Information technology leaders in the U.S. government have been promoting cloud technologies for more than a year. In December 2010, the federal chief information officer launched an IT reform plan that required agencies to start adopting cloud technologies. At the time, some agencies had already implemented cloud solutions, and since then many others have initiated cloud programs.
It's still early days in the federal cloud revolution, and a key challenge in adopting the technology involves federal contracting procedures.
"The most consistent lessons learned from the early cloud adopters show that the federal government needs to buy, view, and think about IT differently," the federal CIO Council says in a guide to cloud contracting released Feb. 24. The guide was produced jointly with the federal Chief Acquisitions Officers Council (CAO).
"Cloud computing presents a paradigm shift that is larger than IT, and while there are technology changes with cloud services, the more substantive issues that need to be addressed lie in the business and contracting models applicable to cloud services," the guide says. "Federal agencies should begin to design and select solutions that allow for purchasing based on consumption in the shared model that cloud-based architectures provide."
Focus on Cloud Performance
Federal agencies normally invest in IT equipment and facilities and own, operate, and manage those facilities themselves, often at in-house locations. However, with cloud configurations, agencies purchase IT services "on demand" from an outside entity -- a cloud service provider (CSP) -- whose facilities are usually physically remote from the agency. The emergence of the CSP changes everything and requires astute use of a different contracting vehicle.
The CIO guide focuses on several aspects of cloud contracting, including the following:
Terms and Disclosure: CSPs rely on common acceptable-use standards to govern how customers use their services. Usually this includes a Terms of Service Agreement (ToS). Agencies can also require CSPs to sign Non-Disclosure Agreements (NDAs) to enforce acceptable provider personnel behavior for dealing with government data.
"These agreements are new to many IT contracts because of the nature of the interaction of end-users with CSP environments -- both due to federal agency access to cloud services through CSP interfaces, and CSP personnel access and control of federal data," the guide says.
Performance: Service Level Agreements (SLAs) within the overall CSP contract require the provider to perform at acceptable levels in measurable terms. According to the guide, common terms and general standards are consistent, but other definitions and performance metrics can vary widely among vendors.
For example, "uptime" or "availability" may not account for planned service outages. As a best practice, SLAs should clearly define how performance is guaranteed (such as response time, problem mitigation time, and availability) and require vendors to monitor service levels, provide timely notification of a failure, and provide evidence that problems have been resolved.
"Federal agencies need to fully understand any ambiguities in the definitions of cloud computing terms in order to know what levels of service they can expect from a CSP," the guide says.
In addition, most cloud SLAs do not include penalties if a standard is not met -- and the consequences can be "catastrophic," the CIO council notes. Absent penalty provisions, providers may not have sufficient incentives to meet the agreed-upon service levels. To motivate providers to meet the contract terms, there should be a credible consequence -- such as a financial or service credit -- so that a performance failure results in a significant cost to the cloud vendor.
Agencies Will Adjust
The guidance document will be utilized as a basis for contracting actions.
OMB will work with all key stakeholders to better understand what tools and information agencies still desire. It will include the federal CIO, the General Services Administration (GSA), and agency officials in a variety of ways, such as outreach, education and training, to ensure agency personnel understand the recommended actions.
The guidance includes consideration of commercial practices, and reflects OMB's regular outreach with industry during the last two years as the administration's strategy on cloud computing has evolved on a multitude of cloud topics, including acquisition. In addition, it reviewed government contracts with various commercial providers to understand how federal agencies contracted with them for use of the CSP offerings.
For vendors of cloud services and related offerings, the CIO guide provides notice of potential changes in contracting.
"The issue of SLAs is familiar to cloud providers, so that should not be a big issue in terms of the concept," Joe Brown, president of Accelera Solutions, told CRM Buyer. "But federal agency personnel might need some training and assistance to help understand what the SLAs mean."
Performance Work Agreements (PWAs) are similar to SLAs, and agencies have been using them routinely, Brown mentioned.
Such agreements often include either financial penalties or incentives, "but applying that idea to SLAs could take a little work for the agencies," he said.
Some aspects of SLA implementation are easier to accomplish than others, noted Brown.
"There are some standard benchmarks for things like availability and some technologies that can be employed to adopt them. But judging 'performance' is a little more subjective," he continued. "The agencies will have to put in place some measurements for individual contracts and ask the contractor to meet them."
On the other hand, vendors can help themselves by offering some type of "self servicing mechanism" that monitors such factors as availability and reliability. "The goal should be transparency of the operation, and providers should strive to feed operational information back to the agency," Brown noted.
To promote cloud deployment, the GSA has put in place a "shared services" contract mechanism for Infrastructure as a Service (IaaS) under a Blanket Purchase Agreement (BPA) whereby several providers are "preselected" by GSA to provide cloud services throughout the government. The idea is to save agencies the time and trouble of developing their own contracting mechanism.
While such contracting vehicles can be useful, especially in helping agencies pursue enterprise-wide IT programs, there's a flaw in that process, Brown said, in that the preselected vendor roster limits the competitive opportunities for a broad range of vendors.
"I would like to see that contract mechanism opened up every year for new opportunities for more vendors or just expand the regular Schedule 70 qualification process," he said. Schedule 70 refers to the broad GSA-approved contractor list for IT services.
"Information technology is changing so fast that innovations and the addition of more vendors with improved products and services occurs continuously," Brown pointed out. "It's just naive to think that a single group of providers can cover the whole range of cloud and related applications."
The CIO guide also covers other contracting elements, such as use of the newly released Federal Risk and Authorization Management Program (FedRAMP); selection of private, public or hybrid clouds; privacy issues; and Freedom of Information compliance.
It represents the next key step in the administration's "Cloud First" policy