel free to stress one or more of these sources of value according to their individual
needs and mission goals. For instance, some agencies may place a higher value on agility, while others
may stress cost savings brought about by greater computing eciency.
Eciency: Eciency gains can come in many forms, including higher computer resource utilization due
to the employment of contemporary virtualization technologies, and tools that extend the reach of the
system administrator, lowering labor costs. Eciency improvements can often have a direct impact on
ongoing bottom line costs. Further, the nature of some costs will change from being capital investment
in hardware and infrastructure (CapEx) to a pay-as-you go (OpEx) model with the cloud, depending on
the cloud deployment model being used. Services that have relatively high per-user costs, have low
utilization rates, are expensive to maintain and upgrade, or are fragmented should receive a relatively
high priority for consideration.
Agility: Many cloud computing eorts support rapid automated provisioning of computing and storage
resources. In this way, cloud computing approaches put IT agility in the hands of users, and this can be
a qualitative benet. Existing services that require long lead times to upgrade or increase / decrease
capacity should receive a relatively high priority for consideration, and so should new or urgently
needed services to compress delivery timelines as much as possible. Services that are easy to upgrade,
are not sensitive to demand uctuations, or are unlikely to need upgrades in the long-term can receive
a relatively low priority.
Innovation: Agencies can compare their current services to contemporary marketplace oerings, or
look at their customer satisfaction scores, overall usage trends, and functionality to identify the need for
potential improvements through innovation. Services that would most benet from innovation should
receive a relatively high priority.
Determine cloud readiness
It is not sucient to consider only the potential value of moving to cloud services. Agencies should make
risk-based decisions which carefully consider the readiness of commercial or government providers
to fulll their Federal needs. These can be wide-ranging, but likely will include: security requirements,
service and marketplace characteristics, application readiness, government readiness, and program’s
stage in the technology lifecycle. Similar to the value estimation, agencies should be free to stress one
or more of these readiness considerations according to their individual needs.
Security Requirements: Federal Government IT programs have a wide range of security requirements.
Federal Information Security Management Act (FISMA) requirements include but are not limited to:
compliance with Federal Information Processing Standards agency specic policies; Authorization to
Operate requirements; and vulnerability and security event monitoring, logging, and reporting. It is
essential that the decision to apply a specic cloud computing model to support mission capability
considers these requirements. Agencies have the responsibility to ensure that a safe, secure cloud solu-
tion is available to provide a prospective IT service, and should carefully consider agency security needs
across a number of dimensions, including but not limited to: