Now that the Senate has passed a version of the Modernizing Government Technology Act, federal agencies are one step closer to being able to update aging systems and networks. Even when funding is approved and available, however, federal CIOs will still be grappling with issues that exist today: the continuing evolution and disruption of emerging technologies like cloud and virtualization, IT as-a-service, and the internet of things, along with the growing cybersecurity concerns.

Currently, many federal CIOs have a hybrid cloud environment, where some solutions or applications run in local data centers while others are provided as services. Even basic hardware, storage and operating systems could be outsourced to Infrastructure-as-a-Service (IaaS) providers or Platform-as-a-Service (PaaS) providers. Software that is now hosted internally could convert to a Software-as-a-Service (SaaS) model.

When you consider the solutions holistically, these shifts mean that CIOs will be left with a diverse collection of legacy IT systems, SaaS or as-a-service offerings, cloud vendors and other solutions.

The distribution of services and solutions creates a number of challenges:

1. Legacy IT. No matter how capable cloud and as-a-service providers become, it’s likely that some IT will remain within a traditional data center, either because it is too sensitive, too specialized or too antiquated to move to the cloud. Thus, the CIO will retain a portion of his or her IT capability in a traditional, local data center. As other systems move to the cloud or become as-a- service, retaining the staff to manage and maintain local or legacy applications will become a challenge.

2. Vendor diversity. The CIO will work with a diverse collection of cloud and service vendors, from very responsive and agile commercial service providers to vendors who build private clouds to military service providers that may focus more on mission, security and standardization than customer service. Management of these diverse vendors will be complex, because:

  • These vendors and solutions won’t have common service level agreements, will have different interactions and channels for discussion and feedback, and different contracting and payment methods;
  • Most will be specialists in one aspect of the overall IT stack (IaaS for example), leading the CIO and his or her team to become a general contractor and to grow skills or rely on contractors or experts to ensure integration and to create new strategy.

3. As-a-service Metrics. Since the applications and solutions are relatively new and somewhat unproven, the CIO and his or her team will need to define new measurements and metrics for evaluating the various providers and their services.

4. Vendor Cybersecurity. While each as-a-service and cloud provider will provide some level of cybersecurity for their own applications and data, the CIO is still responsible for the aggregate cybersecurity for all the data and systems under their control. This means they need to understand and vet the cybersecurity of each cloud or service provider as well as identify gaps and needs in the entire solution.

5. Vendor Accountability. As service providers increase and operate in different models, responsibility becomes more diffused. It will be easier for solution providers, cloud providers and legacy IT staff to blame each other when system issues arise. The diffusion increases the chance that the CIO loses one central point of responsibility for his or her systems.

6. IT Workforce Skills. CIOs face difficulty finding and staffing the right mix of skills, as some local, legacy applications grow older and fewer IT professionals have or want those skills, and new cloud/as a service solutions become highly technical and virtualized.

7. Shifting CIO Role. How does the CIO manage the human and cultural change associated with moving away from tight control and visibility of the IT infrastructure to managing a set of service providers? He or she will face the same amount of responsibility for the systems with less ownership, less visibility, less control and more formulaic and structured changes.

8. Avoiding vendor lock-in. Will new solution vendors keep pace with the rapid changes in technology? Does making a selection for an IaaS/PaaS/SaaS model create “lock-in” as technology advances?

9. Managing and protecting data. As the number of cloud or as-a-service vendors proliferate, mission critical data will be distributed across a wide range of legacy systems and cloud providers. The CIO remains responsible for managing and protecting the data, as well as ensuring the data is migrated successfully and deleted if or when the agency moves between vendors. Removing and proving that the data is removed from multiple cloud or as-a-service providers will be exceptionally difficult.

In the past, technology shifted, but relatively slowly and along somewhat predictable lines. With the advent of cloud and as-a-service solutions, old models are changing quickly, and the impacts aren’t quite clear. What remains true is that the CIO must support the mission and must protect the data and systems, while working vigorously to adapt the IT infrastructure to meet customers’ needs within their budgets. This means that CIOs must create a more agile, nimble IT infrastructure and workforce. Rather than providing simply products or solutions, it’s clear that the best IT partners should help their customers think through these changes and options – providing strategic consulting and advice on enterprise architecture, helping their customers find the best possible solutions from a very wide range of possibilities.