Cloud Smart: Legacy Systems a Key Challenge

First, the good news:

The 2019 Federal Cloud Computing Strategy — Cloud Smart — is a long-term, high-level strategy to drive cloud adoption in Federal agencies and updates the previous Cloud First initiative:

Beyond Cloud First, which granted agencies broad authority to adopt cloud-based solutions, Cloud Smart offers practical implementation guidance for Government missions to fully actualize the promise and potential of cloud-based technologies while ensuring thoughtful execution that incorporates practical realities.

Against this framework, the Federal Risk and Authorization Management Program (FedRAMP) provides a standardized government-wide approach to security assessment, authorization, and continuous monitoring of cloud services.

And now… well let’s adopt a glass half-full mentality and just say the “challenging” news:

Like their counterparts in the private sector, as agencies seek to modernize in the cloud they inevitably drag a long-tail of legacy systems and processes behind them, kind of like the chains Jacob Marley drags along behind him in A Christmas Carol. And as agencies think about meeting the requirements of M-19-21, they must think beyond simply checking off a series of compliance boxes; they must consciously create bridges between their legacy systems and the cloud systems to which they aspire if they hope to break the chains that tie them to the past.

Of course, breaking these chains is a task easier said than done. For the foreseeable future, even the most forward looking cloud/cloud smart strategy will have a high degree of “hybridness” that must be addressed — both in terms of cloud vs. on-premise and digital vs. paper.

As I’ve written before, the elephant in the room when it comes to M-19-21 modernization is the long tail of legacy technologies. Per the AIIM CIP Study Guide, here are some of the annoying questions organizations need to ask about each information system as they modernize:

  • How old is the system and where is it in its life cycle? That is, is the system a current version and/or still supported by the vendor?
  • Is it customized or integrated with any other systems?
  • Where is it physically located? This is often a significant issue for multinational organizations, and governmental entities, because of privacy and data protection concerns.
  • Who owns the system (and therefore the data on it)? IT is a custodian, but ultimately the business is the steward and owner of the information on those systems.
  • How will you find out where rogue or shadow IT systems, likely unsupported by IT, are being used? Common examples include file sharing systems, personal email and communications applications.
  • How will you find where one-off tools — like Access databases, Lotus Notes applications, authoring tools, business-deployed SaaS applications, and single-seat applications — are being used?

These are some of the issues that will be addressed at the Federal Computer Week seminar on Electronic Records Readiness: A Practical Path to M-19-21 Compliance on March 25 at the Hamilton in DC.

I’ll be speaking; I hope to see you there. You can register HERE.

#NARACompliance #M-19-21