President Obama introduced a cloud-first strategy in 2011, when then-U.S. CIO Vivek Kundra directed agencies to consider a cloud computing option first. President Trump is continuing the emphasis on cloud with the (draft) August 2017 “Report to the President on Federal IT Modernization.”

Despite this attention, government has been slow to move toward the cloud. In a Government Business Council survey, just 19 percent of respondents indicated that their agency “extensively uses applications developed for the cloud” or is “piloting some applications developed for the cloud.” The remaining clear majority – 81 percent – acknowledged that their agency had not yet begun a substantial move to the cloud, or were not aware of progress.

Why has the pace of movement been so slow? There are several reasons at play. Cloud adoption has been slower than expected, in part because an understanding of the benefits and advantages of the cloud aren’t always clear. Indeed, the potential short-term costs can be substantial and the migration to the cloud comes with risks and uncertainty, especially around security. Furthermore, a transition to cloud often calls for some organizational change (what to do about staffing in a data center?), and potential changes to the architecture of some software applications. Pressure to shift towards the cloud is usually a long-term topic, in which decision-makers are confronted by short-term pressures.

To balance that conflict, it is useful to consider cloud migration in the private sector, particularly the motivations and conceptual “rules of thumb” for when companies move to the cloud, and what they choose to move. Conversely, it’s also helpful to recognize when, what, and why companies do not move to the cloud. This paper summarizes these “rules of thumb” and suggests which best apply to government, with a conclusion that “cloud first” doesn’t mean cloud always.

When and why private companies use the cloud

Private companies most frequently move their IT applications, data and operations to the cloud for one (or more) of 10 motivations:

  1. Unpredictable growth is likely (e.g., Uber, and Netflix, as they launched)
  2. Demand fluctuates significantly (e.g., Amazon, Macys, Best Buy in October-January)
  3. Limited resources such as investment capital, or calendar time (e.g., LinkedIn, SnapChat) 
  4. Lack of available expertise (e.g., Zynga, Uber)
  5. Fear of security risks from in-house hosting (e.g., British American Tobacco)
  6. Desire for early access to technological innovation (many)
  7. Expectation of lower total cost of ownership: more efficient, lower price from cloud hosts (many)
  8. Desire for access to proven, economical (shared) support applications (e.g., QuickBooks for accounting, and Salesforce for customer relationship management)
  9. Requirement for highly reliable physical proximity to data needed in many geographic locations (e.g., Netflix)
  10. An emergency back-up hosting facility is needed for business continuity (e.g., most companies with headquarters in Louisiana and Florida)

When and why companies operate their own data centers

In contrast, private companies frequently operate their own data center in several other circumstances:

  • A core, base portion of IT needs are stable/unlikely to change (e.g., the Hartford Insurance Companies)
  • Extremely sensitive data (e.g., JP Morgan)
  • The organization uses an extraordinary volume of infrastructure/hosting service that is integral to their business and competitive advantage (e.g., Apple, Google, Amazon). Such companies may become vendors of cloud services, in addition to their core business.

Some of these rules of thumb apply to government

If we apply this same basic logic to government, even under a cloud-first policy, the rules of thumb don’t produce a conclusion of “cloud always.” In fact, they produce some helpful ideas about when the government may want to move to the cloud. Here are the key points as to when and where moving to the cloud makes the most sense, with some caveats:

Limited resources (capital, or calendar time) to buy/build data centers. In the current constrained budget environment, there’s little chance to obtain appropriations for a large capital expenditure to upgrade or construct a modern data center. Thus, the cloud is an ideal solution that allows government to “pay-as-you-go,” subject to a contractual ceiling, rather than paying up-front for the hardware that will be used to support government computing needs.

However, some government agencies – including some with relatively modern infrastructure and operations – have data centers with extra capacity already in place. Some existing government centers have a marginal cost that may be less than the price for equivalent infrastructure capacity available in the commercial cloud. This marginal cost analysis should be explored in conjunction with shared data center arrangements.

Lack of available expertise. Federal agencies seem at least as likely to face this challenge as are private sector companies, and perhaps more so. Given the recent hiring freeze and broader challenges with onboarding government employees, the gap in requisite talent is growing much faster in government than in the commercial sector.

An emergency back-up hosting facility is needed. This need to use the cloud is as important for government as for the private sector, if not more so. It is most important to have emergency back-up capabilities when people’s lives, health, and/or safety depends on continuity of an agency’s services.

Desire for access to proven, economical (shared) support applications. Government agencies rely upon virtual providers for an increasing array of shared service support applications – most prominently payroll processing.

Other rules of thumb from the commercial sector don’t apply to government in most cases:

  • Unpredictable growth is likely – few agencies expect breakout growth with the American population growing at a fixed rate and the overall volume of government services stable. 
  • Demand fluctuates significantly – IRS tax return processing and FEMA response to disasters are relatively rare examples of significant (seasonal) workload fluctuation in government – these may warrant use of the cloud; overall, however, few agencies experience significant fluctuations in demand such as those faced by commercial retail and tourism companies.
  • Highly reliable physical proximity to data needed in many geographic locations – few government data users need such fast data processing times that data hosts and processing capacity must be located near their many customers. Perhaps military intelligence and combat operations are an exception.

The reasons private companies retain responsibility for operating their own data centers instead of moving to the cloud can also be applied to government. Here are some cases where it may make sense to delay a move to the cloud:

A core, base portion of IT needs are stable/unlikely to change. Few federal agencies are subject to unpredictable growth or change in their IT infrastructure, such as having to carry out a dramatically increased or decreased volume of work (though perhaps such an assumption might be valid for agencies that oversee the Affordable Care Act). Thus, many agencies may reasonably plan to meet a core, base portion of their IT infrastructure needs using in-house data centers – if those data centers are modern, secure, and efficient. Many government data centers are not up-to-date and will likely require some investment in modernization in the near term.

It should be noted that few government data centers are likely to be as efficient and low cost as commercial cloud operators – after all, data center management is not a core capability of the government. Thus, a careful cost comparison is likely to be called for, since other motivations for moving to the cloud are not strongly present.

Extremely sensitive data. Several types of government agencies use extremely sensitive data. These may include, for example, law enforcement, the intelligence community, the military, and agencies that manage personally identifiable information. The government naturally should take much greater care before moving these sorts of applications to the commercial cloud. That great care is embodied in FISMA and FedRAMP.

Organization uses an extraordinary volume of infrastructure/hosting service that is integral to their business and competitive advantage. A few government agencies use intensive amounts of data (Social Security, Census Bureau, National Weather Service), or rely upon unusual infrastructure for a competitive advantage (e.g., NASA, and DOE’s National Laboratory supercomputing facilities). These agencies may find that they operate at a scale, can keep deep expertise on staff, and may not be well served by public cloud because of their unusual needs. As with the private sector, some of the agencies may find that they can share the cost of their infrastructure by acting as a cloud provider (shared service provider) themselves – presumably supporting other government agencies. (Full disclosure: The authors’ employer, REI Systems, supports GSA in its role as managing partner of the government’s Data Center Optimization Initiative.)


Our conclusion is that it is not reasonable to expect government agencies to move all IT applications, platforms, and infrastructure to the cloud – private companies don’t, and it just doesn’t make sense in all cases. However, there are a number of cost, performance, and security considerations – especially longer-term – that should be fully vetted as part of the decision-making process. Indeed, government agencies should ground their approach using the decision-making factors used by many commercial entities. Agencies may find it helpful to apply the “rules of thumb” noted in this article to determine which applications and functions are best moved to the cloud and, perhaps just as importantly, effectively frame the discussion as part of the decision-making process.

A more detailed white paper addressing this topic may be accessed at

John Druitt, senior director, leads REI Systems’ Open Government and Public Safety business, bringing the best technical solutions and advice to some of the public sector’s toughest mission problems. Since joining REI in 2013, John has supported GSA, OMB, DHS, and DoJ.

Wagish Bhartiya, senior director, has spent most of his career at the intersection of strategy, high-tech, and client service. His expertise lies in bringing new technologies to highly competitive, innovation-driven markets. Prior to joining REI in 2012 to focus on government clients, Wagish played significant roles in companies including Amazon, LivingSocial, and McKinsey & Company.

More In Opinions
How can governments prepare for bioweapon attacks?
The tools needed to test, trace and treat both natural and intentional viral outbreaks are similar. But as future bio-attacks may be coordinated with financial, cyber or kinetic actions, the need for the military to sustain robust and dedicated capabilities to counter biothreats is paramount.
Lessons learned from the pandemic in modernizing public health systems
Agency leaders from Ventura County, California, and Winnebago, Illinois, spoke about how they transformed their technology infrastructure and processes to handle COVID-19 and how they plan to replicate and scale these changes to impact service delivery beyond pandemic-related needs.
Mission Possible: Securing remote access for classified networks
The Federal government understands the significance of remote access on meeting mission objectives now and in the future. Agency leaders are looking to the private sector for technology that helps them maintain the highest security levels while meeting the ease-of-access demands of today’s worker – and can be implemented quickly.
In Other News
Load More