Cloud contracting checklist: 10 aspects to consider
The cloud’s unique requirements demand a fresh look at IT services procurement
Although cloud computing is often treated as just another way of acquiring IT services, it represents a new way for agencies to consume IT and will require a new way for agencies to think about how to procure it.
In a publication released in February — “Creating Effective Cloud Computing Contracts for the Federal Government” — the CIO Council and the Chief Acquisition Officers Council (CAOC) jointly came out with a list of best practices that they said highlights the unique contracting requirements of cloud computing.
“This move to cloud computing represents a paradigm shift from buying IT as a capital expenditure to buying IT as a service,” the document states. “This requires federal agencies to rethink the way they contract for IT in order to address elements unique to cloud computing environments.”
This new paradigm is larger than just IT, the document states, and although there are certainly technical changes involved with cloud services, the more substantive issues lie in the business and contracting models applied to the cloud.
To that end, the document also states explicitly what many organizations have considered for some time a necessary requirement for procuring cloud services, given that those services will touch all aspects of an agency’s business. It urges “proactive planning with all the necessary agency stakeholders” such as CIOs, general counsels, privacy officers, records managers, Freedom of Information Act officers and others.
It also points to a December 2011 memo from the Office of Management and Budget that specifically required all federal agencies to use the Federal Risk and Authorization Management Program (FedRAMP) when procuring and authorizing cloud solutions. The Federal Information Security Management Act requires federal agencies to authorize, and accept the risk of, placing federal data in an IT system; the document directs agencies to exercise that responsibility through the FedRAMP process rather than as a separate, agency-specific effort.
Overall, the document details 10 areas that the CIO Council and CAOC believe agencies need to consider when drawing up cloud contracts:
Selecting a cloud service: Choosing the appropriate cloud service and deployment model is the critical first step in procuring cloud services.
Cloud service provider and end-user agreements: Terms of service and all CSP/customer-required agreements need to be integrated fully into cloud contracts.
Service-level agreements: SLAs need to define performance with clear terms and definitions, demonstrate how performance is being measured, and specify what enforcement mechanisms are in place to ensure that SLAs are met.
CSP, agency, and integrator roles and responsibilities: Careful delineation of the responsibilities of, and relationships among, the federal agency, integrators and the CSP is needed in order to effectively manage cloud services.
Standards: The use of the National Institute of Standards and Technology’s Cloud Computing Reference Architecture and agency involvement in standards are necessary for cloud procurements.
Security: Agencies must clearly detail the requirements for CSPs to maintain the security and integrity of data existing in a cloud environment.
Privacy: If cloud services host “privacy data,” agencies must adequately identify potential privacy risks and responsibilities and address those needs in the contract.
E-discovery: Federal agencies must ensure that all data stored in a CSP environment is available for legal discovery by allowing all data to be located, preserved, collected, processed, reviewed and produced.
Freedom of Information Act: Federal agencies must ensure that all data stored in a CSP environment is available for appropriate handling under FOIA.
E-records: Agencies must ensure that CSPs understand and assist federal agencies in compliance with the Federal Records Act and obligations under that law.