Does this ASP have bite?

An application service provider (ASP) is in the business of offering your

organization access, for a fee, to a remotely hosted computer application.

Your users most likely would access the application using Internet protocols

and a standard Web browser. The ASP takes care of all the details — arranging

for computers to run the application, software and hardware maintenance,

and their side of the telecommunications connection.

Sounds a lot like time sharing to a guy who grew up with Control Data's

Cybernet and its competitors such as Service Bureau Co. and Infonet.

The benefits of application outsourcing are pretty clear. Agencies are

not, in general, chartered to do software development and computer center

operations. If those activities could be handled by a specialist, it's logical

that the overall cost associated with those systems could be lowered and

service improved.

But agencies will soon find that the quality of an ASP arrangement largely

depends on the fine print in the contract.

Cost is a central issue. If you don't currently measure how much it

costs to operate and maintain a computer system, you can't tell what's a

fair price to pay an ASP to run it for you.

On the business side, the ASP contract must define ownership of data

and software modifications, along with the protocol for requesting data

and the format and timeliness of delivery. Otherwise, you can wind up being

held hostage (intentionally or otherwise) in the event of a dispute or a

decision by the agency to take the systems work back in-house.

You also need technical controls, including a service level agreement

that specifies reliability and availability. For example, an uptime of 99.9

percent with a response time of two seconds or less sounds good, but those

terms need to be thoroughly defined, along with who is responsible for what.

For example, the application could be running just fine, but it doesn't

do you any good if the network is down. And it may not be immediately clear

whose network, gateway or router is down. For those kinds of situations,

it's good to designate the ASP as the prime contractor and hold them responsible

for the Internet service provider performance. The last thing you want to

do is try to negotiate multiple contracts simultaneously.

Another issue involves soft-ware maintenance. Frequently, software licenses

are written to allow access to an application for the authors and the end

user, and nobody else. Since the ASP's staff is supposed to be taking care

of the application for you, you must ensure that it has the tools to do

its job, including access to source code for modifications, if necessary.

You also need to specify some reasonable security measures, including

protections against denial-of-service attacks like those recently in the


Like seat management, ASP relationships can be a step toward turning

information processing into a utility, paid for as it's used. Done right,

taxpayers and agencies can share the rewards.

— Bragg is an independent consultant and systems architect with extensive

experience in the federal market. He welcomes your questions and topic suggestions



  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

  • Comment
    Pilot Class. The author and Barbie Flowers are first row third and second from right, respectively.

    How VA is disrupting tech delivery

    A former Digital Service specialist at the Department of Veterans Affairs explains efforts to transition government from a legacy "project" approach to a more user-centered "product" method.

  • Cloud
    cloud migration

    DHS cloud push comes with complications

    A pressing data center closure schedule and an ensuing scramble to move applications means that some Homeland Security components might need more than one hop to get to the cloud.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.