Is government procurement ready for the cloud?

Cloud computing can present unfamiliar territory for government acquisition officials.

Mention cloud computing to true believers and you’ll likely hear all about speed and agility. They'll tell you that agencies can simply dial IT services up or down as needed to quickly support new mission plans or workload changes. As a bonus, agencies pay only for what they use instead of bankrolling the often idle, over-provisioned computing capacity common in most data centers.

Unfortunately, there’s a rub when it comes to the cloud. Many IT procurement practices and contracting vehicles were designed to help managers provision hardware and software, not on-demand services. Can the current acquisition practices translate easily to the dynamic world of cloud computing?

Not really, said Barry Brown, executive director of the Enterprise Data Management and Engineering Division at Customs and Border Protection. He echoed a view shared by others in the federal government. With cloud computing, “the technology delivery model has changed,” he said. “What has not changed is the procurement model.”

The methodology gap between procuring IT systems and procuring IT services has been intensifying in the past year, ever since former Federal CIO Vivek Kundra outlined the government's cloud-first policy. That initiative seeks to reduce costs and increase IT acquisition flexibility by pushing federal IT systems to cloud environments. Each agency has until May to identify three IT resources that it will move to the cloud.

But the move is straining traditional procurement departments. Rather than promoting speed and agility, in some cases cloud initiatives are spawning extended contract negotiations and legal challenges that are making it take even longer for agencies to get the resources they need.

Not all the early obstacles are specific to the cloud, so they won't be permanent. But other features that are essential parts of the cloud model will continue to present challenges. Technology executives will need to accommodate them with new procurement and vendor management practices if the switch to on-demand, utility computing is to succeed.

Stumbling blocks

Why do some experts believe that current procurement practices are ill-suited to the cloud? They point to four key challenges.

Challenge 1: Variable service levels

With the cloud model, IT managers can shop for new, on-demand services via online catalogs. That approach acknowledges that demands can change from month to month, or even more frequently.

“From a contracting perspective, that’s pretty tough to deal with,” said Wolf Tombe, chief technology officer at Customs and Border Protection. He contrasts that variability with contracts that designate the technologies purchased and specify the delivery date.

Challenge 2: Nonstandard terms of service

Backers of the cloud model promote economies of scale, whereby costs decline because multiple customers share common resources, such as a suite of office productivity software. But consultants say many agencies try to negotiate cloud contracts that have custom services, which slows the procurement process.

“Everybody thinks what they need is special,” said Michael Sorenson, director of cloud services at systems integrator QinetiQ North America. Some compare the approach to asking Microsoft to customize its Office suite before buying the product.

Challenge 3: A shifting landscape

Cloud providers bring additional uncertainties to service terms. In the past, when a software vendor revised a commercial package, agencies could choose to install the new features or stick with the existing version of the program. But cloud providers regularly revise their service offerings, and the changes automatically flow to all customers, whether they ask for them or not.

“This makes procurement uncomfortable because you cannot be sure what you buy today will be there tomorrow,” said Peter Gallagher, a partner in the Civilian Federal Systems group at Unisys. “The pace of change is more rapid than with [off-the-shelf software].”

Challenge 4: Pricing uncertainties

Some agencies struggle to determine whether a firm fixed-price or cost-plus approach delivers the most benefits in a cloud-computing contract. “The best procurement procedure we’ve seen is a firm fixed price, and then if there are any modifications to the core service — say, additional storage for an e-mail user — the agency will pay for it by the drink,” Sorenson said. “But that is more complex than a standard utility scenario.”

All of that is leading some government executives to call for new procurement methods that address contracts oriented to service and performance. Officials are still far from having all the answers, but they understand the challenges they face. “It is a new way of doing business, and it requires new contracts,” Tombe said.

Counterpoint

Not everyone agrees that cloud services represent such a significant departure from past IT practices that they require new acquisition methods. Some say only minor changes are needed for future cloud acquisitions to be well served by existing contracting vehicles, such as the General Services Administration’s Alliant governmentwide acquisition contract and IT Schedule 70 blanket purchase agreements, which specify firm fixed prices for cloud services negotiated on behalf of the entire federal government.

“I don’t think cloud procurement is as different or problematic as people make it out to be,” said Larry Allen, president of Allen Federal Business Partners, which provides procurement policy support for government contractors. “I’m not an advocate for creating new cloud-based contract vehicles. It’s much better to use what’s out there.”

In fact, for all the contracting uncertainties, agencies are making progress toward the cloud-first deadline. GSA and the National Oceanic and Atmospheric Administration are just two examples of agencies with large-scale cloud initiatives. Last year, GSA moved 17,000 staff members to Google Apps for Government, a cloud-based e-mail and collaboration system, and NOAA awarded an $11.5 million, three-year contract to migrate 25,000 employees to the Google messaging platform.

Wake-up calls

But cloud procurements don’t always go smoothly. In some cases, the problems are inherent to the cloud, such as determining how much customization of services, if any, is acceptable. In other cases, procurement officers are still sorting out when and how to apply existing rules to the cloud environment. Working through those issues can put the brakes on cloud procurements.

For example, in October 2011, the Government Accountability Office upheld a protest by Technosource Information Systems and TrueTandem that challenged a specification in a GSA request for quotations for cloud-based e-mail services. The RFQ required that data services be located in the United States or other designated countries.

GSA responded to the challenge in part by arguing that the government needs to control where information is stored because of concerns about foreign jurisdictions asserting access rights to data that resides in or moves through their country. Location would likely not have been an issue for agencies that opted to host services in-house, but in the cloud, data could conceivably be stored anywhere in the world.

Nevertheless, the challenge by the two contractors said the GSA requirement unduly restricted competition. GAO agreed, saying that GSA failed to establish a legitimate government need for the stipulation and calling on the agency to amend the RFQ to reflect its actual needs regarding data centers located outside the United States. After reviewing the decision, GSA issued an amended RFQ, nearly six months after issuing the original request.

Earlier, the Interior Department became embroiled in an even bigger contracting controversy after a lawsuit by Google put the brakes on a $59 million, five-year external private cloud intended to provide e-mail and collaboration capabilities for 88,000 of Interior’s employees. The suit charged that Interior’s request for proposals was “unduly restrictive of competition” because it specified a private cloud solution using Microsoft Business Productivity Online Standard Suite. Early last year, a federal judge sided with Google in a ruling that said Interior violated federal acquisition rules for open competition.

Part of the ruling stemmed from Interior’s choice of Microsoft technology, which the department had been using in a traditional implementation. The bigger question appeared to be Interior’s stipulation of a private cloud, which Google, as a supplier of technology for multi-tenant public cloud solutions, could not support.

Knowing that the private cloud stipulation might be challenged, Interior’s procurement and legal staffs tried to be proactive by documenting market research the agency had gathered about the potential risks of public clouds, said William Corrington, Interior’s CTO at the time and now cloud strategy lead at Stony Point Enterprises, a consulting firm that specializes in cloud strategies for federal agencies.

According to court documents, Interior said its research led it to a single-user, private cloud solution because of the sensitive nature of the data that would be stored in the cloud, the agency’s tolerance for risk, and “the benefits and liabilities of each cloud model.”

The case illustrates how questions about emerging cloud technologies add complexity to government procurements. As a result, some Interior officials felt they were being forced to accept undue risks because acquisition rules altered the agency’s original cloud choice, Corrington said.

The legal challenges also led to significant delays. Interior awarded the original contract in late 2010 but is still trying to move the project forward. In early January, the agency issued a new RFP that just now reopens the bidding. This time the department is calling for a commercial provider that can transition its current in-house e-mail systems to “an integrated, cost-effective, cloud solution.” It makes no mention of a private cloud or specific products.

Such legal challenges and protracted contract negotiations over sticking points such as security and service-level monitoring are prompting some observers to call for new methodologies to guide everyone in the procurement community.

“Our acquisition people are doing the best they can, but progress [toward cloud adoption] represents transformation and change for IT,” Tombe said. “That transformation and change require that some of our partners and stakeholders change along with us.”

5 ways to prep for the cloud

Government acquisition personnel must often perform a balancing act to achieve the cost and efficiency benefits promised by cloud providers. On the one hand, they need to contract for solutions that share a common set of hardware and software resources to benefit from money-saving economies of scale. Unfortunately, one-size-fits-all solutions aren’t always appropriate, especially when missions and support requirements differ so widely across the government.

Agency officials and consultants say some core definitions and tools could speed contract negotiations and bridge the sometimes conflicting needs of agencies and cloud providers. Here is a list of techniques that could help speed government’s move to the cloud.

1. Security accreditation

Security fears rank among the top obstacles to cloud migrations. Fortunately, procurement officers could have an important tool to address those issues this year — the Federal Risk and Authorization Management Program (FedRAMP). It will create a security baseline that any agency can use to ensure that cloud contracts meet a standard level of protection. Combined with security guidelines from the National Institute of Standards and Technology, FedRAMP promises to simplify and speed the acquisition process.

2. Service-level agreements

The FedRAMP model for an accredited baseline of requirements could be useful in other areas, including the creation of service-level agreements. Agencies and cloud providers often struggle to balance conflicting requirements when it comes to SLAs, said William Corrington, former chief technology officer at the Interior Department and now the cloud strategy lead at Stony Point Enterprises.

For example, the Office of Management and Budget or the General Services Administration might specify that all cloud-based e-mail solutions achieve a minimum uptime rating of 99.95 percent, which would relieve agencies and vendors from hashing out those terms for each contract and thereby speed negotiations.

“Government lawyers would have some confidence that contract language is coming down from OMB or GSA, and cloud vendors would understand what the government is expecting for terms and conditions,” Corrington said.

3. Standardized service definitions

A similar framework for predetermined terms and conditions would benefit common cloud services, such as e-mail solutions or IT infrastructure services. “There are a lot of variables, but if you lock everyone down into a set of services that are utilitarian, then many challenges go away and agencies can compare pricing apples to apples,” said Michael Sorenson, director of cloud services at QinetiQ North America.

The framework would differ from traditional governmentwide acquisition contracts and blanket purchase agreements (BPAs) by establishing standard service definitions all vendors in a particular cloud category would use. Cloud providers might be willing to embrace standardized definitions as a way to discourage agencies from negotiating special terms for commodity solutions.

“Even when the new BPA for [GSA’s proposed e-mail-as-a-service agreement] comes out, I still think agencies will look at terms of service and want to negotiate them,” said Peter Gallagher, a partner in the Civilian Federal Systems group at Unisys. “If you are a [software-as-a-service] provider, it is difficult to negotiate different terms of service in a multi-tenant environment.”

To accommodate varying needs, the government could create standardized terms for tiers of service, such as gold, silver and bronze levels with different performance characteristics, Gallagher added.

4. Clear rules for data management

Today, agencies must negotiate to insert clauses into cloud contracts that specify how their information is maintained and protected by cloud providers. For example, officials at Customs and Border Protection are concerned about having exit strategy options for their data if they decide to switch cloud providers.

“I want that language in the contract going in,” said Wolf Tombe, the agency’s chief technology officer. “I don’t want that to be an afterthought.”

Another issue is the physical location of the storage systems that house government data. Some security rules call for sensitive data to remain in the United States or in select overseas countries. But that can be hard to nail down, as GSA learned when two contractors successfully challenged its original e-mail-as-a-service request for quotations, which restricted data services to certain specified locations.

5. New skill sets for procurement employees

Some acquisition officers might need training to help them negotiate and manage cloud contracts. “Agencies don’t necessarily need to hire legions of new people, but they should make sure their acquisition workforce understands the difference in service acquisitions and why they’re different from products,” said Larry Allen, president of Allen Federal Business Partners.

Key skills for a cloud-rich environment include project and vendor management. The IT Acquisition Advisory Council, among others, is working with the government to promote new acquisition methodologies that are better suited to the cloud, Tombe said.
