Contracting for Cloud Services
A 6-Step “How-To” Guide to Contracting for Cloud Services
Includes a 137-Element Contracting Checklist
Ron Scruggs, Thomas Trappler, & Don Philpott
Published by
ISBN: 978-1-937246-67-9
About the Publisher – Government Training Inc.™

Government Training Inc. provides worldwide training, publishing and consulting to government agencies and contractors that support government in areas of business and financial management, acquisition and contracting, physical and cyber security and intelligence operations. Our management team and instructors are seasoned executives with demonstrated experience in areas of Federal, State, Local and DoD needs and mandates. For more information on the company, its publications and professional training, go to www.GovernmentTrainingInc.com.

Copyright © 2011 Government Training Inc. All rights reserved. Printed in the United States of America. This publication is protected by copyright, and permission must be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system or transmission in any form or by any means, electronic, mechanical, photocopying, recording or likewise. For information regarding permissions, write to: Government Training Inc., Rights and Contracts Department, 5372 Sandhamn Place, Longboat Key, Florida 34228, [email protected]

ISBN: 978-1-937246-67-9

Sources: This book has drawn heavily on the authoritative materials published by a wide range of sources. These materials are in the public domain, but accreditation has been given both in the text and in the reference section if you need additional information. The author and publisher have taken great care in the preparation of this handbook, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or recommendations contained herein.
Acknowledgements

This handbook has drawn heavily on authoritative materials published by many federal agencies, especially the Department of Defense (DoD), the General Services Administration (GSA) and the Government Accountability Office (GAO). These materials are in the public domain, but accreditation has been given either in the text or in the reference section at the end of the book if you need additional information.

Disclaimer

Our aim is to provide a comprehensive framework that will allow you to understand the challenges of cloud computing, how to define procurement vehicles and processes, how to build and finalize a contract, and how to manage that contract. However, this book is a guide only and contains references should you need more detailed information on particular subjects. This book is not a legal handbook. “Example” clauses are given throughout this book, but before preparing a contract you must seek legal counsel. Also, if you have detailed legal questions, seek the advice of an appropriate legal expert.
About the authors

Ron Scruggs

Ron Scruggs, Certified Technology Procurement Executive, has had a distinguished career in sourcing, purchasing and contract management. He started his career in Washington, D.C., negotiating and managing federal government contracts in the 1960s. He also knows the international market well, having spent more than 20 years as Director of Contracts in Europe. Most recently he has co-developed the original Contracting in the Cloud seminar, based on his experience since the early 2000s, before the name “cloud” was attached to these services. Ron has assisted companies with IT and Business Process Outsourcing, Cloud Services, software development, software licensing, Website development and other projects. He has negotiated dozens of Cloud Services agreements and developed a number of Cloud SaaS template agreements for clients. Additionally, Ron has developed software agreements for vendors as well as customers, which gives him an edge: he knows the vendors’ reasons for their terms and conditions while also understanding customer needs. Acting as a consultant for a number of Fortune 500 and other companies, he has saved these companies millions of dollars while achieving better terms. On a single software deal, he saved $50 million for one of his clients. As manager of Strategic Alliances for Digital and Bay Networks, he negotiated major purchases, such as personal computers ($40 million a year), and software alliances with Microsoft, Olivetti and other major firms. He also spent 20 years working as Director of Contracts for Digital and Bay Networks. Ron has developed and taught courses including Negotiation Success, Resolving Software Business Issues, Export Control Issues and Solutions, Open Software Dynamics, and Procurement Management covering Purchasing, Legal, Technical, Finance and Contract Management subjects.

Ron has a BA and MBA and has also completed post-graduate courses with INSEAD in France, the Institute of Business Methods (IMEDE) in Switzerland and the Swedish Institute of Management. His published articles include “Get Better Deals by Listening,” “Effective SOW Writing,” “Cloudy SLAs,” and “What Vendors Do Not Want You To Know About Escrow.” Ron lives in Florida with his wife of 45 years and his pet, Benji. He still consults and teaches on IT procurement issues.

Thomas Trappler

Thomas Trappler (www.thomastrappler.com) is Director of Software Licensing at the University of California, Los Angeles (UCLA), and has extensive experience leading enterprise-wide IT procurement and vendor-management initiatives and negotiations focused on cost reduction and risk mitigation, with an emphasis on cloud computing contracts and software license agreements.
Elected the inaugural Chair of the University of California (UC) system-wide Technology Acquisition Support Group, Thomas has led the investigation, implementation and ongoing vendor management for more than 30 enterprise-wide IT acquisition agreements. These agreements provide 188,000 licenses to 228 operational units in a decentralized enterprise and have resulted in savings of $7.5 million/year. Additionally, Thomas is the lead author and project manager for initiatives to develop UC-wide standard software license agreement and cloud computing contract templates. Dubbed “The Cloud Contract Advisor” by Computerworld magazine, Thomas is a nationally recognized expert and published author on cloud computing risk mitigation via contract negotiation and vendor management. He has been a guest lecturer at the Polytechnic Institute of New York University, and developed and teaches “Contracting in the Cloud,” the original seminar focused on the unique issues associated with the acquisition and management of cloud computing services. Thomas is currently working with the Cloud Security Alliance as the lead author and project manager on an initiative to establish a standard cloud computing contract checklist.

His presentations and publications include:

Cloud Expo West 2011, presentation, Cloud Computing Contract Issues, November 7, 2011
Educause 2011, presentation, Managing Cloud Security Risks Through the Right Partnerships, October 19, 2011
Computerworld, column, The Cloud Contract Adviser, ongoing
The Business of Cloud Computing Conference, pre-conference workshop, “Due Diligence and Cloud Service Agreements,” June 13, 2011
Security Professionals 2011, presentation, If It’s in the Cloud, Get It on Paper: Cloud Computing Contract Issues, April 6, 2011
Educause West/Southwest Conference 2011, presentation, If It’s in the Cloud, Get It on Paper: Cloud Computing Contract Issues, February 23, 2011
EDUCAUSE Live!, webinar, Spotlight on Cloud Computing, December 10, 2010
Educause 2010, discussion session, Cloud Computing Contract Issues, October 14, 2010
Educause Quarterly, article, If It’s in the Cloud, Get It on Paper: Cloud Computing Contract Issues, Volume 33, Number 2, 2010
Educause Quarterly, article, Is There Such a Thing as Free Software? The Pros and Cons of Open Source Software, Volume 32, Number 2, 2009

Don Philpott

Don Philpott is editor of International Homeland Security Journal and has been writing, reporting and broadcasting on international events, trouble spots and major news stories for almost 40 years. For 20 years he was a senior correspondent with Press Association-Reuters, the wire service, and traveled the world on assignments including Northern Ireland, Lebanon, Israel, South Africa and Asia. He writes for magazines and newspapers in the United States and Europe, and is a regular contributor to radio and television programs on security and other issues. He is the author of more than 100 books on a wide range of subjects and has had more than 5,000 articles printed in publications around the world. His most recent books are Handbooks for COTRs, Performance Based Contracting, Cost Reimbursable Contracting, How to Manage Teleworkers, Crisis Communications and Integrated Physical Security Handbook II. He is a member of the National Press Club.
Contents

Acknowledgements
Disclaimer

Step 1. Understanding Cloud Computing
Why is it Called Cloud Computing?
Key Cloud Computing Benefits
Challenges of Cloud Computing
PaaS Issues

Step 2. Understanding The Federal Government’s New Approach To Cloud Computing
Cloud First
President’s Cyber Policy
Federal CIO Statements
Cybersecurity Gets a Boost
IT Reform Push, Nine Months After ‘Cloud First’ Introduction
GSA is in the Cloud

Step 3. Identifying/Determining Your Needs
Provision of Selected IT Services
Successful Move to the Cloud Requires Agency Introspection First
Focus/Roadmap
Pricing Billing Terms

Step 4. Defining Potential Procurement Vehicles and Processes
Contracts and RFPs
How do you Gather Information on Cloud Services?
Customer References
A Process For Acquiring Cloud Computing Services
Developing a Performance-Based Work Statement
Other Agencies’ Cloud Implementations

Step 5. Building and Finalizing a Contract
Infrastructure/Security
Information Security
Operations Management
Third-Party Certifications
Customer Data Center Inspection Rights
Performance Reporting
Location of Data
Data Protection, Access, Location – Questions
Fees/Payments
Terms and Conditions Online
Storage Limits/Fees
Technical Support
SaaS, Security, the Cloud and the Contract

Step 6. Managing The Contract and The Vendor Relationship
Contract Administration
Overcoming Weaknesses
Contracting Officer’s Technical Representative (COTR)
Voucher/Invoice Review, Approval and Processing
Re-certification/Re-inspection
SLA/KPI Monitoring
Vendor Continued Viability – Proactively Monitor
Payment for Performance
Compliance
Relationship Advice for Contract Managers
Conclusion
Notice: Appendices and blank forms are available online. To access the additional materials, visit www.GovernmentTrainingInc.com, go to the Books section of the website, and click on Contracting for Cloud Services. In the Reference Library Login area of the page, log in with the username and password assigned to you, the purchaser. You will need to enter your email address when logging in so that we can verify each visitor. This information is for the use of the purchaser only and is not to be distributed to anyone except the purchaser.
Symbols

Throughout this book you will see a number of icons displayed. The icons are there to help you as you work through the Six Step process. Each icon acts as an advisory, for instance alerting you to things that you must always do or should never do. The icons used are:

This is something that you must always do
This is something you should never do
Really useful tips
Points to bear in mind
Have you checked off or answered everything on this list?
Step 1. Understanding Cloud Computing
Cloud computing describes a broad movement to treat IT services as a commodity with the ability to dynamically increase or decrease capacity to match usage needs. By leveraging shared infrastructure and economies of scale, cloud computing presents organizational leadership with a compelling business model. It allows users to control the computing services they access, while sharing the investment in the underlying IT resources among consumers. When the computing resources are provided by another organization over a wide-area network, cloud computing is similar to an electric power utility. The providers benefit from economies of scale, which in turn enables them to lower individual usage costs and centralize infrastructure costs. Users pay for what they consume, can increase or decrease their usage, and leverage the shared underlying resources. With a cloud computing approach, a cloud customer can spend less time managing complex IT resources and more time investing in core mission work.
Why is it Called Cloud Computing?

The term “cloud” is used as a metaphor for the Internet, based on the cloud drawing used in the past to represent the telephone network, and later to depict the Internet in computer network diagrams as an abstraction of the underlying infrastructure it represents.
“It comes from the early days of the Internet where we drew the network as a cloud… we didn’t care where the messages went… the cloud hid it from us.” – Kevin Marks, Google
NIST Provides a Formal Definition for Cloud Computing

Cloud computing is defined by the National Institute of Standards and Technology (NIST) as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models and four deployment models.”
Five Characteristics
On-demand self-service. A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service’s provider.

Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops and PDAs).

Resource pooling. The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state or datacenter). Examples of resources include storage, processing, memory, network bandwidth and virtual machines.

Rapid elasticity. Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out, and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.

Measured service. Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth and active user accounts). Resource usage can be monitored, controlled and reported, providing transparency for both the provider and consumer of the utilized service.

Three Service Models

The NIST definition categorizes cloud computing into three service models:

Cloud Software as a Service (SaaS). The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface, such as a Web browser (e.g., Web-based email). The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
Examples: Google, NetSuite, RightNow, Salesforce, Service-Now, SuccessFactors, Taleo and Workday.
Cloud Platform as a Service (PaaS). The capability provided to the consumer is the ability to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems or storage, but has control over the deployed applications and possibly application hosting environment configurations.
Examples: Google App Engine, Salesforce.com’s Success on Demand, Engine Yard and Azure.
Cloud Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage and deployed applications, and possibly limited control of select networking components (e.g., host firewalls).

Examples: Amazon Web Services (EC2, S3 etc.), ENKI, GoGrid, Logicworks, OpSource, Rackspace, SAVVIS (acquired by CenturyLink) and Terremark.
Four Deployment Models

The NIST definition of cloud computing includes four deployment models, each of which provides distinct trade-offs for agencies which are migrating applications to a cloud environment.

Public cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.

Private cloud. The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.

Community cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, and policy and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise.

Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (private, community or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).
Key Cloud Computing Benefits

A number of government agencies are adopting cloud technologies and are realizing considerable benefits. For instance, NASA Nebula, through a community cloud, gives researchers access to IT services relatively inexpensively and within minutes. Before this approach was adopted, it would take researchers months to procure and configure comparable IT resources, and significant management oversight was needed to monitor and upgrade the systems. Applying cloud technologies across the entire federal government can yield benefits such as:
Cost Reduction
Scalability
Automatic Updates
Remote/Mobile Access
Increased Reliability
Rapid Deployment/Easy Implementation
Access to Higher Level IT Resources
Green IT
Cost Reduction
You only pay for what you use, as you use it.
Hardware, software and IT staff expense reductions.
Additional reduced costs from energy and real estate.
In FY2010, approximately 30 cents of every dollar invested in Federal IT was spent on data center infrastructure. Unfortunately, only a fraction of this investment delivers real, measurable impact for American citizens. By using the cloud computing model for IT services, the federal government will be able to reduce its data center infrastructure expenditure by approximately 30 percent (which contributes to the estimated $20 billion of IT spending that could be migrated to cloud computing solutions). Similar efficiency improvements will be seen in software applications and end-user support.
Tip As utilization is improved, more value is derived from the existing assets, reducing the need to continuously increase capacity. Fewer machines mean less spending on hardware, software and operations maintenance, and real estate and power consumption.
These savings can be used to increase capacity or be reinvested in agency missions, including citizen-facing services and inventing and deploying new innovations. Cloud computing can allow IT organizations to simplify, as they no longer have to maintain complex, heterogeneous technology environments. Focus will shift from the technology itself to the core competencies and mission of the agency.
Across the public and private sectors, data center infrastructure investments are not utilized to their fullest potential. For example, according to a recent survey, many agencies are not fully utilizing their available storage capacity and are utilizing less than 30 percent of their available server capacity. Low utilization is not necessarily a consequence of poor management, but, instead, a result of the need to ensure that there is reserve capacity to meet periodic or unexpected demand for key functions. With cloud computing, IT infrastructure resources are pooled and shared across large numbers of applications and organizations. Cloud computing can complement data center consolidation efforts by shifting workloads and applications to infrastructures owned and operated by third parties. Capacity can be provisioned to address the peak demand across a group of applications, rather than for a single application. When demand is aggregated in this fashion and properly managed, the peaks and troughs of demand smooth out, providing a more consistent and manageable demand profile. The shift to cloud computing can help to mitigate the fragmented data, application and infrastructure silo issues associated with federated organizational and funding models by focusing on IT services as a utility. IT services become candidates for more cost-effective procurement and management, similar to the model currently used for buildings and utility services. Cloud computing has the potential to provide a more interoperable and portable environment for data and systems. With the appropriate standards, over time, organizations may be able to move to common services and platforms. Cloud computing can accelerate data center consolidation efforts by reducing the number of applications hosted within government-owned data centers. For those that continue to be owned and operated directly by federal agencies (e.g., by implementing private IaaS clouds), environments will be more interoperable and portable, which will decrease data center consolidation and integration costs because it reduces unnecessary heterogeneity and complexity in the IT environment.
Scalability
Easily access resources needed
Start small and increase over time
Facilitate seasonal peak needs
Resources can grow as your needs grow
With traditional infrastructure, IT service reliability is strongly dependent upon an organization’s ability to predict service demand, which is not always possible. For example, the IT system used in the Car Allowance and Rebate System (CARS, more commonly known as “Cash-For-Clunkers”) had numerous failures because the load was considerably higher than what its system could handle. The sponsor for “Cash-for-Clunkers,” the National Highway Traffic Safety Administration (NHTSA), anticipated a demand of 250,000 transactions over a four-month period, but within just 90 days, the system processed approximately 690,000 CARS transactions. Within three days of the first dealer registrations, the system was overwhelmed, leading to numerous outages and service disruptions. The $1 billion appropriated for the program was nearly exhausted within one week, and an additional $2 billion was appropriated to triple the potential number of transactions just nine days after the program began. Cloud computing will also allow agencies to improve services and respond to changing needs and regulations much more quickly.
Remember The impact of cloud computing will be far more than economic.
NHTSA deployed a customized commercial application hosted in a traditional data center environment, but the CARS system presented a very good example of an unpredictable service demand and a short development window that could have been more efficiently handled using a cloud computing approach. Cloud computing will allow agencies to rapidly scale up to meet unpredictable demand, thus minimizing similar disruptions. Notably, cloud computing also provides an important option for agencies in meeting short-term computing needs such as the one above; agencies need not invest in infrastructure in cases where service is needed for a limited period of time. With a larger pool of resources to draw from, individual cloud services are unlikely to encounter capacity constraints. As a result, government services, such as “Cash-for-Clunkers,” would be able to more rapidly increase capacity and avoid service outages. Given appropriate service level agreements and governance to ensure overall capacity is met, cloud computing will make the government’s IT investments less sensitive to the uncertainty in demand forecasts for individual programs, which frequently emerge rapidly in response to national program needs which cannot be foreseen in the early stages of the federal budget cycle.
Automatic Updates
With cloud computing, you always have the current version, functionality and patches, because the service is continuously updating in real time.
The result is a reduced need to dedicate your resources to continuously update/patch in-house systems because the cloud vendor does it all for you. This frees up in-house IT staff to focus on core business issues.
This can present a challenge if you don’t want to update, for example because of a lack of integration with in-house systems or a lack of training for your end-user staff.
Remote/Mobile Access
Employees, partners and clients can access and update files and information wherever they are (as long as there’s an active Internet connection), rather than having to run back to the office.
This increased accessibility can lead to increased productivity for employees that are on the road.
This increased accessibility can lead to increased collaboration. The ease with which a geographically dispersed team can access the same documents makes it easier to work cooperatively on the same project. There is no need for time to be wasted waiting for emailed revisions because every team member can see what is being done by the others in real time.
Increased Reliability
Unless you’re in the business of running data centers or other computing services, this is not likely to be your organization’s core area of expertise, nor should it be.
By moving these processes to the cloud, they’re being run by organizations whose core business is to provide such services, so their expertise in these areas is likely higher than your own, ideally resulting in improved infrastructure security, business continuity and disaster recovery.
An additional benefit is that your in-house resources can be redirected from these areas to focus on differentiating projects related to and supporting your core business.
Rapid Deployment/Easy Implementation
Cloud computing also provides an indirect productivity benefit to all services in the IT stack. For example, less effort will be required to stand up and develop software testing environments, enabling application development teams to integrate and test frequently in production-representative environments at a fraction of the cost of providing this infrastructure separately. Cloud-based projects can be conceived, developed and tested with smaller initial investments than traditional IT investments. Rather than laboriously building data center capacity to support a new development environment, capacity can be provisioned in small increments through cloud computing technologies. After the small initial investment is made, the project can be evaluated for additional investment or cancellation. Projects that show promise can gain valuable insights through the evaluation process. Less promising projects can be cancelled with minimal losses. Reducing the minimum required investment size will also provide a more experimental development environment in which innovation can flourish.
This “start small” approach collectively reduces the risk associated with new application development.
The ability to reduce capital investment and transform it into operational expenses is an advantage of cloud computing. Cloud computing can lower the initial cost and reduce the time it takes to deploy new services, and thus can align expense with actual use. Many businesses also prefer OPEX over CAPEX because of tax considerations.
Instead of having to acquire, install and configure a wide range of hardware and software to get a new IT solution up and running (a process often taking months to complete), you just sign up for what you need over the Internet, and access to the service is typically provisioned in a matter of hours.
Business process owner units, in particular, may value the ability to get a solution up and running quickly. The time reduction in their case may also be increased by the ability to by-pass traditional central/corporate IT and/or procurement processes that they may have had to go through in the past. From an overall organization perspective, this may not always be a good thing.
Access to Higher Level IT Resources
Some organizations, especially smaller agencies, may not always be able to afford to acquire the latest technology and/or hire IT staff with the highest level of skills. By moving to a cloud solution, those organizations can have more equal access to such technology and IT staff resources, thus allowing them to compete more effectively with larger organizations. Due to the economies of scale achieved by a cloud vendor, those resources can be provided at a lower cost than doing so in-house.
Additionally a cloud vendor may have expertise in business processes that are needed to keep your business running, but that are not your core business or a key differentiator. For example, Salesforce and CRM, or Workday and payroll/personnel. Moving to a cloud solution could provide you with access to expert systems and resources in those areas, again allowing you to redirect in-house resources to initiatives supporting your core business.
Cloud computing will not only make the federal government’s IT services more efficient and agile, it will also serve as an enabler for innovation. Cloud computing allows the federal government to use its IT investments in a more innovative way and to more easily adopt innovations from the private sector. Cloud computing will also help the federal government’s IT services take advantage of leading-edge technologies including devices such as tablet computers and smart phones.
Green IT
Since a cloud provider’s core business is running data centers, they’re more likely to be able to build and run them in the most energy efficient manner possible (virtualized servers, efficient cooling, building close to renewable energy sources, etc.) than an organization with a different core business. This results in reduced needs to acquire in-house hardware, and reduced energy consumption and carbon footprints, per server.
Organizations with green initiatives may be able to further those initiatives by adopting cloud services.
Cloud Benefits: Efficiency, Agility, Innovation
EFFICIENCY
Cloud Benefits:
Improved asset utilization (server utilization >60-70%)
Aggregated demand and accelerated system consolidation (e.g., Federal Data Center Consolidation Initiative)
Improved productivity in application development, application management, network and end-user
Current Environment:
Low asset utilization (server utilization <30% typical)
Fragmented demand and duplicative systems
Difficult-to-manage systems
AGILITY
Cloud Benefits:
Purchase “as-a-service” from trusted cloud providers
Near-instantaneous increases and reductions in capacity
More responsive to urgent agency needs
Current Environment:
Years required to build data centers for new services
Months required to increase capacity of existing services
INNOVATION
Cloud Benefits:
Shift focus from asset ownership to service management
Tap into private sector innovation
Encourages entrepreneurial culture
Better linked to emerging technologies (e.g. devices)
Current Environment:
Burdened by asset management
De-coupled from private sector innovation engines
Risk-averse culture
Challenges of Cloud Computing
Cloud Services are Dynamic and Changing
Cloud Services Growth is Exploding
Procurement Contracting has not Caught up with the Growth
Vendor Contracts (Caveat Emptor, Buyer Beware)
Security
Data Issues
Vendor Lock-in
Vendor Viability
Service Level Agreements
Multi-tenancy/Shared Resources
Legal “Cloudy and Foggy”
Private Cloud Challenges
PaaS Issues
Other Key Challenges
Cloud Services are Dynamic and Changing
The cloud is a paradigm shift allowing people to network, compute and store data differently. Earlier, the solutions provided by the predecessors to the cloud were called time-sharing, then load balancing and the Web; today we call the evolution the cloud. The enablers to cloud include virtualization, Web 2.0, service-oriented architecture (SOA) and pay-as-you-go models among others.
Caution You cannot outsource your responsibility to the cloud.
When using cloud services, the gain has to be weighed against the cost and risk. According to an Information Week study, 62 percent of firms don’t monitor their cloud application performance. That lack of monitoring creates issues in getting what you pay for. Performance management, including Service Level Agreements, is part of the solution, when SLAs are drafted and managed properly. Your clients and users look to you when cloud service problems arise. Therefore, you need to do some thorough due diligence before contracting for cloud services.
Cloud Services Growth is Exploding
We will see a growth to thousands of cloud vendors. – Gartner
By 2012, it will be 30 percent of IT budgets.
By 2012, over 80 percent of firms will be using the cloud.
“The industry is poised for strong growth through 2014, when worldwide cloud services revenue is projected to reach $148.8 billion.” – Gartner
A 2011 IBM poll of CIOs shows 70% will pursue the cloud in the next 5 years as a means of growing business and revenue.
Total SaaS revenues in 2012 are expected to reach $21.2 billion.
SaaS revenues will reach $92.8 billion by 2016.
By 2016, SaaS will have 26 percent of the total packaged software market. (Forrester)
According to IDC’s landmark 2010 Digital Universe Study, the amount of data created and stored in 2009 via IaaS when used primarily as a storage vehicle was greater than ever before and was a remarkable 62 percent higher than the previous year. Over the next decade, the amount of data will be 44 times greater than it was in 2009. Cloud services and growth will clearly change the way we do things.
Procurement Contracting has not Caught up with the Growth (dealing with outdated contract models)
There are few customer cloud agreement templates.
Outsourcing agreements are a good base. Some consider cloud services as outsourcing.
ASP, “Hosting” are also good base documents.
Develop cloud agreements (or work statements) with emphasis on SLAs and KPIs, security and other key provisions, and address your business or mission needs.
The authors have included checklist references and other data in this book to help you determine the provisions you should address in your “cloud” agreements. As part of the procurement process, developing an agreement and preparing a procurement document requires a knowledgeable team including a technology specialist, a lawyer, a procurement professional, a security professional and a user of the services.
Vendor Contracts
“The ease and convenience with which cloud computing arrangements can be set up may lull customers into overlooking the significant issues that can arise when key data and processes are entrusted to cloud service providers,” said Professor Christopher Millard, principal researcher on the Cloud Legal Project. This premise has also been the authors’ experience. Some key reasons for pre-contract due diligence include ensuring the vendor provides adequate infrastructure and security, the vendor is viable, and the cloud solution meets your mission or business requirements. Businesses often jump to cloud solutions, since there are immediate economic benefits. However, this is often done without the realization of long-term risks and consequences that can easily eradicate the short-term savings. Lack of security is one such consequence. Sometimes, to get cloud services started, you just click on “accept” on the Web. Some cloud contract issues include:
Major issue: information security policies and compliance often are not addressed.
Vendor contracts are written to protect the vendor.
Generally missing key concerns (your reasons for using cloud services).
Performance (results are not meeting requirements).
Data loss without backup guarantee.
SLAs and KPIs are missing – as well as the right SLAs/KPIs.
Performance results.
Remedies (no remedy for vendor cloud failure).
Disaster Recovery (including how much data is lost, and when you can use the services again).
Vendor contracts are drafted by them in order to protect themselves, the vendor. Often the disclaimer language is much clearer than the language describing the services you are contracting for. Following is a summary of the forms and format of standard vendor terms and some recommendations. More details are provided later in this book. Note that in Federal Government contracting the vendor contracts are not part of the Government award. GSA for example has the terms of their Schedule 70 apply to awards. Vendor agreements usually have a number of modules and a provision that the cloud vendor can change the terms at any time (often by just posting the changes on the Web).
Terms of Service (ToS) – the agreement boilerplate. This has disclaimers of warranty, liability and other risk reduction provisions. The authors recommend you develop your own template agreements in a way that balances your requirements and risk, as well as vendor risk.
Acceptable Use Policy (AUP) – usually adequate except for remedy without notice. These require review, should be aligned with your use policy and have a notice for violations and a cure period.
Privacy Policy – often allowing the vendor to share data without notice to you. These should require notice to you prior to the sharing of data or, in the event of legally required immediate release, that you are notified as to its release.
Service Level Agreement (SLA) – generally not addressing customer needs. May reflect only downtime of system with exclusions to downtime. Does not reflect loss of data when system returns to operation or how long system is down.
SLA may allow vendors to market 100 percent uptime – BUT there may be exceptions to what is considered downtime (or uptime) or the credits may not apply until a lesser uptime (they guarantee 100 percent, but credits do not apply until the 99 percent uptime threshold is hit).
Exceptions to uptime (maintenance, force majeure, etc.)
Little remedy for failure – does not address loss of revenue, customers, and does not address loss of data and recovery points for data loss or time to restore service.
Threshold for remedies – often remedies do not kick in until after a period of “free” downtime as the example in the prior bullet point shows.
An Acceptable Use Clause (a Cloud Vendor Example)
“You agree to be solely responsible for the contents of your transmissions through the Services. You agree not to use the Services for illegal purposes or for the transmission of material that is unlawful, defamatory, harassing, libelous, invasive of another’s privacy, abusive, threatening, harmful, vulgar, pornographic, obscene, or is otherwise objectionable, offends religious sentiments, promotes racism, contains viruses, or that which infringes or may infringe intellectual property or other rights of another. You agree not to use the Services for the transmission of ‘junk mail,’ ‘spam,’ ‘chain letters,’ ‘phishing’ or unsolicited mass distribution of email. We reserve the right to terminate your access to the Services if there are reasonable grounds to believe that you have used the Services for any illegal or unauthorized activity.”
(As a minimum, there should be notice and a correction period rather than immediate access termination. Also, the clause should contain mutuality regarding the cloud vendor’s use of the services as it applies to you, your customers and your data.)
Things to Consider
Many vendor contracts generally note services “as is” without warranties. Limitation of liability omits most monetary damages, and there is little or no responsibility for data breaches or security. Some vendors state that the economic benefit that the cloud vendor can deliver is predicated on the services—and the agreements—being standard. So they say! That standard contract protects vendors and does not address your reasons for going to the cloud. The vendor contracts generally do not address performance and omit their liability for most any cause. Use of a competitive RFP can often overcome this issue by introducing competition which increases negotiation leverage.
Having an agreement that is one-sided does provide the vendor an economic benefit, but does not provide customers with reasonable protections and does not guarantee performance.
For instance, the following actual summary of terms and conditions from a cloud vendor were a major cause of concern:
Minimum 5 yr. term, renewal 3 yrs.
Customer to comply with online terms of use, terms may change (including price).
Ninety-nine percent uptime, five percent for each percentage point below to a maximum credit of 15 percent.
Exception for upgrades and maintenance and events beyond control of vendor.
No acceptance testing of customization.
Service “as is” and disclaims it will provide satisfactory quality, data accuracy, uptime.
No guarantee that the service will meet your requirements or needs.
No guarantee of access to the service or the accuracy of the service.
No guarantee of availability of its Website.
Customer’s sole remedy – Customer stops use of service.
Oh, by the way - $500K upfront payment for the first year of service.
Other security and backup: You are responsible for properly configuring and using the service and taking your own steps to maintain appropriate security, protection and backup of Your Content, which may include the use of encryption technology to protect Your Content from unauthorized access and routine archiving of Your Content.
Disclosure of Data: We may also share information when we have a good faith belief it is necessary to prevent fraud or other illegal activity, to prevent imminent bodily harm, or to protect ourselves and you from people violating our Statement of Rights and Responsibilities. This may include sharing information with other companies, lawyers, courts or other government entities.
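To make the uptime and credit terms in the summary above concrete (and the SLA caveats described earlier in this section: credits that start only below the marketed figure, exclusions for maintenance, and a cap), here is an added worked example in Python. It is not from the book or from any vendor’s contract. It assumes a 30-day billing month, credits expressed as a percentage of the monthly fee, a constructed $10,000 monthly fee and $50,000 of lost revenue, a 120-minute excluded maintenance window, and credits accruing per full percentage point below the threshold; all of these values are assumptions.

```python
"""SLA credit arithmetic for the kind of vendor terms summarised above.
Added illustration, not from the book or any real contract. Assumed values:
a 30-day billing month, credits expressed as a percentage of the monthly fee,
and a fixed number of excluded (maintenance) minutes per month."""
from dataclasses import dataclass

MINUTES_PER_MONTH = 30 * 24 * 60  # assumption: 30-day billing month


@dataclass(frozen=True)
class SlaTerms:
    marketed_uptime: float     # the figure in the brochure, e.g. 100.0
    credit_threshold: float    # uptime below which credits start, e.g. 99.0
    credit_per_point: float    # % of monthly fee per full point below threshold
    credit_cap: float          # maximum credit, % of monthly fee
    excluded_minutes: int = 0  # maintenance / force-majeure minutes not counted


def counted_downtime(outage_minutes: int, terms: SlaTerms) -> int:
    """Downtime the vendor will count after contractual exclusions."""
    return max(0, outage_minutes - terms.excluded_minutes)


def measured_uptime(outage_minutes: int, terms: SlaTerms) -> float:
    """Uptime percentage as the vendor would measure it for the month."""
    down = min(counted_downtime(outage_minutes, terms), MINUTES_PER_MONTH)
    return 100.0 * (MINUTES_PER_MONTH - down) / MINUTES_PER_MONTH


def free_downtime_minutes(terms: SlaTerms) -> int:
    """Outage minutes per month that earn no credit at all: the gap between
    the marketed figure and the credit threshold (1% of a month is 7.2 h)."""
    return round(MINUTES_PER_MONTH * (100.0 - terms.credit_threshold) / 100.0)


def sla_credit(outage_minutes: int, monthly_fee: float, terms: SlaTerms) -> dict:
    """Credit owed for a month with the given total outage minutes."""
    uptime = measured_uptime(outage_minutes, terms)
    points_below = max(0.0, terms.credit_threshold - uptime)
    # Assumption: credit accrues per *full* percentage point below the
    # threshold, so a fractional shortfall earns nothing.
    credit_pct = min(terms.credit_cap, terms.credit_per_point * int(points_below))
    return {
        "measured_uptime": round(uptime, 2),
        "free_downtime_minutes": free_downtime_minutes(terms),
        "credit_pct": credit_pct,
        "credit_amount": round(monthly_fee * credit_pct / 100.0, 2),
    }


def uncovered_loss(lost_revenue: float, credit_amount: float) -> float:
    """What the credit leaves on the table: credits never address lost
    revenue, customers or data, so this is usually most of the loss."""
    return round(max(0.0, lost_revenue - credit_amount), 2)


if __name__ == "__main__":
    # Constructed terms mirroring the summary: 100% marketed, credits from 99%,
    # 5% per point, 15% cap, 120 min of maintenance excluded each month.
    terms = SlaTerms(100.0, 99.0, 5.0, 15.0, excluded_minutes=120)
    for outage in (60, 1440, MINUTES_PER_MONTH + 120):
        r = sla_credit(outage, 10_000.0, terms)
        print(outage, "min outage ->", r,
              "uncovered:", uncovered_loss(50_000.0, r["credit_amount"]))
```

Run as written, the three cases show the pattern the text warns about: a one-hour outage earns nothing, a full day down earns a 10 percent credit, and a month entirely down still stops at the 15 percent cap, none of which approaches the revenue lost during the outage.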
Remember that, almost without exception, providers go to considerable lengths to deny that any performance warranty (or security warranty in many cases) existed. [Note that this procurement was sent out to bid after a review of the many issues (the term was too long, there was no guarantee of performance, plus the other issues noted above). The particular vendor with these provisions was not invited to bid.]
Loss of Governance
In using cloud infrastructures, the client necessarily cedes control to the cloud vendor on a number of issues which may affect security. At the same time, Service Level Agreements (SLAs) may not offer a commitment to provide such services on the part of the cloud vendor, thus leaving a gap in security defenses. Governance implies control and oversight over policies, procedures and standards for application development, as well as the design, implementation, testing and monitoring of deployed services. With the wide availability of cloud computing services, lack of organizational controls over employees engaging such services arbitrarily can be a source of problems. While cloud computing simplifies platform acquisition, it doesn’t alleviate the need for governance; instead, it has the opposite effect, amplifying that need as vendors and third parties are now involved. A recent study of the private sector showed that some company executives went directly to cloud vendors and ordered their services without involving their IT department. The executives had the budget and wanted fast deployment and cheaper costs without the normal internal processes impeding their efforts. In the government markets, this is not as easy to accomplish with the formal processes in place to put controls on spending public funds.
One way vendors avoid having to address due diligence issues with IT is to go around IT.
Technology companies know the value in selling directly to the line-of-business.
Often this “end-around” is a normal sales tactic.
Today, many commercial managers themselves want to avoid the IT process.
Security
Security remains the #1 concern among IT executives. This includes network security, as well as data protection and privacy, physical security and application security from cloud providers. The key finding of the Ponemon Study of April 2011 was that providers of cloud computing resources are not focused on security in the cloud. Rather, their priority is delivering the features their customers want, such as low-cost solutions with fast deployment that improves customer service and increases the efficiency of the IT function.
The majority of cloud vendors admit they do not have dedicated security personnel to oversee the security of cloud applications, infrastructure or platforms.
The majority of cloud vendors believe it is their customer’s responsibility to secure the cloud and not their responsibility. They also say their systems and applications are not always evaluated for security threats prior to deployment to customers.
Buyer beware – on average, providers allocate 10 percent or less of their operational resources to security and most do not have confidence that customers’ security requirements are being met.
Only 36 percent of U.S. and 57 percent of European cloud computing users strongly agree or agree that their organization is vigilant in conducting audits or assessments of cloud computing providers before deployment. A cloud vendor should be able to offer world-class security and data privacy better than its customers can do on their own, and at no additional cost. Processes and policies should encompass physical, network, application and data level security, as well as full back-up and disaster recovery. The provider should be compliant with security-oriented laws, certifications and auditing programs, including Safe Harbor, ISO 27001/2, and SSAE 16 (replaced SAS 70 effective 6/15/11) and the NIST standards.
Data Issues
Data ownership
Confidentiality
Will you get your data?
How and when?
What format?
Will it be transitioned?
Will it be blocked from future access?
These issues are addressed later in this book when we examine the key contract issues in detail.
Multi-tenancy/Shared Services
Multi-tenancy refers to a principle in software architecture where a single instance of the software runs on a server, serving multiple client organizations (tenants). Multi-tenancy is the key common attribute of both public and private clouds, and it applies to all three layers of a cloud: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS). Cloud computing services go beyond tactical features such as virtualization, and head towards implementing billing—or chargeback in the case of private clouds—based on metered usage. Cloud computing service also features improved accountability using service-level-agreements (SLAs), identity management for secured access, fault tolerance, disaster recovery, dynamic procurement and other key properties. By incorporating these shared services at the infrastructure layer, all clouds automatically become multitenant. Then tenants can enjoy the full spectrum of common services from a cloud, starting at the hardware layer and going all the way up to the user-interface layer. The challenge is how to effectively share infrastructure resources among multiple users, while at the same time ensuring data isolation between users, as if they are running on completely physically separate servers. If not done well this could lead to unauthorized data access, or unintentional intermingling of data.
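The isolation requirement in that last sentence, shown as an added Python example that is not from the book: a minimal shared store where one table serves several tenants, with the unscoped lookup that intermingles tenants beside the tenant-scoped lookup that treats another tenant’s row as not found and records the attempt for monitoring. The tenant names, record ids and payloads are constructed.

```python
"""Tenant isolation in a shared (multi-tenant) data store. Added illustration,
not from the book; the tenants, ids and payloads are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Record:
    record_id: int
    tenant_id: str
    payload: str


@dataclass
class SharedStore:
    """One software instance, one table, many tenants: the tenant_id column
    is the only thing separating them."""
    _rows: Dict[int, Record] = field(default_factory=dict)
    # Refused cross-tenant reads: (requesting tenant, record id, owning tenant).
    audit: List[Tuple[str, int, str]] = field(default_factory=list)

    def put(self, rec: Record) -> None:
        self._rows[rec.record_id] = rec

    def get_unscoped(self, record_id: int) -> Optional[Record]:
        """The weak pattern: lookup by record id alone. Whoever supplies an id
        gets the row, regardless of which tenant owns it."""
        return self._rows.get(record_id)

    def get_scoped(self, tenant_id: str, record_id: int) -> Optional[Record]:
        """The isolating pattern: the caller's tenant is part of every lookup.
        A row owned by another tenant is reported as not found (so the reply
        does not confirm that the id exists) and the attempt is logged for the
        provider's and the customer's security monitoring."""
        rec = self._rows.get(record_id)
        if rec is None:
            return None
        if rec.tenant_id != tenant_id:
            self.audit.append((tenant_id, record_id, rec.tenant_id))
            return None
        return rec

    def list_for_tenant(self, tenant_id: str) -> List[Record]:
        """Bulk reads must filter on tenant too, not only single-row reads."""
        return [r for r in self._rows.values() if r.tenant_id == tenant_id]


def demo() -> Tuple[Optional[Record], Optional[Record], int]:
    """Constructed scenario: two tenants, one shared table, one cross-tenant
    request made through each lookup style."""
    store = SharedStore()
    store.put(Record(1, "agency-a", "agency A case file"))
    store.put(Record(2, "agency-b", "agency B payroll run"))
    leaked = store.get_unscoped(2)                # agency A asking for id 2
    isolated = store.get_scoped("agency-a", 2)    # the same request, scoped
    return leaked, isolated, len(store.audit)


if __name__ == "__main__":
    leaked, isolated, refused = demo()
    print("unscoped lookup returned:", leaked)
    print("scoped lookup returned:", isolated, "| refused attempts:", refused)
```

The audit list is the detection hook a customer should ask about when reviewing a provider’s isolation controls: a cross-tenant read that is merely refused but never recorded leaves both parties blind to probing of the shared id space.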
Vendor Lock-In
Lack of data portability makes it difficult to migrate to another provider or migrate to an in-house IT environment. A Gartner survey in 2010 found that many customers considered the fear of lock-in a greater deterrent to cloud computing than security. Lock-in makes the customer contractually dependent on the vendor for products and services, and there are usually substantial costs in switching to another vendor. One concern is that information might not be easily transferable if vendor A uses one technology, i.e., a proprietary platform, and vendor B uses another. However, as more customers choose multiple vendors to provide the different services required, cloud vendors may be forced to provide better transportability of information.
Note. The Storage Networking Industry Association’s Technical Work Group is developing an API called the Cloud Data Management Interface (CDMI) that would allow providers to migrate customer data from one vendor’s cloud to the next – a move aimed at alleviating vendor lock-in. When that occurs, you will have the issue of cloud vendor acceptance and use among others. The CDMI is a step in the right direction that customers should be requiring once it is finalized.
Contract Term Lock-In
Another form of vendor lock-in is a term of agreement provision. In the example previously noted, the vendor required a five-year term. That five-year term posed many risks including:
1. The solution required tailoring without an acceptance process for the solution.
2. The customer had to pay before the solution was developed, tested and accepted.
3. If better technology came along, you were stuck with this solution during the contract term.
4. The cloud vendor could change the price and terms of the agreement at any time.
5. The vendor may not be around for five years.
Generally, start with a short term of around one year from acceptance of the services with renewals at the customer’s option. Have an agreed renewal/extension price ceiling included in the original agreement.
Vendor Viability
With the explosion in cloud computing, many vendors are jumping on the bandwagon to provide products and services. Some are well prepared to do this and have a proven track record. Others do not. Selecting the right vendor is critical. The vendor must not only be the owner of the services it is providing, it should prove that it has adequate arrangements and expertise in place to guarantee long-term viability. You should always ask the following questions:
Is the company financially stable?
Does it have a proven backup strategy?
What do other users say about the company and its performance?
Must Do Do your due diligence when choosing a vendor.
Also, in many customer agreements, there is a requirement for annual financial statements, and interim reports are required when significant events occur, such as a vendor officer resigning, a lawsuit being instigated that may impact your rights to use the service, a decision to file for chapter 11 bankruptcy or other events that impact the company’s ability to stay in business. This provision would be one that both public and private organizations should incorporate in their contracts. Ask for financial information from the company itself, and use whatever other resources are available to you to check this. Some cloud vendors may be private companies, so a lot of their financial information is not made public. If they want your business they should be willing to provide financial documents. If they refuse to do so, suspect the worst and refuse to contract in such circumstances. There are several ways you can still check out private companies. Check out their online investor relations information, and find out which venture capitalists (VCs) are supporting them. You can check out the track record of the VCs, and see how well they have done in this arena and what experience they have supporting other cloud vendors. Check out the vendor’s management team – who are they, what experience do they have, are there any skeletons in their closet (i.e., did the CEO’s previous two companies declare bankruptcy!).
Recent Vendor Problems
EMC shut down its Atmos cloud storage service and offered no guarantee that its customers could retrieve their data once the service closed. Vaultscape also closed. In April 2011, Iron Mountain announced it had stopped accepting new customers for its Virtual File Store service and was planning to shut it down over the next two years. Also in April 2011, Cirtas Systems announced it was leaving the market to regroup. The Sony PlayStation Network reported a data breach that compromised the personal data of more than 100 million customers because of a failure to safeguard (including by encryption) personal data. Reuters reported that the data breach “may claim another victim – the cloud computing industry.” These failures are more prevalent than people want to accept, and they existed well before the cloud did. Microsoft’s Business Online Professional Services (BPOS) experienced a series of major outages. BPOS was down for six to nine hours for most customers in early May 2011, followed by sporadic outages over the next couple of days. During that time, productivity was significantly impacted, since much of getting business done relies on being able to send and receive email. Online backup company Carbonite disclosed, by filing a lawsuit against a hardware vendor and a systems integrator, that it had lost data belonging to more than 7,500 customers in a number of separate incidents. Carbonite claimed that the cloud storage disaster was the result of $3M in faulty equipment provided by the vendor. In fact, according to Carbonite, it turned out that only 54 customers were unable to retrieve their data. Regardless of the number, companies lost data that they were not able to retrieve.
19
Step 1. Understanding Cloud Computing
Cloudy SLAs
When moving to cloud services, Service Level Agreements (SLAs) are a cornerstone of success. SLAs that align with business goals are a key part of the agreement. Those vendor agreements that do have SLAs (generally only for system availability during a defined period) are inadequate, in that availability is only one of the key elements relating to one’s business goals and measures of success. Additionally, the vendor SLA generally has minimal downtime credits (if any), exclusions for some downtime and other escapes that do not give you much protection. For example, the vendor may cap the amount of credits and start counting downtime only at a point lower than the promised threshold. One vendor limited credits to 15 percent of the monthly revenue even if the system was down for 100 percent of the time. Regardless of the downtime, credits do not address your lost revenue, lost customers, lost data and other consequences. Availability/downtime SLAs should address a Recovery Point Objective (RPO) and a Recovery Time Objective (RTO) in order to be effective and to allow you to understand the full risk. If a system goes down at 2:00 pm local time, and you have a four-hour RTO and an eight-hour RPO, you may be looking at the next business day for restart of services and the prior business day for the point to which your data is recoverable. RTO and RPO are also key elements of a disaster recovery/business continuity plan. Business SLAs fall into these major categories: Availability, Performance/Workload (including latency), Accuracy/Quality, Recoverability, Security and Cost. The cost consequences of failures to meet a requirement are a key SLA negotiation issue. A due diligence process can help one focus on areas that need attention and/or improvement. Another point is to have a few key SLAs that are reasonable and measurable.
For example, if you are focusing on availability you don’t need to include in the SLAs all the elements that go into availability, such as response time, trained technicians, responsive call handlers and so forth. You may want to include a vendor’s report on these elements as key performance indicators (KPIs) to help understand what went wrong in the process that led to a failed SLA. The difference between SLAs and KPIs is that the vendor’s monetary credits are based on missing SLA targets, not on missing KPI metrics. Some additional tips:
When a vendor owes credits, have a process to take the credits quickly.
Have an “at risk” pool to underpin the SLA process.
All SLAs should include root-cause analysis findings for failures to meet the SLA.
Consider using a third party to monitor SLAs.
Monitor SLAs on a frequent basis, ideally on a continual basis.
Have a clause to review the SLAs at least monthly and apply credits for poor performance.
An “at risk” pool is a sum of money available for allocation to the SLAs. The “at risk” amount can be a percentage of total monthly charges held back and placed at risk by the service provider, tied to attainment of critical service levels. Alternatively, the pool may be a percentage of the total contract amount set aside as a payment-for-performance amount; the result is, for example, a fixed price of 80 percent, with 20 percent set aside as payment for performance against the SLAs. A proportion of the “at risk” pool is usually allocated to each performance category. For the service provider, it establishes the maximum “at risk” amount without excessive risk, fixes the size of the “at risk” pool and allows for earn-back if it meets the performance requirements or targets specified in the SLA. For the customer, it provides a meaningful “at risk” amount which can be applied to critical service levels, and it can be tied to annual performance reviews to ensure performance, as well as to continuous improvement discussions and implementation.
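As an added example (not from the book or any vendor agreement), the following Python model works through the SLA mechanics discussed above: the RTO/RPO window for the 2:00 pm outage, measured availability for a multi-hour outage, the vendor-style credit capped at 15 percent of the monthly fee, and an 80/20 at-risk pool allocated across the SLA categories. The dollar amounts, the outage date and the category shares are constructed assumptions.

```python
"""SLA evaluation helpers: RTO/RPO windows, availability and two credit models.

Added example. Fees, dates and category shares are constructed for
illustration, not taken from any real agreement.
"""
from datetime import datetime, timedelta


def rto_rpo_window(outage_start, rto_hours, rpo_hours):
    """Return (latest acceptable restore time, point to which data must be
    recoverable). RTO bounds how long the service may stay down; RPO bounds
    how far back the last recoverable copy of the data may be."""
    restore_by = outage_start + timedelta(hours=rto_hours)
    data_current_to = outage_start - timedelta(hours=rpo_hours)
    return restore_by, data_current_to


def availability_pct(period_minutes, downtime_minutes):
    """Measured availability for the period, as a percentage."""
    if not 0 <= downtime_minutes <= period_minutes:
        raise ValueError("downtime must lie within the measurement period")
    return 100.0 * (period_minutes - downtime_minutes) / period_minutes


def capped_vendor_credit(monthly_fee, downtime_fraction, cap_fraction=0.15):
    """Credit under a typical vendor scheme: proportional to downtime but
    capped at a fraction of the monthly fee. The text cites a 15 percent cap
    that applied even at 100 percent downtime."""
    proportional = monthly_fee * downtime_fraction
    return min(proportional, monthly_fee * cap_fraction)


def at_risk_pool_credits(monthly_fee, at_risk_fraction, allocation, met):
    """Customer-side model: a share of the fee is held at risk and split
    across SLA categories. Each missed category forfeits its share to the
    customer as a credit; each met category is earned back by the vendor.

    allocation: category -> share of the pool (shares must sum to 1.0)
    met: category -> True if the SLA target for that category was met
    Returns (credit_owed_to_customer, amount_earned_back_by_vendor).
    """
    if abs(sum(allocation.values()) - 1.0) > 1e-9:
        raise ValueError("allocation shares must sum to 1.0")
    if set(allocation) != set(met):
        raise ValueError("every allocated category needs a met/missed result")
    pool = monthly_fee * at_risk_fraction
    credit = sum(pool * share for cat, share in allocation.items() if not met[cat])
    return credit, pool - credit


def demo():
    """Walk through the figures used in the SLA discussion (constructed)."""
    # Outage at 2:00 pm on a constructed date, four-hour RTO, eight-hour RPO.
    restore_by, data_to = rto_rpo_window(datetime(2011, 5, 2, 14, 0), 4, 8)
    # A nine-hour outage in a 30-day month.
    avail = availability_pct(30 * 24 * 60, 9 * 60)
    # Vendor-capped credit for a full month of downtime on a $100,000 fee:
    # the cap, not the outage, decides what the customer gets back.
    capped = capped_vendor_credit(100_000, 1.0)
    # 80/20 fixed/at-risk split, pool allocated across five categories,
    # with availability and recoverability missed this month.
    allocation = {"availability": 0.40, "performance": 0.15,
                  "accuracy": 0.15, "recoverability": 0.15, "security": 0.15}
    met = {"availability": False, "performance": True, "accuracy": True,
           "recoverability": False, "security": True}
    credit, earned = at_risk_pool_credits(100_000, 0.20, allocation, met)
    return {"restore_by": restore_by, "data_current_to": data_to,
            "availability_pct": avail, "capped_credit": capped,
            "pool_credit": credit, "earned_back": earned}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```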
Legal “Cloudy and Foggy”
In the past, many legal issues involved in commercial cloud computing were settled during contract evaluation (i.e., when making comparisons between different providers), much as in the days of the mainframe computer vendors, whose own contract was a condition of the project. Opportunities exist for prospective customers of cloud services to choose providers whose contracts are negotiable. Employing an RFP process (such as that used in the GSA cloud efforts for email and IaaS) helps your negotiation efforts. Standard contract clauses require additional review because of the nature of cloud computing. The parties to a contract should pay particular attention to their rights and obligations related to notification of security breaches, data transfers, data ownership, change of control and access to data by law enforcement entities. Because the cloud can be used to outsource critical internal infrastructure, and the interruption of that infrastructure may have wide-ranging effects, the parties should carefully consider whether standard limitations on liability adequately represent the allocation of liability, given the parties’ use of the cloud or responsibilities for infrastructure. Until legal precedent and regulations address security concerns specific to cloud computing, customers and cloud providers alike should look to the terms of their contract to address security risks effectively. In commercial agreements most companies will “carve out” exceptions to limitations of liability. These carve-outs would cover gross negligence, willful misconduct, violations of confidentiality and intellectual property matters. Use a lawyer to help you with specific language in the event your template agreements do not address the limitation of liability and the carve-outs from it.
The following is a list of areas the customer should pay particular attention to when assessing SLAs and other agreement documents for cloud services (from the European Network and Information Security Agency, ENISA):
1. Data Protection: attention should be paid to choosing a processor that provides sufficient technical security measures and organizational measures governing the processing to be carried out, and to ensuring compliance with those measures.
2. Data Security: attention should be paid to mandatory data security measures that potentially cause either the cloud provider or the customer to be subject to regulatory and judicial measures if the contract does not address these obligations.
3. Data Transfer: attention should be paid to what information is provided to the customer regarding how data is transferred within the cloud provider’s proprietary cloud, outside that cloud, and within and outside the United States.
4. Law Enforcement Access: each country has unique restrictions on, and requirements providing for, law enforcement access to data. The customer should pay attention to information available from the provider about the jurisdictions in which data may be stored and processed, and evaluate any risks resulting from the jurisdictions which may apply.
5. Confidentiality and Non-disclosure: the duties and obligations related to this issue should be reviewed. Define personally identifiable information as confidential information.
6. Intellectual Property: in the case of IaaS and PaaS, intellectual property, including original works created using the cloud infrastructure, may be stored. The cloud customer should ensure that the contract respects their rights to any intellectual property or original works as far as possible, without compromising the quality of service offered (e.g., backups may be a necessary part of offering a good service level).
7. Risk Allocation and Limitation of Liability: when reviewing their respective contract obligations, the parties should underscore those obligations that present significant risk to them by including monetary remediation clauses, or obligations to indemnify, for the other party’s breach of that contract obligation. Furthermore, any standard clauses covering limitations of liability should be evaluated carefully.
8. Change of Control: transparency concerning the cloud provider’s continuing ability to honor their contract obligations in the case of a change of control, as well as any possibility to rescind the contract.
Private Cloud Challenges
Slower implementation: you keep data on your own machines and software, but lose some of the economic and fast-implementation benefits of cloud services.
May not provide the scalability and agility of public cloud services, and the savings on maintenance, upgrades, new servers and new technology are forgone.
Have to procure and manage hardware and software.
Generally more expensive than public cloud.
PaaS Issues
First-generation PaaS solutions may require you to build in redundancy, may raise your costs and may result in proprietary lock-in. Developing on a particular PaaS platform may require a customer to write code against the vendor’s potentially unique platform. That code may not be easily transferable to another PaaS platform, and so could lead to lock-in. Ideally, PaaS should support your current programming models and applications, enable cloud portability, and provide the abstraction and management capabilities necessary to simplify application development and deployment. PaaS systems should have flexibility and portability designed into the architecture to prevent technology lock-in.
Other Key Challenges to Consider
Where do the applications and/or servers reside?
What is their capacity?
What support is provided?
What are your options to minimize the impact if the cloud vendor has service interruption?
In the event of a security breach, what are the privacy and legal liabilities, given that databases housing sensitive information will now be housed offsite?
STEP 2
Understanding The Federal Government’s New Approach To Cloud Computing
Why is Cloud Computing Important?
The global cloud-computing market is expected to reach $241 billion in 2020, up from $41 billion in 2010, according to Forrester Research. In a nutshell, cloud computing can save time and money, as well as provide for quick solution deployments. How you implement it is important, since you must address security (including personal data privacy), consider vendor viability, and decide how to measure performance and success, among other factors. The federal government’s “Cloud First” policy is energizing agencies’ movement to the cloud.
Cloud First
To harness the benefits of cloud computing, the White House has instituted a Cloud First policy. This policy is intended to accelerate the pace at which the government will realize the value of cloud computing by requiring agencies to evaluate safe, secure cloud computing options before making any new investments. By leveraging shared infrastructure and economies of scale, cloud computing presents a compelling business model for federal leadership. Organizations will be able to measure and pay for only the IT resources they consume, increase or decrease their usage to match requirements and budget constraints, and leverage the shared underlying capacity of IT resources via a network. Resources needed to support mission critical capabilities can be provisioned more rapidly, and with minimal overhead and routine provider interaction.
Cloud computing can be implemented using a variety of deployment models—private, community, public or a hybrid combination. Cloud computing offers the government an opportunity to be more efficient, agile and innovative through more effective use of IT investments, and by applying innovations developed in the private sector. If an agency wants to launch a new innovative program, it can quickly do so by leveraging cloud infrastructure without having to acquire significant hardware, lowering both time and cost barriers to deployment. This Federal Cloud Computing Strategy is designed to:
Articulate the benefits, considerations and trade-offs of cloud computing
Provide a decision framework and case examples to support agencies in migrating towards cloud computing
Highlight cloud computing implementation resources
Identify federal government activities, and roles and responsibilities, for catalyzing cloud adoption
Must Do: Each agency is required to reevaluate its technology sourcing strategy to include consideration and application of cloud computing solutions as part of the budget process.
Consistent with the Cloud First policy, agencies must modify their IT portfolios to take full advantage of the benefits of cloud computing in order to maximize capacity utilization, improve IT flexibility and responsiveness, and minimize cost. “The cloud will do for the government what the Internet did in the ’90s. We’re interested in consumer technology for the enterprise. It’s a fundamental change to the way our government operates by moving to the cloud. Rather than owning the infrastructure, we can save millions.” Vivek Kundra, former federal CIO.
In testimony before the Senate Subcommittee on Federal Financial Management, Government Information Services, Federal Services and International Security Committee on Homeland Security and Homeland Affairs, on April 28, 2009, the Government Accountability Office (GAO) said management and oversight of projects totaling billions of dollars needed more attention. David A. Powner, Director of Information Technology Management Issues at GAO, said billions of taxpayer dollars are spent on federal information technology (IT) projects each year. Given the size of these investments and their significance to the health, economy, and security of the nation, it is important that the Office of Management and Budget (OMB) and federal agencies are providing adequate oversight and ensuring transparency of these programs. Appropriate oversight and transparency will help ensure that programs are delivered on time, within budget and with the promised capabilities.
Step 2. The Federal Government’s New Approach
25
President’s Cyber Policy
In the Memorandum on Transparency and Open Government, issued on January 21, 2009, President Obama instructed the Director of the Office of Management and Budget (OMB) to issue an Open Government Directive. Responding to that instruction, OMB issued its Directive on December 8, 2009. It directs executive departments and agencies to take specific actions to implement the principles of transparency, participation and collaboration set forth in the President’s Memorandum. The three principles of transparency, participation and collaboration form the cornerstone of an open government. Transparency promotes accountability by providing the public with information about what the government is doing. Participation allows members of the public to contribute ideas and expertise, so that their government can make policies with the benefit of information that is widely dispersed in society. Collaboration improves the effectiveness of government by encouraging partnerships and cooperation within the federal government, across levels of government, and between the government and private institutions. This Open Government Directive establishes deadlines for action. But because of the presumption of openness that President Obama has endorsed, agencies are encouraged to advance their open government initiatives well ahead of those deadlines. As part of the open government initiative, federal departments have also been urged to exchange information and best practices and to contribute to the federal dashboard, which is designed to help them assess the effectiveness of government IT spending and make this information available to the public. Departments are also being encouraged to review their data center policies and consider the economics of switching to cloud computing.
25-Point Implementation Plan to Reform Federal Information Technology Management
Information technology should enable government to better serve the American people. But despite spending more than $600 billion on information technology over the past decade, the federal government has achieved little of the productivity improvement that private industry has realized from IT. Too often, federal IT projects run over budget, behind schedule or fail to deliver promised functionality. Many projects use “grand design” approaches that aim to deliver functionality every few years, rather than breaking projects into more manageable chunks and demanding new functionality every few quarters. In addition, the federal government too often relies on large, custom, proprietary systems when “light technologies” or shared services exist. Government officials have been trying to adopt best practices for years – from the Raines Rules of the 1990s through the Clinger-Cohen Act and the acquisition regulations that followed. But obstacles have always gotten in the way. A 25-point action plan has been designed to clear these obstacles and deliver more value to the American taxpayer. It should allow agencies to leverage information technology to create a more efficient and effective government. These actions have been planned to take place over the next 18 months and place ownership with OMB and agency operational centers, as appropriate. While the 25 points may not solve all federal IT challenges, they will address many of the most pressing, persistent challenges. This plan requires a focus on execution and is designed to establish some early wins to garner momentum for the federal government’s continued efforts. Active involvement from agency leadership is critical to the success of these reforms. As such, the federal CIO will work with the President’s Management Council to successfully implement this plan. Some highlights of the implementation plan include:
Turnaround or terminate at least one-third of underperforming projects in IT portfolio within the next 18 months.
Shift to “Cloud First” policy. Each agency will identify three “must move” services within three months, and move one of those services to the cloud within 12 months and the remaining two within 18 months.
Reduce number of federal data centers by at least 800 by 2015.
Only approve funding of major IT programs that:
Have a dedicated program manager and a fully staffed integrated program team;
Use a modular approach with usable functionality delivered every six months; and
Use specialized IT acquisition professionals.
Work with Congress to:
Consolidate commodity IT funding under agency CIOs;
Develop flexible budget models that align with modular development; and
Launch an interactive platform for pre-RFP agency-industry collaboration.
The 25 Points
1. Complete detailed implementation plans to consolidate at least 800 data centers by 2015.
2. Create a government-wide marketplace for data center availability.
3. Shift to a “Cloud First” policy.
4. Stand up contract vehicles for secure IaaS solutions.
5. Stand up contract vehicles for commodity services.
6. Develop a strategy for shared services.
7. Design a formal IT program management career path.
8. Scale the IT program management career path government-wide.
9. Require integrated program teams.
10. Launch a best-practices collaboration platform.
11. Launch a technology fellows program.
12. Enable IT program-manager mobility across government and industry.
13. Design and develop a cadre of specialized IT acquisition professionals.
14. Identify IT acquisition best practices and adopt them government-wide.
15. Issue contracting guidance and templates to support modular development.
16. Reduce barriers to entry for small innovative technology companies.
17. Work with Congress to develop IT budget models that align with modular development.
18. Develop supporting materials and guidance for flexible IT budget models.
19. Work with Congress to scale flexible IT budget models more broadly.
20. Work with Congress to consolidate commodity IT spending under agency CIOs.
21. Reform and strengthen Investment Review Boards.
22. Redefine the role of agency CIOs and the Federal CIO Council.
23. Roll out the “TechStat” model at bureau level.
24. Launch a “myth-busters” education campaign.
25. Launch an interactive platform for pre-RFP agency-industry collaboration.
Federal CIO Statements
Launching the government’s Federal Cloud Computing Strategy in February 2011, the then Chief Information Officer, Vivek Kundra, said, “The federal government’s current Information Technology (IT) environment is characterized by low asset utilization, a fragmented demand for resources, duplicative systems, environments which are difficult to manage, and long procurement lead times. These inefficiencies negatively impact the federal government’s ability to serve the American public.

“Cloud computing has the potential to play a major part in addressing these inefficiencies and improving government service delivery. The cloud computing model can significantly help agencies grappling with the need to provide highly reliable, innovative services quickly despite resource constraints. Commercial service providers are expanding their available cloud offerings to include the entire traditional IT stack of hardware and software infrastructure, middleware platforms, application system components, software services and turnkey applications. The private sector has taken advantage of these technologies to improve resource utilization, increase service responsiveness and accrue meaningful benefits in efficiency, agility and innovation. Similarly, for the federal government, cloud computing holds tremendous potential to deliver public value by increasing operational efficiency and responding faster to constituent needs.

“An estimated $20 billion of the federal government’s $80 billion in IT spending is a potential target for migration to cloud computing solutions,” he said.

In 1998, the government had 432 data centers. Today, the figure stands at 2,094 facilities. The U.S. manages more than 12,000 major applications across the federal government. It spends $24 billion on IT infrastructure per annum, Mr. Kundra said during a panel discussion at Salesforce.com’s Dreamforce event in San Francisco.
“Think about where all the money is going and think about how we actually serve our constituents, because all that money’s being spent on redundant infrastructure, redundant application that we’re not able to optimize,” Kundra told conference delegates. The Cloud First policy that he championed had a few wins. The General Services Administration shaved IT costs by 50 percent by moving to a cloud model. We’re already seeing agencies such as GSA, the Recovery Board and USDA actually adopt the Cloud First policy. Mr. Kundra said if $20 billion worth of IT projects were transitioned to the cloud, it would deliver savings of $5 billion.
Cybersecurity Gets a Boost
As the federal government moves to the cloud, it must be vigilant to ensure the security and proper management of government information to protect the privacy of citizens and national security. The transition to an outsourced, cloud computing environment is in many ways an exercise in risk management. Risk management entails identifying and assessing risk, and taking the steps to reduce it to an acceptable level. Throughout the system lifecycle, risks that are identified must be carefully balanced against the security and privacy controls available and the expected benefits. Too many controls can be inefficient and ineffective. Federal agencies and organizations should work to ensure an appropriate balance between the number and strength of controls and the risks associated with cloud computing solutions. The federal government will create a transparent security environment between cloud vendors and cloud consumers. The environment will move us to a level where the federal government’s understanding and ability to assess its security posture will be superior to that which is provided within agencies today. The first step in this process was the 2010 Federal Risk and Authorization Management Program (FedRAMP).
FedRAMP
FedRAMP was established to provide a standard approach to Assessing and Authorizing (A&A) cloud computing services and products. FedRAMP allows joint authorizations and continuous security monitoring services for government and commercial cloud computing systems intended for multi-agency use. Joint authorization of cloud vendors results in a common security risk model that can be leveraged across the federal government. The use of this common security risk model provides a consistent baseline for cloud-based technologies. This common baseline ensures that the benefits of cloud-based technologies are effectively integrated across the various cloud computing solutions currently proposed within the government. The risk model enables the government to “approve once, and use often” by ensuring multiple agencies gain the benefit and insight of the FedRAMP authorization and access to service providers’ authorization packages. FedRAMP defines requirements for cloud computing security controls, including vulnerability scanning, and incident monitoring, logging and reporting. Implementing these controls will improve confidence and encourage trust in the cloud computing environment. FedRAMP is covered in more detail later in this book. To strengthen security from an operational perspective, the Department of Homeland Security (DHS) will prioritize a list of top security threats every six months or as needed, and work with a government-wide team of security experts to ensure that proper security controls and measures are implemented to mitigate these threats. Potential security benefits of using cloud computing services include:
The ability to focus resources on areas of high concern as more general security services are assumed by the cloud vendor.
Potential platform strength resulting from greater uniformity and homogeneity, and resulting improved information assurance, security response, system management, reliability and maintainability.
Improved resource availability through scalability, redundancy and disaster recovery capabilities; improved resilience to unanticipated service demands.
Improved backup and recovery capabilities, policies, procedures and consistency.
Ability to leverage alternate cloud services to improve the overall security posture, including that of traditional data centers.
Agencies should also weigh the additional potential vulnerabilities associated with various cloud computing service and deployment models, such as:
The inherent system complexity of a cloud computing environment, and the dependency on the correctness of these components and the interactions among them.
The dependency on the service provider to maintain logical separation in a multi-tenant environment. (Note: this is not unique to the cloud computing model.)
The need to ensure that the organization retains an appropriate level of control to obtain situational awareness, weigh alternatives, set priorities, and effect changes in security and privacy that are in the best interest of the organization.
Key security considerations include the need to:
Carefully define security and privacy requirements during the initial planning stage at the start of the systems development lifecycle.
Determine the extent to which negotiated service agreements are required to satisfy security requirements; and the alternatives of using negotiated service agreements or cloud computing deployment models which offer greater oversight and control over security and privacy.
Assess the extent to which the server and client-side computing environment meets organizational security and privacy requirements.
Continue to maintain security management practices, controls and accountability over the privacy and security of data and applications.
In the short- and long-term, these actions will continue to improve the federal government’s confidence in the use of cloud services by helping to mitigate security risks.
More on FedRAMP
Agencies are concerned about the risks of housing data offsite in a cloud if FISMA security controls and accountabilities are not in place. In other words, agencies need to have a valid certification and accreditation (C&A) process and a signed Authority to Operate (ATO) in place for each cloud-based product they use. While vendors are willing to meet security requirements, they would prefer not to go through the expense and effort of obtaining a C&A and ATO for each use of that product in all the federal departments and agencies.
Remember: One of the most significant obstacles to the adoption of cloud computing is security.
The PMO formed a security working group, initially chaired by NIST, to address this problem. The group developed a process and corresponding security controls that were agreed to by multiple agencies: the Federal Risk and Authorization Management Program (FedRAMP). FedRAMP is a government-wide initiative to provide joint authorizations and continuous security monitoring services for all federal agencies, with an initial focus on cloud computing. By providing unified government-wide risk management for enterprise-level IT systems, FedRAMP will enable agencies to either use or leverage authorizations with:
Vetted interagency approach;
Consistent application of federal security requirements;
Improved community-wide risk management posture; and
Increased effectiveness and management cost savings.
FedRAMP allows agencies to use or leverage authorizations. Under this program, agencies will be able to review the security details, leverage the existing authorization, and secure agency usage of the system. This should greatly reduce cost, enable rapid acquisition and reduce effort. FedRAMP has three components:
Security Requirement Authorities which create government-wide baseline security requirements that are interagency developed and approved. This will initially be the Federal Cloud Computing Initiative and ultimately live with the ISIMC Working Group.
The FedRAMP Office which will coordinate authorization packages, manage authorized system lists and provide continuous monitoring oversight. This will be managed by GSA.
A Joint Authorization Board which will perform authorizations and on-going risk determinations to be leveraged government-wide. The board will consist of representatives from GSA, DoD, DHS and the sponsoring agency of the authorized system.
To vet this program and ensure that it will meet the security requirements of the government while streamlining the process for industry, GSA is working with OMB, the marketplace and security groups including the Federal CIO Council’s Information Security and Identity Management Committee. The decision to embrace cloud computing technology is a risk-based decision, not a technology-based decision. As such, this decision from a risk management perspective requires inputs from all stakeholders, including the CIO, CISO, Office of General Counsel (OGC), privacy official and the program owner. Once the business decision has been made to move towards a cloud computing environment, agencies must then determine the appropriate manner for their security assessments and authorizations.
Cloud Computing and Government-Wide Risk and Authorization
Cloud computing systems are hosted on large, multi-tenant infrastructures. This shared infrastructure provides the same boundaries and security protocols for each customer. In such an environment, completing the security assessment and authorization process separately by each customer is redundant. Instead, a government-wide risk and authorization program would enable providers and the program office to complete the security assessment and authorization process once and share the results with customer agencies.
Additionally, the Federal Information Security Management Act (FISMA) and NIST special publications provide federal agencies with the guidance and framework needed to securely use cloud systems. However, interpretation and application of FISMA requirements and NIST standards vary greatly from agency to agency. Not only do agencies have varying numbers of security requirements at or above the NIST baseline, many times additional requirements from multiple agencies are not compatible on the same system. A government-wide risk and authorization program for cloud computing would allow agencies to completely leverage the work of an already completed authorization or only require an agency to complete delta requirements (i.e., unique requirements for that individual agency). Finally, security authorizations have become increasingly time-consuming and costly both for the federal government and private industry. A government-wide risk and authorization program will promote faster and cost-effective acquisition of cloud computing systems by using an “authorize once, use often” approach to leveraging security authorizations. Additionally, such a program will promote the Administration’s goal of openness and transparency in government. All of the security requirements, processes, and templates will have to be made publicly available for consumption not only by federal agencies but private vendors as well. This will allow federal agencies to leverage this work at their agency but private industry will also finally have the full picture of what a security authorization will entail prior to being in a contractual relationship with an agency.
Cloud Computing Security Requirements Baseline
In the case of FedRAMP, two sets of security controls have been defined for low-impact and moderate-impact cloud information systems respectively. The impact levels are based on the sensitivity and criticality of the federal information being processed, stored and transmitted by cloud information systems as defined in Federal Information Processing Standard 199. All NIST security standards and guidelines used to define the requirements for the FedRAMP cloud computing initiative are publicly available at csrc.nist.gov. The FedRAMP defined security controls are organized by the 17 control families identified in NIST Special Publication 800-53, Revision 3 and provide the following information:
Control Number and Name – The control number and control name relate to the control as defined in NIST Special Publication 800-53, Revision 3.
Control Baseline – The control is listed in either the Low or Moderate impact column where applicable to that baseline. If the control is not applicable, a blank will appear in that column. If a control enhancement is applicable, the enhancement is designated inside of parentheses. Additional security controls and control enhancements that are not included in the low and moderate control baselines defined in NIST Special Publication 800-53 Revision 3 (Appendix D) are denoted in bold font. For example:
AC-2: Control is included in the NIST Baseline
AC-2 (1): Control enhancement is included in the NIST Baseline
AC-2 (7): FedRAMP specific control enhancement
Control Parameter Requirements – Certain controls are defined with implementation parameters. These parameters identify the scope, frequency and other considerations for how cloud service providers address specific controls and enhancements.
Additional Requirements and Guidance – These entries represent additional required security controls for cloud computing applications and environments of operation selected from the security control catalog in NIST Special Publication 800-53 Revision 3 (Appendix F). Required parameter values for the variable parts of security controls and control enhancements (designated by assignment and selection statements) are also provided.
Continuous Monitoring
Must Do: A critical aspect of managing risk to information from the operation and use of information systems involves the continuous monitoring of the security controls employed within or inherited by the system.
Conducting a thorough point-in-time assessment of the deployed security controls is a necessary but not sufficient condition to demonstrate security due diligence. An effective organizational information security program also includes a rigorous continuous monitoring program integrated into the System Development Life Cycle (SDLC). The objective of the continuous monitoring program is to determine if the set of deployed security controls continue to be effective over time, in light of the inevitable changes that occur.
Continuous monitoring is a proven technique to address the security impacts on an information system resulting from changes to the hardware, software, firmware or operational environment. A well-designed and well-managed continuous monitoring program can effectively transform an otherwise static security control assessment and risk determination process into a dynamic process that provides essential, near real-time security status-related information to organizational officials in order to take appropriate risk mitigation actions and make cost-effective, risk-based decisions regarding the operation of the information system. Continuous monitoring programs provide organizations with an effective mechanism to update Security Plans, Security Assessment Reports, and Plans of Action and Milestones (POA&Ms). An effective continuous monitoring program includes:
Configuration management and control processes for information systems;
Security impact analyses on proposed or actual changes to information systems and environments of operation;
Assessment of selected security controls (including system-specific, hybrid and common controls) based on the defined continuous monitoring strategy;
Security status reporting to appropriate officials; and
Active involvement by authorizing officials in the ongoing management of information system-related security risks.
FedRAMP is designed to facilitate a more streamlined approach and methodology to continuous monitoring. Accordingly, service providers must demonstrate their ability to perform continuous monitoring across the defined IT security boundary. While FedRAMP will not prescribe specific toolsets to perform these functions, FedRAMP does prescribe their minimum capabilities. Furthermore, FedRAMP will prescribe specific reporting criteria that service providers can utilize to fulfill their FISMA reporting responsibilities while minimizing the resource strain that is often experienced.
Reporting and Continuous Monitoring
Maintenance of the security Authority To Operate (ATO) will be through continuous monitoring of the security controls of the service provider’s system and its environment of operation, to determine if the security controls in the information system continue to be effective over time, in light of changes that occur in the system and environment. Through continuous monitoring, security controls and supporting deliverables are updated and submitted to FedRAMP. The submitted deliverables provide a current understanding of the security state and risk posture of the information systems. They allow FedRAMP authorizing officials to make credible risk-based decisions regarding the continued operations of the information systems and initiate appropriate responses, as needed, when changes occur. The deliverable frequencies are to be considered standards. However, there will be instances, beyond the control of FedRAMP, in which deliverables may be required on an ad hoc basis. The deliverables required during continuous monitoring are depicted in the table FedRAMP Continuous Monitoring, which lists the deliverables, the responsible party and the frequency for completion. The table is organized into:
Deliverable – Detailed description of the reporting artifact. If the artifact is expected in a specific format, that format appears in BOLD text.
Frequency – Frequency under which the artifact should be created and/or updated.
Responsibility – Whether FedRAMP or the Cloud Service Provider is responsible for creation and maintenance of the artifact.
Routine Systems Change Control Process
The Change Control Process is instrumental in ensuring the integrity of the cloud computing environment. As the system owners as well as other authorizing officials approve changes, they are systematically documented. This documentation is a critical aspect of continuous monitoring since it establishes all of the requirements that led to the need for the change as well as the specific details of the implementation. To ensure that changes to the enterprise do not alter the security posture beyond the parameters set by the FedRAMP Joint Authorization Board (JAB), the key documents in the authorization package, which include the security plan, security assessment report, and plan of action and milestones, are updated and formally submitted to FedRAMP within 30 days of approved modification. There are, however, changes that are considered to be routine. These changes can be standard maintenance, addition or deletion of users, the application of standard security patches or other routine activities. While these changes individually may not have much effect on the overall security posture of the system, in aggregate they can create a formidable security issue. To combat this possibility, these routine changes should be documented as part of the CSP’s standard change management process and accounted for via the CSP’s internal continuous monitoring plan. Accordingly, these changes must be documented, at a minimum, within the current SSP of the system within 30 days of implementation.
Configuration Change Control Process (CCP)
Throughout the System Development Lifecycle (SDLC), system owners must be cognizant of changes to the system. Since systems routinely experience changes over time to accommodate new requirements, new technologies or new risks, they must be routinely analyzed in respect to the security posture. Minor changes typically have little impact to the security posture of a system. These changes can be standard maintenance, adding or deleting users, applying standard security patches or other routine activities. However, significant changes require an added level of attention and action. NIST defines a significant change as “a change that is likely to affect the security state of an information system.” Changes such as installing a new operating system, port modification, new hardware platforms or changes to the security controls should automatically trigger a re-authorization of the system via the FedRAMP process. Minor changes must be captured and documented in the SSP of the system within 30 days of implementation. This requirement should be part of the CSP’s documented internal continuous monitoring plan.
Once the SSP is updated, it must be submitted to FedRAMP, and a record of the change must be maintained internally. Major or significant changes may require re-authorization via the FedRAMP process. In order to facilitate a re-authorization, it is the responsibility of both the CSP and the sponsoring agency to notify FedRAMP of the need to make such a significant change. FedRAMP will assist and coordinate with all stakeholders the necessary steps to ensure that the change is adequately documented, tested and approved.
FISMA Reporting Requirements
FISMA established the IT security reporting requirements. OMB, in conjunction with DHS, enforces these reporting requirements. FISMA reporting responsibilities must be clearly defined. FedRAMP will coordinate with CSPs and agencies to gather data associated with the cloud service offering. Only data related to the documented system security boundary of the cloud service offering will be collected by FedRAMP and reported to OMB at the appropriate time and frequency. Agencies will maintain their reporting responsibilities for their internal systems that correspond to the inter-connection between the agency and the cloud service offering.
Ongoing Testing of Controls and Changes to Security Controls Process
Must Do: Vulnerability patching is critical.
System owners and administrators have long maintained the responsibility for patch and vulnerability management. However, it has been proven time and again that this responsibility often requires a heavy use of resources, as well as a documented, repeatable process, to be carried out consistently and adequately. This strain on resources and lack of processes has opened the door to many malicious entities through improper patching, significant lapse in time between patch availability and patch implementation, and other security oversights. Routine system scanning and reporting is a vital aspect of continuous monitoring and, thus, maintaining a robust cyber security posture. Proprietary operating system vendors (POSV) are constantly providing patches to mitigate vulnerabilities that are discovered. In fact, regularly scheduled monthly patches are published by many POSV to be applied to the appropriate operating system. It is also the case that POSV will, from time to time, publish security patches that should be applied on systems as soon as possible due to the serious nature of the vulnerability. Systems running in a virtual environment are not exempted from patching. In fact, not only are the operating systems running in a virtual environment to be patched routinely, but often-times the virtualization software itself is exposed to vulnerabilities and, thus, must be patched either via a vendor-based solution or other technical solution. Open source operating systems require patch and vulnerability management, as well.
Due to the open nature of these operating systems there needs to be a reliable distribution point for system administrators to safely and securely obtain the required patches. Database platforms, web platforms and applications and virtually all other software applications come with their own security issues. It is not only prudent, but also necessary to stay abreast of all of the vulnerabilities that are represented by the IT infrastructure and applications that are in use. While vulnerability management is indeed a difficult and daunting task, there are proven tools available to assist the system owner and administrator in discovering the vulnerabilities in a timely fashion. These tools must be updated prior to being run. Updates are available at the corresponding vendor’s Website.
With these issues in mind FedRAMP will require CSPs to provide the following:
Monthly vulnerability scans of all servers. Tools used to perform the scan must be provided, as well as the version number reflecting the latest update. A formal report of all vulnerabilities discovered, mitigated or the mitigating strategy must be made. This report should list the vulnerabilities by severity and name. Specificity is crucial to addressing the security posture of the system. All “High-level” vulnerabilities must be mitigated within thirty (30) days of discovery. “Moderate-level” vulnerabilities must be mitigated within ninety (90) days of discovery. It is accepted that, at certain times, the application of certain security patches can cause negative effects on systems. In these situations, it is understood that compensating controls (workarounds) must be used to minimize system performance degradation while serving to mitigate the vulnerability. These workarounds must be submitted to FedRAMP and the sponsoring agency for acceptance. All reporting must reflect these activities.
Quarterly FDCC and/or system configuration compliance scans, with a Security Content Automation Protocol (SCAP) validated tool, across the entire boundary, which verifies that all servers maintain compliance with the mandated FDCC and/or approved system configuration security settings.
Weekly scans for malicious code. Internal scans must be performed with the appropriate updated toolset. Monthly reporting is required to be submitted to FedRAMP, where activity is summarized. All software operating systems and applications are required to be scanned by an appropriate tool to perform a thorough code review to discover malicious code. Mandatory reporting to FedRAMP must include tool used, tool configuration settings, scanning parameters, application scanned (name and version) and the name of the third party performing the scan. Initial report should be included with the SSP as part of the initial authorization package.
Performance of the annual Self-Assessment in accordance with NIST guidelines. CSP must perform a self-assessment annually or whenever a significant change occurs. This is necessary if there is to be a continuous awareness of the risk and security posture of the system.
Quarterly POA&M remediation reporting. CSP must provide to FedRAMP a detailed matrix of POA&M activities using the supplied FedRAMP POA&M Template. This should include milestones met or milestones missed, resources required and validation parameters.
Active Incident Response capabilities allow for suspect systems to be isolated and inspected for any unapproved or otherwise malicious applications.
Quarterly boundary-wide scans are required to be performed on the defined boundary IT system inventory to validate the proper HW and SW configurations, as well as search and discover rogue systems attached to the infrastructure. A summary report, inclusive of a detailed network architecture drawing must be provided to FedRAMP. Change Control Process meetings, to determine and validate the necessity for suggested changes to HW/SW within the enterprise, must be coordinated with FedRAMP to ensure that the JAB is aware of the changes being made to the system.
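As an added example, not the handbook’s or FedRAMP’s own tooling, the following Python tracker applies the remediation windows stated above (High within 30 days, Moderate within 90 days of discovery) to constructed scan findings and produces the severity-and-name-ordered status list a CSP would carry into its monthly vulnerability report and quarterly POA&M reporting. The Finding record, the status labels, the handling of accepted workarounds and the sample findings are this example’s own assumptions.

```python
"""Added example (not the handbook's or FedRAMP's own tooling): track scan
findings against the remediation windows stated in the text, High within
30 days and Moderate within 90 days of discovery, and produce the
severity-and-name-ordered list for monthly reporting and POA&M follow-up.
The Finding record, status labels and sample data are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation windows from the text, in days after discovery. Low-severity
# findings have no window stated on the page, so they are only tracked.
REMEDIATION_DAYS = {"High": 30, "Moderate": 90}
SEVERITY_RANK = {"High": 0, "Moderate": 1, "Low": 2}


@dataclass
class Finding:
    name: str                          # vulnerability name as reported by the scan tool
    severity: str                      # "High", "Moderate" or "Low"
    discovered: date                   # date first reported by a scan
    mitigated: Optional[date] = None   # date the patch or fix was applied, if any
    workaround_accepted: bool = False  # compensating control accepted by FedRAMP and the agency


def deadline(finding: Finding) -> Optional[date]:
    """Mitigation deadline for a finding, or None when no window applies."""
    days = REMEDIATION_DAYS.get(finding.severity)
    return None if days is None else finding.discovered + timedelta(days=days)


def status(finding: Finding, as_of: date) -> str:
    """Classify one finding as of a reporting date.

    mitigated    fixed on or before its deadline
    late         fixed, but after its deadline (still reported as a lapse)
    compensated  open, but an accepted workaround is in place
    overdue      open and past its deadline: a POA&M item with a missed milestone
    open         open and still within its window
    tracked      Low severity: no window stated, reported only
    """
    due = deadline(finding)
    if due is None:
        return "tracked"
    if finding.mitigated is not None:
        return "mitigated" if finding.mitigated <= due else "late"
    if finding.workaround_accepted:
        return "compensated"
    return "overdue" if as_of > due else "open"


def report(findings, as_of: date):
    """Rows ordered by severity then name, as the text asks the report to be listed."""
    ordered = sorted(findings, key=lambda f: (SEVERITY_RANK.get(f.severity, 9), f.name))
    rows = []
    for f in ordered:
        due = deadline(f)
        rows.append({
            "name": f.name,
            "severity": f.severity,
            "discovered": f.discovered.isoformat(),
            "deadline": "" if due is None else due.isoformat(),
            "status": status(f, as_of),
        })
    return rows


def overdue_names(findings, as_of: date):
    """Names of findings that have passed their window with no accepted workaround."""
    return [r["name"] for r in report(findings, as_of) if r["status"] == "overdue"]


# Constructed sample findings (not output of any real scan tool).
REPORT_DATE = date(2011, 10, 15)
SAMPLE = [
    Finding("Kernel privilege escalation", "High", date(2011, 9, 1), mitigated=date(2011, 9, 20)),
    Finding("Web server buffer overflow", "High", date(2011, 9, 1)),
    Finding("Mail relay misconfiguration", "Moderate", date(2011, 5, 1), mitigated=date(2011, 9, 1)),
    Finding("Outdated database client library", "Moderate", date(2011, 6, 1)),
    Finding("Weak TLS cipher suites enabled", "Moderate", date(2011, 8, 1), workaround_accepted=True),
    Finding("Verbose server banner", "Low", date(2011, 9, 15)),
]

if __name__ == "__main__":
    for row in report(SAMPLE, REPORT_DATE):
        print(f'{row["severity"]:<9}{row["status"]:<12}{row["deadline"]:<11}{row["name"]}')
```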
Incident Response
Remember: Preventative activities based on the results of risk assessments can lower the number of incidents, but not all incidents can be prevented.
Computer security incident response has become an important component of information technology (IT) programs. Security-related threats have become not only more numerous and diverse but also more damaging and disruptive. New types of security-related incidents emerge frequently. An incident response capability is therefore necessary for rapidly detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited and restoring computing services.
To that end, NIST SP 800-61 provides guidelines for development and initiation of an incident handling program, particularly for analyzing incident-related data and determining the appropriate response to each incident.
The guidelines can be followed independently of particular hardware platforms, operating systems, protocols, or applications. As part of the authorization process the system security plan will have documented all of the “IR” or Incident Response family of controls. One of these controls (IR-8) requires the development of an Incident Response plan that will cover the lifecycle of incident response as documented in the NIST SP 800-61 guidelines. The plan should outline the resources and management support that is needed to effectively maintain and mature an incident response capability. The incident response plan should include these elements:
Mission
Strategies and goals
Senior management approval
Organizational approach to incident response
How the incident response team will communicate with the rest of the organization
Metrics for measuring the incident response capability
Roadmap for maturing the incident response capability
How the program fits into the overall organization
The organization’s mission, strategies and goals for incident response should help in determining the structure of its incident response capability. The incident response program structure should also be discussed within the plan. The response plan must address the possibility that incidents, including privacy breaches and classified spills, may impact the cloud and shared cloud customers. In any shared system, communication is the biggest key to success. As part of the continuous monitoring of a system, responding to incidents will be a key element. The FedRAMP concern and its role in continuous monitoring will be to focus on how a provider conducted the incident response and any after-incident actions.
One of the most important parts of incident response is also the most often omitted – learning and improving.
Step 2. The Federal Government’s New Approach
Each incident response team should evolve to reflect new threats, improved technology and lessons learned including a root cause analysis of the incident. Many organizations have found that holding a “lessons learned” meeting with all involved parties after a major incident, and periodically after lesser incidents, is extremely helpful in improving security measures and the incident handling process itself. This meeting provides a chance to achieve closure with respect to an incident by reviewing what occurred, what was done to intervene, and how well intervention worked. The meeting should be held within several days of the end of the incident. Questions to be answered in the lessons learned meeting include:
Exactly what happened, and at what times?
How well did staff and management perform in dealing with the incident? Were the documented procedures followed? Were they adequate?
What information was needed sooner?
Were any steps or actions taken that might have inhibited the recovery?
What would the staff and management do differently in a future occurrence?
What corrective actions can prevent similar incidents in the future?
What tools/resources are needed to detect, analyze and mitigate future incidents?
Small incidents need limited post-incident analysis, with the exception of incidents performed through new attack methods that are of widespread concern and interest. After serious attacks have occurred, it is usually worthwhile to hold post-mortem meetings that cross team and organizational boundaries to provide a mechanism for information sharing. The primary consideration in holding such meetings is ensuring that the right people are involved. Not only is it important to invite people who have been involved in the incident that is being analyzed, it is also wise to consider who should be invited for the purpose of facilitating future cooperation.
Independent Verification and Validation
Independent Verification and Validation (IV&V) is going to be an integral component to a successful implementation of FedRAMP. With this in mind, it must be noted that establishing and maintaining an internal expertise of FedRAMP policies, procedures and processes is going to be required. This expertise will be tasked to perform various IV&V functions with CSPs, sponsoring agencies and commercial entities obtained by CSPs with absolute independence on behalf of FedRAMP. FedRAMP IV&V will be on behalf of the JAB. As part of these efforts, FedRAMP will periodically perform audits (both scheduled and unscheduled) related strictly to the cloud computing service offering and the established system boundary. This will include, but not be limited to:
Scheduled annual assessments of the system security documentation;
Verification of testing procedures;
Validation of testing tools and assessments;
Validation of assessment methodologies employed by the CSP and independent assessors;
Verification of the CSP continuous monitoring program; and
Validation of CSP risk level determination criteria.
There are several methods that must be employed to accomplish these tasks. In accordance with the new FISMA requirement, and as a matter of implementing industry best practices, FedRAMP IV&V will be performing penetration testing. This testing will be performed with strict adherence to the specific guidelines established by a mutually agreed upon Rules of Engagement agreement between FedRAMP IV&V and the target stakeholders. Unless otherwise stated in the agreement, all penetration testing will be passive in nature to avoid unintentional consequences. No attempts to exploit vulnerabilities will be allowed unless specified within the Rules of Engagement agreement.
Potential Assessment and Authorization Approach
Cloud computing presents a unique opportunity to increase the effectiveness and efficiency of the A&A and Continuous Monitoring process for federal agencies. The nature of cloud computing systems does not allow federal agencies to enforce their own unique security requirements and policies on a shared infrastructure, as many of these unique requirements are incompatible. Hence, cloud computing provides an opportunity for the federal agencies to work together to create a common security baseline for authorizing these shared systems. The implementation of a common security baseline requires a joint approach for the A&A and Continuous Monitoring process. Any joint approach to this process requires a coordinated effort of many operational components working together. These operations need to interact with each other to successfully authorize and monitor cloud systems for government-wide use. FedRAMP operations could potentially be executed by different entities and in many different models. However, the end goal is to establish an ongoing A&A approach that all federal agencies can leverage. To accomplish that goal, the following benefits are desired, regardless of the operating approach:
Inter-agency vetted Cloud Computing Security Requirement baseline that is used across the federal government;
Consistent interpretation and application of security requirement baseline in a cloud computing environment;
Consistent interpretation of cloud service provider authorization packages using a standard set of processes and evaluation criteria;
More consistent and efficient continuous monitoring of cloud computing environment/systems fostering cross-agency communication in best practices and shared knowledge; and
Cost savings/avoidance realized due to the “Approve once, use often” concept for security authorization of cloud systems.
FedRAMP operations could be conducted under many delivery models. The Federal Cloud Computing Initiative (FCCI) has focused on exploring three models in particular. The three models for assessment vetted within government and industry are:
A centralized approach working through a FedRAMP program office;
A federated model using capabilities of multiple approved agency centers; and
Some combination of these that combines public and private sector partners.
IT Reform Push, Nine Months After ‘Cloud First’
Introduction
As part of a broader IT transformation, the federal government needs to fundamentally shift its mindset from building custom systems to adopting light technologies and shared solutions. Too often, agencies build large standalone systems from scratch, segregated from other systems. These systems often duplicate others already within the federal government, wasting taxpayer dollars. The growth in data centers, from 432 in 1998 to 2,094 in 2010, highlights this problem. Leading private sector companies have taken great strides to improve their operating efficiencies. Cloud technologies enable IT services to efficiently share demand across infrastructure assets, reducing the overall reserve capacity across the enterprise. Additionally, leveraging shared services of “commodity” applications, such as email across functional organizations, allows organizations to redirect management attention and resources towards value-added activities. The massive scale of the federal government allows for great potential to leverage these efficiencies. On August 8, 2011, Jacob Lew, Director, Office of Management and Budget, issued the following memorandum:
In December 2010, the Administration released the 25-Point Implementation Plan to Reform Federal Information Technology (IT) Management. The reforms are focused on eliminating barriers that get in the way of effectively managing IT programs throughout the federal government. Too many federal IT projects have run over budget, fallen behind schedule or failed to deliver promised functionality, hampering agency missions and wasting taxpayer dollars. As the federal government implements the reform agenda, it is changing the role of Agency Chief Information Officers (CIOs) away from just policymaking and infrastructure maintenance, to encompass true portfolio management for all IT.
This will enable CIOs to focus on delivering IT solutions that support the mission and business effectiveness of their agencies and overcome bureaucratic impediments to deliver enterprise-wide solutions. This memo is designed to clarify the primary area of responsibility for Agency CIOs throughout the government, as identified in the IT Reform Plan.
Agency CIOs must be positioned with these responsibilities and authorities to improve the operating efficiency of their agencies.
In addition to their statutory responsibilities under the Clinger-Cohen Act and related laws, the IT Reform Plan gives Agency CIOs a lead role in four main areas:

1. Governance. CIOs must drive the investment review process for IT investments and have responsibility over the entire IT portfolio for an agency. CIOs must work with Chief Financial Officers and Chief Acquisition Officers to ensure IT portfolio analysis is an integral part of the yearly budget process for an agency. The IT Reform Plan restructured the investment review boards (IRBs) by requiring Agency CIOs to lead “TechStat” sessions, actionable meetings designed to improve line-of-sight between project teams and senior executives. Outcomes from these sessions must be formalized and followed up through completion, with the goal of terminating or turning around one third of all underperforming IT investments by June 2012.

2. Commodity IT. Agency CIOs must focus on eliminating duplication and rationalizing their agency’s IT investments. Agency commodity services are often duplicative and sub-scale and include services such as: IT infrastructure (data centers, networks, desktop computers and mobile devices); enterprise IT systems (email, collaboration tools, identity and access management, security and Web infrastructure); and business systems (finance, human resources and other administrative functions). The CIO shall pool the agency’s purchasing power across the entire organization to drive down costs and improve service for commodity IT. In addition, enterprise architects will support the CIO in the alignment of IT resources, to consolidate duplicative investments and applications. CIOs must show a preference for using shared services, as a provider or consumer, instead of standing up separate independent services.

3. Program Management. Agency CIOs shall improve the overall management of large federal IT projects by identifying, recruiting and hiring top IT program management talent. CIOs will also train and provide annual performance reviews for those leading major IT programs. CIOs will also conduct formal performance evaluations of component CIOs (e.g., bureaus, sub-agencies, etc.). CIOs will be held accountable for the performance of IT program managers, based on their governance process and the IT Dashboard.

4. Information Security. CIOs, or senior agency officials reporting to the CIO, shall have the authority and primary responsibility to implement an agency-wide information security program and to provide information security both for the information collected and maintained by the agency, or on behalf of the agency, and for the information systems that support the operations, assets and mission of the agency. Part of this program will include well-designed, well-managed continuous monitoring and standardized risk assessment processes, supported by “CyberStat” sessions run by the Department of Homeland Security to examine implementation. Taken together, continuous monitoring and CyberStats will provide essential, near real-time security status information to organizational officials and allow for the development of immediate remediation plans to address any vulnerabilities.

With responsibilities for these four areas, Agency CIOs will be held accountable for lowering operational costs, terminating and turning around troubled projects and delivering meaningful functionality at a faster rate while enhancing the security of information systems. These additional authorities will enable CIOs to reduce the number of wasteful duplicative systems, simplify services for the American people and deliver more effective IT to support their agency’s mission.

In addition, under the IT Reform Plan, Agency CIOs are required to play a cross-agency portfolio management role through the Federal CIO Council (CIOC). The CIOC charter will be amended to reflect these new responsibilities, which will allow more effective development and management of shared services, cross-agency initiatives and government-wide policy. Just as CIOs are tasked to find and eliminate duplicative systems in their agencies, the council will seek opportunities to reduce duplication, improve collaboration and eliminate waste across agency boundaries.
The First Federal CIO Leaves and Comments

Vivek Kundra, the former federal CIO, wrote on August 15, 2011, that he transformed the government’s “image of red tape, long lines and cold, distant bureaucracies” through real-time analytics and American ingenuity. Kundra came into the job and immediately saw a major technology gap in the government compared with the private sector. “Closing this gap is the key to making government work better for the American people — the ultimate goal,” he wrote in the August 15 article titled, “Reflections on Public Service.” Kundra said he changed the status quo, but he also warned that the IT advances can still regress. “Left alone, things tend to move from order to disorder — and the hard work this administration has done to reform federal IT could fall back, unless we keep our shoulder to the wheel,” he wrote.

The Second Federal CIO says, “We will Continue Vivek’s Initiatives”

When the White House tapped former Microsoft executive Steven VanRoekel to serve as the next federal chief information officer, officials said they weren’t looking for someone to set new plans for transforming federal information technology. “This is not a situation where we’re asking someone to come in and make radical changes to priorities or to the strategic agenda,” federal Chief Performance Officer Jeffrey Zients noted. “It’s continued execution in getting proven results.” VanRoekel took the reins of an $80 billion IT budget and oversight of an IT reform agenda set by his predecessor Vivek Kundra in December, which includes shutting down 800 data centers by 2015 and moving government applications to a cloud computing environment. VanRoekel also serves as administrator for e-government. His nomination did not require Senate confirmation. “Rarely do you get to take over in a place where so much good work has been done, so much momentum is already established and the team is charging ahead full steam. So I’m excited,” VanRoekel said.
“We were in lockstep with Vivek’s team here on data center consolidation [and] our Cloud First policy on using tools, like TechStat,” VanRoekel said of his tenure at FCC.

Achieving the IT Reform Plan: GSA’s Four Secrets of Success

Published by Mary Davie, assistant commissioner with the General Services Administration’s Office of Integrated Technology Services, on Monday, June 27, 2011.
Government agencies are six months into implementing the federal CIO’s 25-Point IT Reform Plan, and according to agency CIO status blogs, we’re on schedule. That’s great news. However, how we finish is more important than how we stay on schedule. With Federal CIO Vivek Kundra moving on, we need to work that much harder. That’s why I want to share some secrets that will help us achieve the plan the Federal CIO set in motion:

Secret #1 – GSA has the first-mover advantage (and wants to share!) As Casey Coleman pointed out in her blog, GSA successfully addressed point 3 of the IT reform plan: We moved our email to the cloud using our own Alliant GWAC. We can share our scope of work and lessons learned with your agency.

Secret #2 – GSA has the solutions to meet your IT reform plan challenges We’ve created the first OMB-sanctioned cloud computing-specific contract vehicles for Infrastructure as a Service and Email as a Service, fulfilling points 4 and 5. We can also help you consolidate your commodity IT spending under agency CIOs (point #20), an area where government is behind the curve. We have stood up a new IT commodity buying program and are building our Federal Strategic Sourcing Initiative (FSSI) Wireless program to provide streamlined acquisition support.

Secret #3 – Involve industry in any IT project Industry involvement is critical for any IT project, as is communicating early, often and throughout the process. At GSA, we are involving industry and agencies to develop new solutions, such as our cloud BPAs, our FSSI Wireless, and SmartBUY, as well as planning our Network Services program strategy. In addition to face-to-face conversations, we are using tools like wikis, discussion boards and idea-generation tools. We have found these tools to be great ways to augment traditional market research and requirements definition processes, reaching a broader audience, as well as increasing transparency and participation. Check out GSA’s use of a wiki to get input on RFIs, requirements and acquisition strategy at the BetterBuy Wiki. We’d be glad to share lessons learned and “how-tos” with your agency.

Secret #4 – Pick the right partners As the government’s primary workplace solutions provider and a proving ground for new IT solutions, GSA can provide the tips, tools and technologies to enable you to see all of your IT projects through to successful conclusion.
Federal Data Center Closures According to the Office of Management and Budget, 137 data centers will be shuttered by the end of 2011; 39 have been closed already. According to the plan, 16 agencies will close data centers this year. Fifty-two, or 38 percent, of the data centers belong to the Department of Defense. The Interior Department plans to close 18 facilities, NASA plans to close 14 and the Agriculture Department plans to close 10. Other agencies planning to close or consolidate centers are Commerce, Energy, GSA, Health and Human Services, Homeland Security, Justice, Labor, State, Transportation, Treasury, the Agency for International Development and Veterans Affairs.
TechStat Tool to Help Reform Federal IT TechStat is a face-to-face, evidence-based review of an IT investment. A TechStat is triggered when an agency determines that a project is underperforming, using data from the IT Dashboard and other sources. In the session, the agency CIO and other members of an agency’s leadership team meet for one focused hour. They review a briefing that highlights the management of the investment, examine program performance data, and explore opportunities for corrective action. TechStat sessions conclude with clear next steps formalized in a memo and tracked to completion.

Remember: In many cases, the immediate result of a TechStat session is a concrete action plan, developed collaboratively to address issues and turn around the troubled or failing program.
However, in some cases, a TechStat session may reveal that the best course of action for an investment is to temporarily halt or even terminate the program. Finding these failed programs sooner saves taxpayers money and promotes accountability to high standards and program management success.
Technology Industry Recommends Accelerated Federal Government Cloud Adoption A report from the technology-industry-sponsored Commission on the Leadership Opportunity in U.S. Deployment of the Cloud, published in August 2011 (www.techamericafoundation.org/cloud2), found that cloud technologies are transforming the way computing power is bought, sold and delivered. Rather than purchasing licenses or hardware, users may now obtain computing power as a service, buying only as much as they need, and only when they need it. This new business model brings vast efficiency and cost advantages to government agencies, individuals and companies of all sizes. The numerous benefits of cloud computing have already won over many adopters and are generating significant cost savings, efficiencies, flexibility, innovation and new market opportunities. The Commission’s mandate was to generate recommendations for accelerating adoption of cloud technologies in the U.S. government and in the commercial space, and to identify public policies that will help foster U.S. innovation and leadership in cloud computing. The Commission identified four areas, Trust, Transnational Data Flows, Transparency and Transformation, and focused on why action is needed, how it should be implemented and what benefits should be expected from implementation.

Trust Users of cloud computing want assurance that when using cloud services, their workloads and data will be treated with the highest integrity and their security, privacy and availability needs will be met. To enable trust and confidence in cloud services, the Commission recommends that government and industry develop common frameworks, best practices and metrics around security and information assurance to assist users in choosing and deploying the security level most appropriate for their workloads. The Commission also recommends strengthening the identity management ecosystem and data breach laws, as well as supporting increased research on cloud computing as an investment in future cloud innovation.

Transnational Data Flows In a global economy, it is common for businesses to operate in multiple countries and for cloud vendors and users to work and transfer information across national borders. This adds complexity to cloud adoption because the data, processes and people involved reside on multiple continents with different laws and cultures. In this context, the Commission recommends that industry and the U.S. government promote privacy frameworks, that the U.S. government identify and implement mechanisms to clarify the processes around lawful government access to data, and that the U.S. continue international discussions in these areas. The Commission also recommends that the U.S. government lead by example by demonstrating its willingness to trust cloud computing environments in other countries for appropriate government workloads.

Transparency Users want an abundance of information about the cloud services they buy and unfettered access to the data and processes they entrust to the service provider. To meet these needs, cloud vendors must be open and transparent regarding the characteristics and operations of the services they provide.
Government and industry should collaboratively develop metrics that facilitate this information sharing and customers’ ability to compare cloud offerings. Additionally, to ensure that data is available to customers should they wish to change cloud services, cloud vendors should enable portability through industry standards and best practices.

Transformation The transition to cloud computing is placing new requirements on purchasing processes, infrastructure and people’s skills. For government agencies, the fact that buying cloud computing services can be fundamentally different from buying in-house IT systems poses a challenge. Therefore, agencies, the Office of Management and Budget (OMB) and Congress must demonstrate more flexibility around budgeting and acquisition processes. Such flexibility, in combination with OMB incentives for moving to the cloud, will increase the rate of adoption by government agencies. Additionally, to accommodate the bandwidth and reliable connectivity necessary for the growth of cloud computing, the nation’s currently stretched and aging broadband infrastructure should be updated, in conjunction with embracing IPv6. To help acquisition and IT personnel understand and carry out the transition to the cloud, government agencies, companies and academia should develop and disseminate appropriate educational resources.

The Commission notes that the most effective way for government to shape the evolution of the cloud is not through law and regulation, but by being a smart user of the technology. This means addressing key issues in the RFP and contract. This is particularly true in the area of security, where some government agencies have especially challenging requirements. As agencies work with industry to ensure that the cloud services deployed are at least as secure and trusted as the IT systems in use today, the agencies can provide a model that cloud customers in governments and corporations around the world can emulate.
Cloud Services Successes There have already been several major successes as a result of agencies moving to the cloud for a growing number of their IT needs and services. These early trailblazers prove that cloud computing can work, and is working, for government. Some of these successes are listed next. Others are highlighted in later chapters.
GSA is in the Cloud Blog Posted by Martha Johnson, GSA Administrator on July 26, 2011: It’s official! The U.S. General Services Administration is the first federal agency to successfully migrate its employees to a cloud-based email service using Google Apps for Government. GSA’s successful transition is the first step in our effort to provide cloud email as a service option to other federal agencies. Our own transition to the cloud will save millions in taxpayer dollars annually. We expect that using a cloud-based system will reduce email operation costs by 50 percent over the next five years and save more than $15.2 million for the agency in that time. A large part of these savings will come from a decrease in the number of costly data centers requiring hardware, software licenses, maintenance and contractor support. In addition to the cost-saving benefits, the new email environment provides our agency with an easily accessible suite of services, including email and collaboration tools that help GSA employees become a more mobile and more efficient workforce. As the federal government’s workplace solutions expert, GSA helps agencies save money and concentrate on fulfilling their core missions by providing innovative workspace and acquisition tools. In May of this year, the U.S. General Services Administration requested bids from industry that will give government agencies options for secure, cost-efficient cloud-based email solutions. The successes and challenges faced by GSA in implementing our new cloud email system will help inform our decision making and allow us to better serve our customer agencies as they begin moving to the cloud.
Moving government agencies to the cloud is part of the Obama Administration’s “Cloud First” strategy, and GSA’s success broadly demonstrates that agile, secure, reliable and cost-effective cloud options exist. President Obama has challenged federal agencies across government to close the information technology gap with the private sector by identifying and migrating three IT capabilities to the cloud within 18 months. Already, 15 agencies have identified 950,000 email boxes across 100 email systems that are going to move to the cloud. Cloud IT systems help streamline agency operations, reduce inefficiencies, and free resources for other essential programs. With GSA’s contracting knowledge, cloud email experience and customer-focused expertise, we will help other agencies transition to the cloud — moving our government forward and saving taxpayer dollars.
AF Awards $50M Contract to ISS Intelligent Software Solutions (ISS) was awarded a $49.9-million task order contract by the U.S. Air Force Research Labs to support the United States Central Command (USCENTCOM) and other U.S. government customers with intelligence gathering and analysis software aimed at improving situational awareness. The work will also involve the creation of a cloud-based information-sharing system that will eventually help bridge data gaps across various organizations. The one-year contract is the latest task order to be awarded under the existing $500-million program which the Air Force awarded to ISS in 2009. The program is aimed at providing the software tools and services that allow users to process, analyze and visualize large amounts of intelligence information from multiple, disconnected sources. Under the terms of this contract, ISS will expand its support of CENTCOM’s intelligence, surveillance and reconnaissance (ISR) operations around the world. ISS’ software, known as the Web-Enabled Temporal Analysis System (WebTAS), will gather and analyze intelligence information to determine and improve mission situational awareness during ISR mission planning and execution. The technology will also assess how ISR efforts are supporting CENTCOM operations and commanders’ intent. The project will also create a cloud-based system to integrate and share intelligence information in support of strategic Air Force projects, and will eventually bridge information gaps between the various services. “This is part of the U.S. military and government’s goals of improving their ability to ‘connect the dots’ across disparate information networks,” said Carl Houghton, vice president, strategic initiatives, ISS. “In the war on terror, it is critical to quickly communicate with other organizations, regardless of differences in networks or system platforms.
Putting intelligence analysis technology into the cloud helps to cover those gaps and improve analysts’ ability to see trends and patterns.” The WebTAS-TK contract encompasses over 100 projects for 70 different user communities. Associated projects range from efforts supporting advanced research and development of machine learning and complex event processing to the development and deployment of state of the art command and control applications, as well as intelligence analysis tools. In addition to providing a vehicle for many software development efforts, this program enables ISS to maintain its ongoing support to combat operations in Afghanistan and Iraq, as well as onsite support at many locations around the United States and internationally. The ISS team currently has more than 120 personnel in Iraq and Afghanistan supporting the bundled tools under this contract.
Dept. of Agriculture – Microsoft Cloud In December 2010, the United States Department of Agriculture (USDA) moved its on-premises email and productivity applications to Microsoft’s cloud infrastructure, becoming the first cabinet-level federal agency to embrace the cloud. In one of the largest federal government cloud deployments ever, the USDA moved its 120,000 users to Microsoft Online Services, consolidating 21 different messaging and collaboration systems into one, said Chris Smith, the USDA’s Chief Information Officer. “This is really about increasing collaboration and communications across the breadth of 120,000 users in 5,000 offices across the country and 100 countries around the globe to better deliver on the USDA’s mission,” he said. “For us a move to the cloud was a question of performance, service and cost, and this solution will help us streamline our efforts and use taxpayer dollars efficiently.” The USDA is using Microsoft Exchange Online for messaging and calendaring, SharePoint Online for document collaboration, Office Communications Online for instant messaging and Office Live Meeting for Web conferencing. Smith said that improvements in productivity and communication, such as the ability to see colleagues’ availability and choose whether to communicate via chat, voice or mail, mean that employees will now be able to collaborate more efficiently. “We have a distributed workforce and a broad mission that ranges from resource management to homeland security to food safety to helping rural communities create prosperity so they’re self-sustaining,” Smith said. “This will help us fulfill the IT side of our mission. The more robust set of tools we can put in place, the better we’ll deliver goods and services for our mission to citizens here and around the world.” The USDA is deploying a version of Microsoft Online Services optimized to meet the security, privacy and compliance needs of U.S. federal government agencies and other customers that require the highest levels of security features and protocols.
USAID Provides Apps to its Field Offices The U.S. Agency for International Development has invested in a cloud-based virtual desktop infrastructure that provides IT services for users located around the world. With field offices around the world, USAID works with private voluntary organizations, indigenous organizations, universities, U.S. businesses, international governments and U.S. government agencies to promote U.S. national security and foreign policy and reduce terrorism by addressing a key root cause of violence in the world today: poverty fueled by the lack of economic opportunity. Hundreds of users have already been moved to the new cloud-based service that allows them to access Google Apps Premier through a cloud-based General Services Administration IT Schedule 70 contract award. The plan calls for completing the deployment to as many of USAID’s 11,000 users as possible by the end of 2011. USAID is moving a total of 50 applications, including email, office productivity and some business applications, into the cloud-based environment that will enable secure access to IT services. According to Jerry Horton, CIO for USAID, this migration is important for three primary reasons. “First, we must reduce our costs. At the same time, we can’t reduce the IT services we deliver to employees around the globe. And third, we needed to improve security for our increasingly mobile workforce,” he said. The cloud-based solution improves security by limiting data loss in the event of the loss or theft of a mobile device or any malicious software attack, since data stays in the hosted environment rather than on the device. Overall, desktop virtualization is expected to lower costs associated with providing and maintaining desktop services and, by moving IT services to the cloud, help to reduce costs associated with developing and maintaining multiple data centers, Horton said.
LBL Moves to Google Federal Premier Apps The Department of Energy is exploring cost and energy efficiencies that can result from leveraging cloud computing. This initiative explores how to use cloud computing to address needs across the enterprise, in specific business services and in scientific study. Although only started in 2009, these efforts at Lawrence Berkeley National Laboratory (LBL) are already showing promise. LBL has already deployed over 2,300 mailboxes on Google Federal Premier Apps, and will have 5,000 email accounts deployed by August 2010. This solution uses LBL’s own Identity Management System to provide authentication. Additionally, Google Docs and Google Sites have already been deployed and are being used by small- and medium-sized scientific research teams to foster collaboration and community documentation. Presently, LBL is evaluating the use of Amazon’s EC2 to handle excess capacity for mid-range computers during peak usage periods. LBL is also investigating the use of federated identity to provide the scientific community with access to a wide range of cloud computing offerings. LBL estimates it will save $1.5 million over the next five years in hardware, software and labor costs from the deployments it has already made.
NOAA Cloud Movement In June 2011, NOAA announced an $11.5-million, three-year award to Earth Resources Technologies, Inc., for cloud-based unified messaging services. The agency-wide transition will modernize email and calendar infrastructure, integrate collaborative tools and facilitate synchronization with mobile devices to better support NOAA’s mission and its nationwide workforce. NOAA will migrate 25,000 mailboxes to the cloud rather than utilizing in-house servers. NOAA’s decision to pursue the cloud solution supports the Obama Administration’s direction to pursue a Cloud First approach. “The cost to the taxpayer will be 50 percent less than an in-house solution,” said NOAA Chief Information Officer Joseph Klimavicz. “As the new standard, cloud computing has great value allowing us to ramp up quickly, avoid redundancy and provide new services and capabilities to large groups of customers.” The award was made using small business vendors identified through NOAALink, the agency’s innovative acquisition model, which allows for the standardization of information technologies and solutions. Earth Resources Technologies, Inc., based in Laurel, Md., will deliver “Google Apps for Government” in partnership with Google, Unisys and Tempus Nova. The new service will be operational by the end of the year. “NOAA personnel are located coast to coast, on the oceans and in the air. This system will allow them to share information and strengthen collaborative productivity,” added Klimavicz. “As a cutting-edge science agency, we are looking forward to bringing up-to-the-minute workplace technologies to our personnel.”
Interior Dept. to Slash $500M The Department of Interior expects to save $500 million through a five-year plan to modernize and consolidate its IT operations using cloud solutions. The department also plans to cut back on the office space it rents and streamline administration. The strategic plan is a high-level roadmap to transform the Interior’s IT operations for the 21st century, using advances in technology to provide better service for less. IT managers in Interior’s bureaus and offices are working with the Office of the CIO to transform the department’s $1 billion IT operation. The plan identifies an initial set of high-priority IT services as part of the transformation process, including a single email system for the department, telecommunications, account management, hosting services, workplace computing services, risk management and an enterprise service desk. “Through this plan, we are making smart changes to IT services across the department that will make our IT more cost-effective and customer-friendly while saving taxpayers half a billion dollars over the next decade,” said Secretary of the Interior Ken Salazar. The department expects cost savings of $100 million per year in the five years following consolidation, between 2016 and 2020. Once operational and data-center consolidation is complete, officials will then direct savings to IT tasks, including the modernization of legacy applications, some of which are decades old, the department said. Other modernization efforts will include more technology standardization, adopting common enterprise services, and simplifying business processes across common lines of business, the department said. Savings also will be used to address security needs and radio communications.
Cloud Service Migration for Government Agencies Twenty-five federal agencies have identified 78 services suitable for migration to the cloud, according to the Office of Management and Budget. The most common application is email, with 14 agencies having decided to choose a cloud version. It is closely followed by Website hosting, with 10 agencies having named it as a cloud-suitable function.
Agencies include: The Department of Commerce (DOC) has moved its capital planning tool (eCPIC) to GSA’s private cloud hosting platform. This budget management and reporting tool allows DOC to more effectively manage its resources and track how it is spending taxpayer dollars. By moving to a cloud solution, DOC is now able to have a centralized capital planning tool across the agency – allowing for insight into all programs at once instead of each program in isolation. The Department of Homeland Security (DHS) launched E-Verify Self Check in March 2011 as a free, Internet-based service application that workers can use to confirm employment eligibility in the United States. Self Check is currently available in Arizona, Colorado, Idaho, Mississippi, Virginia and the District of Columbia, and it will be available nationwide within the next 12 months. This new service improves the security posture of government IT systems by providing a mechanism by which DHS can validate identity and, therefore, control secure access to applications and services. DHS is implementing a private cloud capability within its two enterprise data centers to enhance sharing sensitive information across the department. By June 2012, DHS will have migrated 100,000 email boxes and 90,000 collaboration accounts to these new services, and the more than 230,000 DHS employees will be able to use enterprise-wide authentication services, streamlining their access to departmental applications and services. The Department of Defense’s (DoD) Trip Cost Estimator (TCE) is a Web-based budget planning tool that allows users to calculate the travel costs of temporary duty assignments, including air, hotel, car and meals. By hosting this service in the cloud, DoD will be able to extend access to the entire federal government. The Department of Transportation (DOT) is creating a central, collaborative Web management tool hosted in the cloud. 
This Content Management System will help standardize content for consistency across DOT Websites, while reducing the time and cost of development. By summer 2011, DOT will have migrated its initial modal Website to this new management tool. Up to three additional Websites are expected to be deployed the following year. The Department of Education is making efforts to shift to cloud deployment for email. Education plans on migrating to a split-domain hybrid model allowing for some users to run on-premise and some to run in the cloud. Education also plans on migrating up to 6,200 inboxes to the cloud in an effort to reduce cost and increase operational efficiencies. The Department of Energy’s (DOE) is in the process of developing a single enterprise-wide, endto-end grants management system that will use a standardized process for the management of grants. By using a cloud system, DOE will now have insight into grants (from application to award) across all offices in an effort to streamline the grants process and strive to reduce the overall cost of a grant transaction. The Environmental Protection Agency (EPA) has moved to a cloud-based service in order to provide the agency with perimeter security and intrusion detection capabilities on its infrastructure.
Step 2. The Federal Government’s New Approach
53
This allows EPA to have timely identification of and response to emerging Internet threats and cyberattacks on its network and systems. By moving to a cloud solution, EPA was able to realize a three times performance increase at the same current cost.

The EPA has endeavored over the last several years to consolidate a highly distributed email hosting infrastructure – reducing both the number of hosting locations and the total number of servers required to service EPA’s federal and contractor staff. These efforts give EPA a strong technical transition governance structure allowing EPA to analyze cloud email solutions in an effort to reduce the overall cost of its current email solution and provide more reliable services to more than 25,000 users.

The General Services Administration’s (GSA) current email solution is hosted on traditional infrastructure. GSA is in the process of moving to a cloud hosted solution for more than 17,000 users. This new cloud solution will provide faster upgrades, reduced costs through centralized management, reduced need for lengthy and costly procurements of IT assets and overall better customer service. Additionally, GSA will save over $3 million a year (a reduction of 50 percent) in operating costs by using a cloud solution.

The Food and Drug Administration (FDA) designed and is in the process of creating and operating three private cloud implementations incorporating JAVA-based systems and databases to create applications for use across the FDA. By using the cloud, FDA was able to reduce systems to service by a ratio of 24 to 1, which reduced comparable hosting costs by 87.5 percent.

Part of Health and Human Services, the Administration for Children and Families (ACF) is deploying its Audit Resolution system as a cloud-based service. The system links audit reports with the appropriate grantees. By launching it in the cloud, ACF is expecting to reduce the cost of hosting this solution by 49 percent. By migrating the production environment to the cloud, ACF expects to be capable of supporting periods of high-volume processing with over 25,000 grants processed per year.

The Department of Housing and Urban Development (HUD) currently uses a traditional hosting environment for its Storage Area Network. By moving to a cloud-based model for this service, HUD expects to cut the provisioning time for new servers and storage space by 50 percent, as well as have more predictable costing for services used.

HUD’s current email system, Lotus Notes, was previously hosted on traditional infrastructure. HUD expects to have faster and more agile provisioning while experiencing more predictable costs. HUD is currently exploring transitioning its email and SharePoint services for 13,000 users to a cloud technology solution. The current email and SharePoint environment is supported via a traditional infrastructure managed service requiring dedicated software, services, storage and management components. By evaluating a cloud environment, HUD expects to have faster provisioning of new users, be able to rapidly scale services and have more predictable costs for the services used.
www.GTIBookstore.com
Contracting for Cloud Services
The Department of Interior (DOI) is looking to the cloud to replace its current email solution. By moving to the cloud, DOI will replace 13 separate email systems with a single email system that supports approximately 85,000 users across DOI. The resulting cloud-based system will provide new capabilities, such as instant messaging, and a guaranteed uptime of 99.9 percent.

DOI.gov is DOI’s primary Website used for communicating with DOI’s various stakeholders and broad constituency with over five million visits a year. DOI currently hosts DOI.gov in a traditional hosting environment and is susceptible to service outages when there are surges in hits on the site. By moving to a cloud-based implementation, DOI will improve reliability due to the guaranteed uptime of 99.9 percent.
The Department of Justice (DOJ) is looking to the cloud to provide a hybrid cloud storage solution for the Executive Office for United States Attorneys (EOUSA) to increase the overall data storage capacity for all United States Attorneys’ Offices (USAO) and reduce the overall cost of data storage for the organization (reduce cost per gigabyte of storage). DOJ plans on procuring a 100-terabyte vendor storage solution to allow 18,000 USAO employees across 250 locations and 94 districts to have an easily accessible storage service within the USAO Wide Area Network.

The Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) is looking to move its 7,500 users in 260 office locations across the country to a cloud hosting solution. By moving from its current solution to a cloud solution, ATF expects to reduce operational costs by $100/user per year, eliminate over 10 servers, improve scalability, add enterprise collaboration services, add email archiving and increase service reliability.

The Department of Labor (Labor) uses Disability.gov in order to provide thousands of resources to create an interactive, community-driven information network of disability-related programs, services, laws and benefits to the American public. By using a cloud hosting solution, the department expects to avoid 60-75 percent of additional bandwidth charges and save approximately $55,000 per year. Additionally, this cloud solution will allow Disability.gov to triple the number of people it serves by making it possible for the site to host special events for outreach, a capability not previously available.

Currently, the Department of Labor has nine different email systems serving over 17,000 email inboxes. Labor is looking to the cloud in order to consolidate these email solutions into a unified email solution which will achieve cost savings, as well as provide new collaboration capabilities not available currently.
The National Science Foundation (NSF) has over 2,100 staff at its headquarters that use email on a daily basis to conduct business. NSF is implementing a cloud-based disaster recovery email service to provide immediate continuity of operations for email services, ensuring that all headquarters staff will still have access to email in case of a disruption in services due to natural disasters, electrical problems at a data center, etc.

NSF currently has a legacy file system infrastructure that hosts all historical records that the agency is required to maintain. In order to enable more rapid and efficient management and archiving of records, research proposals and award records, NSF is implementing an e-Records solution in the cloud. By utilizing an IaaS model, NSF will have optimal hosting of records which will now also be indexable in searches, something not available currently on the legacy system.

The Office of Personnel Management (OPM) manages over 30 separate Websites and tracks over three million visits per month. In order to ensure that its Websites are delivering relevant content to its visitors – and to ensure that content is being delivered in a timely fashion – OPM will implement a free cloud Web analytics service. With this service, OPM staff will be able to analyze Web traffic (number of visitors, page views, time spent on site, etc.), as well as analyze Website errors that impede a positive user experience.

OPM.gov is OPM’s main public-facing Website, providing critical information to federal agencies and to U.S. citizens. Traffic to OPM’s site is highly variable with large spikes in traffic – sometimes causing outages, such as during the Washington, D.C., area snow storms in December 2009. By moving to a cloud solution, OPM.gov can respond dynamically to changes in demand. Additionally, OPM is expanding its cloud hosting solution to begin handling dynamic content with expected cost savings of up to $130,000 a year.
The Small Business Administration (SBA) Website has over 10 million visitors a year. SBA.gov is focused on providing small businesses, lenders and resource partners with information about SBA programs and services. In its current hosting environment, SBA.gov is unable to quickly scale in the event of a demand surge for the Website. By moving to a cloud hosting environment, SBA.gov will be able to handle peaks in traffic and ensure the Website is always available.

The Management and Technical Assistance Line of Business will provide enhanced agency and resource partner services to assist more than 25 million small business owners and over 1,000 small business lenders with taking better advantage of SBA programs, services and loan options. This new service will be developed and implemented in a cloud services solution.

Currently the Social Security Administration (SSA) receives 85 million calls a year in order to support retirement, disability, entitlement and other claims by citizens. SSA has launched a cloud telephony system that will provide faster access to SSA agents and greater efficiency.

When SSA receives a Freedom of Information Act (FOIA) request from a citizen, it must respond in the most expeditious manner possible. Currently, SSA manages this process differently across offices. SSA is currently analyzing cloud solutions that could potentially allow SSA to manage the 30,000 FOIA requests received annually and track them in an integrated system across the agency, providing greater accountability to citizen requests.

SSA currently hosts its email capability internally, at a high cost per user. SSA is currently analyzing cloud hosting solutions to potentially migrate up to 108,000 email inboxes to a cloud solution in an effort to realize cost savings over the current hosting solution.
The Department of State’s (State) Office of the Historian makes available tens of thousands of government documents, as well as other unclassified publications and databases, regarding the history of state, diplomacy and foreign relations in a robust way to meet increased public demand. By hosting History.State.gov in the cloud, information is now keyword-searchable and in downloadable form. The Website’s broad audience includes scholars, students, policymakers and the public in the U.S. and abroad.

The Ralph Bunche Electronic Library provides staff of all 50 states, domestic and overseas, with direct access to a wide variety of information in over 50 databases. The move to the cloud enabled the library to reduce infrastructure and maintenance costs by 66 percent and provide scalability to meet the increased peak demands of the states’ employees.

In the Department of the Treasury (Treasury), the Enterprise Content Management (ECM) Initiative allows the Treasury to electronically capture, store, search/analyze, share and manage documents. Additionally, this initiative will work with current Treasury services to provide more robust functionalities, including Go-FOIA/e-Discovery – reducing the median time to respond to an FOIA request by 25 days. Further, by using a cloud environment, Treasury is looking to offer these services for other federal agencies to leverage.

The new Consumer Financial Protection Bureau (CFPB) plans to procure all of its data center services through cloud computing or leased resources in private federal clouds and avoid owning any data center assets. Currently, 100 percent of CFPB’s Web hosting is hosted in a cloud solution. Additionally, CFPB stood up a cloud data center for development, testing and production environments in April 2011.

The Treasury recently moved the Treasury.gov Website and four other Treasury Websites (SIGTARP.gov, MyMoney.gov, TIGTA.gov, and IRSOversightBoard.treasury.gov) to a cloud hosting environment – the first cabinet level agency to do so. By moving to a cloud hosting environment, the Treasury has saved over 13 percent in monthly costs versus the prior legacy hosting solution.

The Treasury is currently in the process of modernizing the Bureau of Engraving and Printing’s (BEP) business process. By moving to a cloud environment, BEP plans to save over 50 percent in operating and maintenance costs while also automating processes for manufacturing, financial management, acquisition and supply chains.

The Department of Veterans Affairs’ (VA) current email is hosted on an internal solution. VA is piloting 30,000 email inboxes with the hope of migrating all 417,000 inboxes to a cloud hosted solution. VA hopes to reduce overall cost for email and provide quicker provisioning for new users.

One of the many services VA provides to veterans is through the Post 9/11 Veteran Education Assistance Act. In order to process claims through this act, VA uses a cloud development, testing and hosting environment to create customer-facing software applications. By creating new applications and management with this cloud service, VA has been able to cut education claims processing time by 40 percent.

The Veterans Benefits Management System (VBMS) is being developed to process Veteran Compensation and Pension claims in a paperless environment. VBMS is being developed in a cloud environment and has a goal of processing Veterans claims within 125 days, improving claim quality to 98 percent, and increasing overall performance and accountability.
Some agencies, especially Defense and State, are proceeding to the cloud more slowly than others. The chief information officer for the Defense Department said the agency’s use of cloud computing would be limited for the near future to keep confidential data within the military’s advanced security systems. “With the increasing frequency and sophistication of cyber-attacks on defense systems, we are concerned with any new approaches that can introduce new risks,” the DOD CIO wrote in an email. The Pentagon, with its global reach and hundreds of thousands of users, could benefit from the capabilities of cloud computing. The CIO’s twist on Mr. Kundra’s vision is the concept of “Mission-Oriented Resilient Clouds,” a security-minded approach that the Pentagon is developing for use in military operations.
DARPA efforts for Mission-Oriented Resilient Clouds

With cloud computing rapidly emerging as a critical Defense Department mission support platform, the Defense Advanced Research Projects Agency is asking commercial and academic computer researchers to help build stronger cloud networks. DARPA’s Mission-oriented Resilient Clouds program, introduced in May, aims to help DOD protect its mission-focused cloud infrastructures from external threats and provide continued mission effectiveness during any type of cyber-attack. Upon completion, the MRC program will run alongside DOD’s Clean-slate design of Resilient, Adaptive, Secure Hosts program for limiting host vulnerabilities.

According to DARPA’s MRC program announcement release, the agency would like bidders to turn the tables on attackers and develop security approaches that take advantage of a distributed network’s ability to rapidly amplify and propagate attacks, and “use the network as a vulnerability damper and a source of resiliency.” To achieve its target, DARPA is urging bidders to consider several possible design approaches, including using redundant hosts, correlating attack information between hosts and creating network-wide resource diversity. To this end, DARPA is asking project bidders not only to address known cloud system security technologies and processes, but also to pursue new approaches to the design of networked computations and cloud computing infrastructures.
“When done with the proper considerations and planning, cloud computing will be a very effective and efficient tool,” the DOD CIO said.
The State Department is moving ahead only with low-risk projects, such as a Website for its Office of the Historian, which offers public information about the history of American diplomacy, the agency’s CIO said.
GSA Seeks Further Advice on Buying Technology

In June 2011, the GSA restarted a pilot project to provide a wiki designed to improve the federal government’s technology acquisition process. It has provided an online forum that allows vendors to provide feedback on acquisitions and suggest ways to improve the process before making the actual request for proposal for bids on projects. The project was halted because of fiscal end-of-year issues, but has now been restarted with new requirements to its BetterBuy Wiki. This project is concerned primarily with the pre-contract-award stages of the acquisition process – the activities that take place before the government “signs on the dotted line” to buy a product or service.
STEP 3
Identifying/Determining Your Needs
Determining your needs and wants is the basic first task in deciding how to proceed. Your needs may suggest that the cloud is not right for you. Most organizations will have a number of cloud possibilities. The possible projects then may require polling those with a vested interest in the projects. From that, a team should evolve, and that team will define the goals, requirements and objectives, as well as prioritize them by importance. See more details in the Performance-Based Acquisition Process.

The broad scope and size of the cloud transformation will require a meaningful shift in how government organizations think of IT. Organizations that previously thought of IT as an investment in locally owned and operated applications, servers and networks will now need to think of IT in terms of services, commoditized computing resources, agile capacity provisioning tools and their enabling effect for American citizens. This new way of thinking will have a broad impact across the entire IT service lifecycle – from capability inception through delivery and operations. The following structured framework presents a strategic perspective for agencies in terms of thinking about and planning for cloud migration.
Decision Framework For Cloud Migration

Select
    Identify which IT services to move and when
    Identify sources of value for cloud migrations: efficiency, agility, innovation
    Determine cloud readiness: security, market availability, government readiness, and technology lifecycle

Provision
    Aggregate demand at Department level where possible
    Ensure interoperability and integration with IT portfolio
    Contract effectively to ensure agency needs are met
    Realize value by repurposing or decommissioning legacy assets and redeploying freed resources

Manage
    Shift IT mindset from assets to services
    Actively monitor SLAs to ensure compliance and continuous improvement
    Build new skill sets as required
    Re-evaluate vendor and service models periodically to maximize benefits and minimize risks
Successful organizations carefully consider their broad IT portfolios and create roadmaps for cloud deployment and migration. To maximize benefits received and minimize delivery risk, these roadmaps prioritize services that have high expected value and high readiness. Defining exactly which cloud services an organization intends to provide or consume is a fundamental initiation phase activity in developing an agency roadmap. Some agencies may stress innovation and security while others may stress efficiency and government readiness. However, the logic and structure of the framework should be applicable for all agencies.

Cloud computing provides three primary sources of business value: efficiency, agility and innovation. Listed next are a number of considerations for each value category. Agencies should feel free to stress one or more of these sources of value according to their individual needs and mission goals. For instance, some agencies may place a higher value on agility, while others may stress cost savings brought about by greater computing efficiency.

Efficiency: Efficiency gains can come in many forms, including higher computer resource utilization due to the employment of contemporary virtualization technologies and tools that extend the reach of the system administrator, lowering labor costs. Efficiency improvements can often have a direct impact on ongoing bottom-line costs. Further, the nature of some costs will change from being a capital expense in hardware and infrastructure (CapEx) to a pay-as-you-go operational expense (OpEx) model with the cloud, depending on the cloud deployment model being used. Services that have relatively high per-user costs, have low utilization rates, are expensive to maintain and upgrade or are fragmented should receive a relatively high priority for consideration.

Agility: Many cloud computing efforts support rapid automated provisioning of computing and storage resources. In this way, cloud computing approaches put IT agility in the hands of users, and this can be a qualitative benefit. Existing services that require long lead times to upgrade or increase/decrease capacity should receive a relatively high priority for consideration, and so should new or urgently needed services, to compress delivery timelines as much as possible. Services that are easy to upgrade, are not sensitive to demand fluctuations or are unlikely to need upgrades in the long term can receive a relatively low priority.
Innovation: Agencies can compare their current services to contemporary marketplace offerings, or look at their customer satisfaction scores, overall usage trends and functionality to identify the need for potential improvements through innovation. Services that would most benefit from innovation should receive a relatively high priority.
Provision of Selected IT Services

To effectively provision selected IT services, agencies will need to rethink their processes as provisioning services rather than simply contracting assets. Contracts that previously focused on metrics, such as number of servers and network bandwidth, now should focus on the quality of service fulfillment. Organizations that are most successful in cloud service provisioning carefully think through a number of factors, including:
Aggregate demand: When considering “commodity” and common IT services, agencies should pool their purchasing power by aggregating demand to the greatest extent possible before migrating services to the cloud. Where appropriate, demand should be aggregated at the departmental level and as part of the government-wide shared services initiatives, such as government-wide cloud-based email.
Integrate services: Agencies should ensure that the provided IT services are effectively integrated into their wider application portfolio. In some cases, technical experts may be required to evaluate architectural compatibility of the provided cloud service and other critical applications. Rather than a one-time event, this principle should be followed over time to guarantee that systems remain interoperable as individual IT services evolve within the portfolio. Business process change may similarly be required to properly integrate the systems (e.g., adjusting call center processes).
Contract effectively: Agencies should also ensure that their contracts with cloud service providers set the service up for success. Agencies should minimize the risk of vendor lock-in, for instance, to ensure portability and encourage competition among providers. Agencies should include explicit service level agreements (SLAs) for security, continuity of operations and service quality that meet their individual needs. Agencies should include a contractual clause enabling third parties to assess security controls of cloud vendors. The SLA should specify the support steps that the consumer can take when the service is failing to meet the terms specified in the agreement, and should include points-of-contact and escalation procedures. It is important to be precise in the definition of metrics and to specify when and where they will be collected. For example, measured performance differs depending on whether it is observed from the consumer’s side or the provider’s side, because of network delays. Metrics should measure characteristics under the control of the vendor. Finally, the SLA should describe a mutual management process for the service levels, including periodic reporting requirements and meetings for management assessments.
Realize value: Agencies should take steps during migration to ensure that they fully realize the expected value. From an efficiency standpoint, legacy applications and servers should be shut down and decommissioned or repurposed. Data center real estate used to support these systems should be closed down or used to support higher-value-added activities. Where possible, staff supporting these systems should be trained and re-deployed to higher-value-added activities. From an agility and innovation standpoint, processes and capabilities may also need to be refined in order to fully capture the value of the investment.
Manage
To be successful, agencies must manage cloud services differently from traditional IT assets.
As with provisioning, cloud computing will require a new way of thinking to reflect a service-based focus rather than an asset-based focus. Listed next are a few considerations for agencies to effectively manage their cloud services.

Shift mindset: Organizations need to re-orient the focus of all parties involved – providers, government agencies and end users – to think of services rather than assets. Organizations that successfully make this transition will effectively manage the system towards output metrics (e.g., SLAs) rather than input metrics (e.g., number of servers).

Actively monitor: Agencies should actively track SLAs and hold vendors accountable for failures. Agencies should stay ahead of emerging security threats and ensure that their security outlook is constantly evolving faster than potential attacks. Agencies may also consider incorporating business user feedback into evaluation processes. Finally, agencies should track usage rates to ensure charges do not exceed funded amounts. It can be advantageous for a consumer to “instrument” key points on the network to measure the performance of cloud service providers. For example, commercial tools can report back to a centralized data store on service performance, and instrumentation agents can be placed with participating consumers and at the entry point of the service provider on the network. By gathering data across providers on the performance of pre-planned instrumented service calls throughout typical work periods, service managers can better judge where performance bottlenecks arise. Agencies should include requirements for service instrumentation where appropriate.

Re-evaluate periodically: Agencies should periodically re-evaluate the choice of service and vendor to ensure that efficiency, agility and innovation are maximized. Agencies should ensure portability and hold competitive bids for cloud services at regular intervals. Agencies should also consider increasing the scope of cloud-provided services as markets mature (e.g., moving from IaaS solutions to PaaS and SaaS solutions). Opportunities to consolidate and standardize solutions between agencies should be periodically evaluated as well, particularly for ‘commodity’ services. To effectively conduct re-evaluations, agencies should maintain awareness of changes in the technology landscape, in particular, the readiness of new cloud technologies, commercial innovation and new cloud vendors.
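The following Python script is an added example (not code from the book or from any agency program) of the SLA checking that the "Contract effectively" and "Actively monitor" guidance above calls for: it evaluates data from pre-planned instrumented service calls, judges availability and 95th-percentile latency on samples taken at the provider's entry point (the part the vendor controls), reports the network delay seen from the consumer side separately, and checks period charges against the funded amount. The provider names, samples, SLA thresholds and charges are all constructed.

```python
"""SLA compliance check over instrumented service-call data.

Added example, not code from the book or any agency. Provider names,
samples, SLA thresholds and charges below are constructed for illustration.
"""
import math
from dataclasses import dataclass
from statistics import median
from typing import Dict, List


@dataclass(frozen=True)
class Sample:
    """One pre-planned instrumented service call."""
    provider: str
    vantage: str        # "consumer": agency network edge; "provider": service entry point
    latency_ms: float   # round-trip time seen from that vantage point
    ok: bool            # call succeeded (False = error or timeout)


@dataclass(frozen=True)
class SLA:
    """Contracted targets, measured where the vendor controls the outcome."""
    availability_pct: float   # minimum share of successful calls
    p95_latency_ms: float     # 95th-percentile latency at the provider entry point
    funded_usd: float         # funded ceiling for the billing period


def _calls(provider: str, vantage: str, lats: List[float], failed_at: int = -1) -> List[Sample]:
    """Build constructed samples; the call at index failed_at is marked as failed."""
    return [Sample(provider, vantage, lat, i != failed_at) for i, lat in enumerate(lats)]


# Constructed probe data: the same call issued from both instrumentation points.
# Consumer-side latency includes WAN delay the vendor does not control, so the
# SLA latency target is judged on provider-side samples only.
SAMPLES: List[Sample] = (
    _calls("cloud-a", "provider", [120, 130, 125, 140, 135, 128, 132, 127, 138, 129])
    + _calls("cloud-a", "consumer", [210, 220, 215, 230, 225, 218, 222, 217, 228, 219])
    + _calls("cloud-b", "provider", [90, 95, 88, 400, 92, 91, 93, 89, 94, 96], failed_at=3)
    + _calls("cloud-b", "consumer", [150, 155, 148, 460, 152, 151, 153, 149, 154, 156], failed_at=3)
)
SLA_EXAMPLE = SLA(availability_pct=99.9, p95_latency_ms=150.0, funded_usd=10_000.0)
CHARGES_USD: Dict[str, float] = {"cloud-a": 9_500.0, "cloud-b": 10_500.0}  # constructed bills


def by_vantage(samples: List[Sample], provider: str, vantage: str) -> List[Sample]:
    """Select one provider's samples taken from one instrumentation point."""
    return [s for s in samples if s.provider == provider and s.vantage == vantage]


def availability_pct(samples: List[Sample]) -> float:
    """Share of instrumented calls that succeeded, in percent."""
    if not samples:
        return 0.0
    return 100.0 * sum(1 for s in samples if s.ok) / len(samples)


def p95_ms(samples: List[Sample]) -> float:
    """Nearest-rank 95th percentile; failed calls keep their (timeout) latency."""
    lat = sorted(s.latency_ms for s in samples)
    return lat[math.ceil(0.95 * len(lat)) - 1]


def network_overhead_ms(samples: List[Sample], provider: str) -> float:
    """Median consumer-side minus median provider-side latency: the delay added by
    the agency's own network path, which the SLA should not charge to the vendor."""
    consumer = [s.latency_ms for s in by_vantage(samples, provider, "consumer")]
    provider_side = [s.latency_ms for s in by_vantage(samples, provider, "provider")]
    return median(consumer) - median(provider_side)


def evaluate(samples: List[Sample], sla: SLA, charges: Dict[str, float]) -> Dict[str, List[str]]:
    """Return, per provider, the list of SLA or funding breaches (empty list = compliant)."""
    report: Dict[str, List[str]] = {}
    for provider in sorted({s.provider for s in samples}):
        prov_side = by_vantage(samples, provider, "provider")
        breaches: List[str] = []
        avail = availability_pct(prov_side)
        if avail < sla.availability_pct:
            breaches.append(f"availability {avail:.1f}% below {sla.availability_pct}%")
        lat = p95_ms(prov_side)
        if lat > sla.p95_latency_ms:
            breaches.append(f"p95 latency {lat:.0f} ms above {sla.p95_latency_ms:.0f} ms")
        spent = charges.get(provider, 0.0)
        if spent > sla.funded_usd:
            breaches.append(f"charges ${spent:,.0f} exceed funded ${sla.funded_usd:,.0f}")
        report[provider] = breaches
    return report


if __name__ == "__main__":
    for provider, breaches in evaluate(SAMPLES, SLA_EXAMPLE, CHARGES_USD).items():
        status = "compliant" if not breaches else "; ".join(breaches)
        overhead = network_overhead_ms(SAMPLES, provider)
        print(f"{provider}: {status} (network overhead {overhead:.1f} ms)")
```

With the constructed data, cloud-a is compliant and cloud-b breaches all three terms, while the consumer-side figures show the agency's network adds 90 ms to cloud-a calls and 60 ms to cloud-b calls.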
Determine Cloud Readiness

It is not sufficient to consider only the potential value of moving to cloud services. Agencies should make risk-based decisions which carefully consider the readiness of commercial or government providers to fulfill their federal needs. These can be wide-ranging, but likely will include: security requirements, service and marketplace characteristics, application readiness, government readiness and the program’s stage in the technology lifecycle. Similar to the value estimation, agencies should be free to stress one or more of these readiness considerations according to their individual needs.

Security Requirements: Federal government IT programs involve a wide range of security requirements. Federal Information Security Management Act (FISMA) requirements include but are not limited to: compliance with Federal Information Processing Standards; agency-specific policies; Authorization to Operate requirements; and vulnerability and security event monitoring, logging and reporting. It is essential that the decision to apply a specific cloud computing model to support mission capability considers these requirements. Agencies have the responsibility to ensure that a safe, secure cloud solution is available to provide a prospective IT service, and should carefully consider agency security needs across a number of dimensions, including but not limited to:
Statutory compliance to laws, regulations and agency requirements
Data characteristics to assess which fundamental protections an application’s data set requires
Privacy and confidentiality to protect against accidental and nefarious access to information
Integrity to ensure data is authorized, complete and accurate
Data controls and access policies to determine where data can be stored and who can access physical locations
Governance to ensure that cloud computing service providers are sufficiently transparent, have adequate security and management controls, and provide the information necessary for the agency to appropriately and independently assess and monitor the efficacy of those controls
Service characteristics: Service characteristics can include service interoperability, availability, performance, performance measurement approaches, reliability, scalability, portability, vendor reliability and architectural compatibility. Storing information in the cloud will require a technical mechanism to achieve compliance with records management laws, policies and regulations promulgated by both the National Archives and Records Administration (NARA) and the General Services Administration (GSA). The cloud solution has to support relevant record safeguards and retrieval functions, even in the context of a provider termination.
Depending on the organizational missions supported by the cloud capability, Continuity of Operations (COOP) can be a driving solution requirement. The purpose of a COOP capability is to ensure that mission-essential functions continue to be available in times of crisis or against a spectrum of threats. Threats can include a wide range of potential emergencies, including localized acts of nature, accidents, and technological and/or attack-related emergencies.

The organization should consider scalability requirements concerning the ability of the cloud solution architecture to either grow or shrink over time, with varying levels of processing, storage or service handling capability. They should also consider both the impact on their business processes if network connectivity to their cloud vendor fails, resulting in a loss of IT capability, and the possibility (likelihood) of this occurrence. Requirements concerning administrative support should be included as well, covering topics such as the daily hours of prime support, problem escalation times, resolution of recurring problems and trouble ticket submission methods.

Market characteristics: Agencies should consider the cloud market competitive landscape and maturity, including both fully commercial and government-provided cloud services. Agencies can consider whether cloud markets are sufficiently competitive and are not dominated by a small number of players. Agencies can consider whether there is a demonstrated capability to move services from one provider to another, and whether there is a demonstrated capability to distribute services between two or more providers in response to service quality and capacity. Agencies should consider the availability of technical standards for cloud interfaces which reduce the risk of vendor lock-in.
Network infrastructure, application and data readiness: Before migrating to the cloud, agencies must ensure that the network infrastructure can support the demand for higher bandwidth and that there is sufficient redundancy for mission critical applications. Agencies should update their continuity of operations plans to reflect the increased importance of a high-bandwidth connection to the Internet or service provider. Another key factor to assess when determining readiness for migration to the cloud is the suitability of the existing legacy application and data to either migrate to the cloud (i.e., rehost an application in a cloud environment) or be replaced by a cloud service (i.e., retire the legacy system and replace with commercial SaaS equivalent). If the candidate application has clearly articulated and understood interfaces and business rules, and has limited and simple coupling with other systems and databases, it is a good candidate along this dimension. If the application has years of accumulated and poorly documented business rules embedded in code, and a proliferation of subtle or poorly understood interdependencies with other systems, the risks of “breakage” when the legacy application is migrated or retired make this a less-attractive choice for early cloud adoption.

Government readiness: In addition, agencies should consider whether or not the applicable organization is pragmatically ready to migrate their service to the cloud. Government services which have capable and reliable managers, the ability to negotiate appropriate contract terms and SLAs, related technical experience and supportive change management cultures should receive a relatively high priority. Government services which do not possess these characteristics, but are otherwise strong cloud candidates, should take steps to alleviate any identified concerns as a matter of priority.
Step 3. Identifying/Determining Your Needs
Technology lifecycle: Agencies should also consider where technology services (and the underlying computing assets) are in their lifecycle. Services that are nearing a technology refresh, approaching the conclusion of their negotiated contract, or are dependent upon inefficient legacy software or hardware should receive a relatively high priority. Technology services that were recently upgraded, locked within contract and are based on leading-edge technology may want to wait before migrating to the cloud.
Develop a Business Use Case

To comply with the Cloud First policy, federal agencies must carefully evaluate cloud computing services and solutions to determine which ones meet their needs and then move to implement them where appropriate.
Cloud First is an opportunity for government to build on the benefits that consumers and businesses have realized from cloud computing and to deploy new technologies with the goal of significantly improving the efficiency of governmental operations and the public services it offers. Although the shift to cloud computing raises new issues that must be considered, existing federal government procurement practices are flexible enough to enable acquisition of the new capabilities.

Define Requirements

Government agencies should begin with a business case that outlines their requirements and performance objectives, not with a particular cloud model (public, private, hybrid or community). Defaulting to a particular cloud deployment or service model rather than using agency performance objectives to define the approach will result in missed opportunities to benefit from available cloud services. In making the transition to the cloud, federal agencies should first focus on workloads and cloud services and solutions that have already been widely deployed in the cloud in the private sector and government. Among those workloads, services and solutions immediately suitable for government adoption are (1) storage, computing, Web hosting and backup, which fall under the category of infrastructure as a service (IaaS); (2) database services, identity management services, security services, geospatial information systems and customized applications in areas of IT management, which fall under the category of platform as a service (PaaS); and (3) email, customer relationship management (CRM), collaboration, payment processing and service centers, which fall under the category of software as a service (SaaS). These workloads and services have already been successfully deployed in the cloud in both the private sector and government.
After agencies have identified initial targets for transition to the cloud, they should explore the business and mission benefits of emerging cloud applications, such as enterprise applications and agency-specific mission support systems.
Map Agency Priorities

Government agencies should have a clear understanding of the cloud attributes that are most important to them. Following is a list of cloud attributes to be considered; different agencies will place different weight on different attributes.

Automatic Upgrades and Patches. Some in-house IT deployments can carry high maintenance fees and necessitate expensive upgrades. Agencies concerned about upgrading and patching legacy software should seek cloud services and solutions in which systems are maintained cost-effectively, schedules and processes for upgrades are clear and there is transparency around pricing for substantially new functionalities.

Collaboration. Agencies that want to work together across stovepipes should explore secure cloud collaboration tools and social networking applications that connect people and their underlying information within the context of relevant security requirements.

Compliance. Agencies should evaluate the cloud service provider’s ability to fulfill the necessary compliance requirements, such as HIPAA.

Development. Many government agencies will want to develop their own customized PaaS and SaaS cloud applications instead of purchasing commercially available solutions. These agencies should make sure that their cloud service includes a robust development platform that accommodates multiple programming languages, industry standard frameworks and tools for access controls, logging, security, real-time transparency and privacy.

Ease-of-Use. For agencies deploying cloud services to a population with diverse IT skills, ease-of-use will be essential. SaaS and PaaS cloud applications should demonstrate high utilization and satisfaction rates. Agency stakeholders should talk with their peers to confirm customer satisfaction with cloud services and conduct market research to determine best practices.

Energy Efficiencies. Overall energy savings from shifting to the cloud can be significant.
In addition, using cloud services to meet government data center consolidation requirements will facilitate significant energy-efficiency savings and benefits.

Integration. End-to-end processes may require integration between cloud applications and in-house applications. Agencies should consider this integration upfront.

Interoperability. Agencies should make sure that their cloud services support open standards that have already been widely accepted.

Mobility. If mobility is important to mission requirements, look for a comprehensive mobile platform that can be quickly deployed across a variety of mobile devices and operating systems.

Portability. Clarify that the agency can extract and move its data in a commonly accepted standard format.

Price. For some agencies, price will be the overriding consideration. If this is the case, they should require documentation of the total price of the cloud services and solutions and insist on a predictable pricing structure. Current procurement law requires past performance assessments, which can be used to determine whether those estimates are supported by customer experience.

Scale. Scale is often a primary concern for broadly delivered government services with unpredictable demand spikes. If scale is vital, agencies should validate the performance and reliability of the cloud service at the maximum anticipated scale and ask about the real-time monitoring tools available for the cloud service.

Security. Because security is such a critical consideration, it is discussed separately (see the following section).

Speed. Other agencies will find that rapid deployment is the primary goal. This is especially true when responding to disasters, government mandates, and performance requirements with tight deadlines. In order to ensure rapid deployment or agility, agencies should request demonstrations, implement pilots and include mutually binding deployment deadlines in cloud service contracts.

Sustainability. Agencies may need the cloud service vendor to build and deploy new capabilities for future needs. They should evaluate the cloud vendor’s strategy, alignment with the agency’s mission, future product roadmap, financial and corporate stability and ability to address needs in a timely fashion.

Transparent Performance. Availability, reliability and performance are priorities for government IT deployments. Agencies concerned about performance should ask for real-time Web dashboards that show the status, availability, reliability and speed of cloud services.

Understand the Security Requirements

Security usually tops the list of government concerns about IT, including cloud computing. Cloud services are not inherently more or less secure than in-house IT implementations. In both cases, security depends on technology, policies, and practices. A robust implementation of cloud services is capable of meeting a variety of security requirements.
In assessing the security of cloud services, government agencies should rely on the same Federal Information Security Management Act (FISMA) authorizations that are required for in-house IT implementations. Today, security Assessment and Authorization (A&A) is performed on an agency-by-agency basis. The goal of the Federal Risk and Authorization Management Program (FedRAMP) is to provide a more comprehensive government security framework that will enable different government agencies to leverage the same security authorization, as the federal government moves to an updated FISMA framework. NIST standards on security are now in place to help in the federal arena.

Remember: One of the differences between cloud and in-house IT implementations is who manages and controls the security processes.
Agencies should focus on managing the agreements between the agency and provider to ensure that a consistent security posture is maintained independent of who is responsible for the various layers of the system.

Consider how your Agency will Implement the Cloud

Government agencies should choose those services that map to their business and mission needs and that they can readily share with other agencies with similar needs. In matching cloud services and mission objectives, federal agencies should consider the following:
Is the cloud service easy to configure? Government agencies should be able to configure solutions themselves and should not require deployment of complex IT processes. Changes by one agency should not affect the usage or configuration of the service for the other agencies using the shared service.
Does the cloud service exist elsewhere within government and can that service be shared elsewhere within government?
Does the cloud service provider enable portability of user data through an effective combination of documents, tools and support for agreed-upon industry standards and best practices? If not, are there third-party solutions to provide access to the data in the cloud service? Government agencies should avoid vendor lock-in solutions that make it difficult for them to extract and move their data in translatable formats for use in other cloud platforms.
Will the cloud service provider, the government agency or third party integrate cloud applications with in-house applications where needed to ensure seamless end-to-end processes? Government agencies can clarify the technologies and standards used and perform testing to verify compliance and understand the differences with the stated standards.
Outline Mission Requirements in an RFP

Requests for Proposals (RFPs) should focus on mission and business requirements and service performance guidelines rather than detailed technical specifications or an architectural approach. They should be flexible enough to allow vendors to craft a variety of cloud solutions to meet these requirements. Cloud computing technologies are rapidly evolving, and it is important to evaluate the track record of the cloud services and cloud vendors under consideration. In addition to making sure that the RFP process considers attributes relevant to cloud services, it is important to streamline the RFP process to reflect the rapid deployment of cloud services. The topics and sections of the traditional RFP still largely apply, including background descriptions about the provider, client references, startup and ongoing cost models, and required certifications; however, other typical requirements, such as key personnel requirements, may not make sense for a self-service cloud application.

Take Advantage of Government-wide Initiatives

In the federal government, much thought has gone into analyzing how agencies can use the cloud within the federal security, technology and acquisition context – from exploring centralized security authorizations, such as the proposed FedRAMP, GSA’s Blanket Purchase Agreement (BPA) for IaaS, to evaluating National Institute of Standards and Technology (NIST) standards and guidance. By building on these efforts, agencies can meet mandated timetables and accelerate potential savings.

Look Beyond Technology Hype Claims to Include People and Process in Decision Making

Cloud technology will not deliver the desired return on investment without addressing the people and process issues that are needed to manage effective systems.

Leverage a Common Service Measurement Framework to Evaluate Providers

Once an agency has prioritized its requirements, the agency should use a data-driven approach to evaluate cloud offerings based on those requirements. Several efforts are underway to develop data-driven approaches to evaluate competing offerings based on measurable criteria, such as those previously mentioned. One example is DMADV, a data-driven quality strategy for designing products and services consisting of five interconnected phases: define, measure, analyze, design and verify.

Understanding Timing and Triggers for Considering Cloud Deployment

The following kinds of IT activities may offer an opportunity to introduce a cloud solution that will drive significant savings:

Systems Scheduled to Replace Existing Computer Equipment. Agencies should identify their systems that require updates to computer equipment or that need to acquire new functionalities and then evaluate if the workloads running on those systems are candidates for moving to the cloud, potentially eliminating significant costs associated with the scheduled IT infrastructure improvements. Three factors contribute to the anticipated savings:
First, the agency leverages the cloud vendor’s global economies of scale in computer equipment acquisition, pooled expert IT infrastructure staff, and investments in IT service management technology and operating procedures.
Second, the agency shifts to paying only for the computing services it needs. For example, the agency can access the computing power it needs to run everyday operations, later add more scale for high-volume spikes and reduce resources when they are no longer needed (instead of leasing new computers to support peak operations and paying for unused computing power during lower-volume periods).
Third, the agency can avoid the time and cost of infrastructure-specific security authorization and accreditation activities. Agencies can look to leverage security authorizations from other agencies with similar security needs or the proposed FedRAMP for cloud infrastructure, and focus time and resources on certifying the security of the agency’s applications running on that infrastructure.
Planned New System Implementations and System Upgrades. New system implementations and major upgrades also typically trigger a need for new computing equipment. Agencies can realize significant savings by deploying these systems directly into an IaaS cloud environment where they can rent, instead of buy, the required new machines. They can also achieve significant savings by using SaaS and PaaS solutions that do not require any infrastructure investments, and limit or eliminate software upgrade costs.

IT Infrastructure Requests for System Conversion, Testing or Development. Acquiring development and testing environments in the cloud can reduce the cost of creating and maintaining these environments. The agency can provision servers (and incur costs) in the cloud only when needed instead of paying for unnecessary continuous capacity.

Pilot Projects and Investments in New Capabilities that are Only Used Periodically. If an agency does not require or desire ownership, the cloud approach provides access to new or additional functionality with minimal costs. This access also applies to capabilities required only on an as-needed or trial basis. For example, in advance of the next fiscal year budgeting cycle, an agency might want to pilot software that automates budget formulation. The agency can acquire the access it needs for the pilot, expand its use of the software during the peak budget preparation season, and then scale back or eliminate the capability as desired.

Investment Requests to Develop Systems. For development needs, a cloud approach provides the ability to develop custom applications or capabilities without having to purchase infrastructure or development software. The agency can rent a development platform in the cloud, build the capability it needs and migrate the application into steady-state operation.
If agency-specific development environments are not commercially available, the IaaS cloud approach provides the ability to develop custom applications or capabilities without having to purchase infrastructure.

NIST Cloud Computing Program Strategic Efforts - Business Use Case Working Group - Cloud Computing Business Use Case Template

Business Use Case

1. Use Case Identification

1.1. Use Case Name
State a concise, results-oriented name for the use case.

1.2. Agency
Record the agency sponsoring this use case.

1.3. Model Matrix
Identify which intersections of the service/deployment matrix the use case addresses.
                                      Cloud Deployment Models
Cloud Service Models                  Private   Community   Public   Hybrid
Software as a Service (SaaS)
Platform as a Service (PaaS)
Infrastructure as a Service (IaaS)
1.4. Created By
Supply the name of the person who initially documented this use case.

1.5. Date Created
Enter the date on which the use case was initially documented.

1.6. Last Updated By
Supply the name of the person who performed the most recent update to the use case description.

1.7. Date Last Updated
Enter the date on which the use case was most recently updated.

Created By:             Date Created:
Last Updated By:        Date Last Updated:

Version | Changes
2. Background
An abstract describing the purpose of the business use case.

3. Definitions

4. Concept of Operations

4.1. Current System
Describe at a high level how the current system works. Does the system integrate with other systems? What are the security requirements? Do network considerations vary among users (local versus remote, for example), and so on?

4.2. Desired Cloud Implementation
Describe how a cloud implementation of the system should work, whether or not capabilities currently exist.
5. Primary Actors
Provide a concise description of the primary roles in the use or delivery of the system or service.

6. Business Goal
Describe what should be expected from the implemented system or service, and how the actors previously identified would use or benefit. What benefits does the cloud solution bring that a traditional implementation would not?

7. Service Model
Why are the particular service models (SaaS, PaaS, IaaS) selected for this implementation? What benefits are expected for the particular chosen service models, and what are some of the shortcomings of the service models not selected?

8. Deployment Model
What drove the selection of the particular deployment model (private cloud, community cloud, hybrid cloud, public cloud)? What are the benefits of the selected model and drawbacks of the models not selected?

9. Necessary Conditions
Identify the conditions that must be met for the system or service to be implemented successfully.

9.1. Security
What security requirements must be met for successful implementation, and how do they address business needs?

9.2. Interoperability
Describe any interoperability requirements (public APIs, data exchange formats, standard file formats, etc.). What are the business needs that drive these requirements?

9.3. Portability
Explain any portability requirements (for example, the ability to seamlessly and transparently change email providers in the future) and the business need driving the requirements.

9.4. Other
Categorize and describe any other business needs not previously addressed.

10. Priorities and Risks
Describe the priority of this project in your organization. What risks are there in using cloud computing for this solution?
11. Essential Characteristics
Describe how the system meets the five essential characteristics of a cloud computing system along with the benefits provided by each of these characteristics.
On-demand self service
Broad network access
Resource pooling
Rapid elasticity
Measured service
12. Normal Flow
Provide a description of the primary user actions and system responses that will take place during execution of the use case under normal, expected conditions. How is the task in the use case name accomplished?

13. Frequency of Use
Estimate the number of times this use case will be performed by the actors per some appropriate unit of time.

14. Special Requirements
Identify any additional requirements for the use case that need to be addressed. Examples include performance or availability requirements.

15. Notes and Issues
List any additional comments about this use case or any remaining open issues.

16. Risk Register
This section is optional or can be a separate appendix. Create a list of known risks, their likelihood, impact and status. An Excel spreadsheet can be used to track this.

16.1. Date Record the date that a risk is identified or modified.

16.2. Description of the Risk Provide a phrase that describes the risk.
16.3. Likelihood of Occurrence Provide an assessment on how likely it is that this risk will occur.
L-Low (<30%)
M-Medium (31-70%)
H-High (>70%)
16.4. Severity of Effect An assessment of the impact that the occurrence of this risk would have on the project.
L-Low (<30%)
M-Medium (31-70%)
H-High (>70%)
16.5. Countermeasures Actions that can be taken to prevent, reduce or transfer the risk.
16.6. Status Indicate whether this is a current risk or if the risk has been resolved.

Risk register columns: Date | Description | Likelihood | Severity | Countermeasures | Status

Prepared by Knowcean Consulting, Inc., for NIST under SPAWAR contract January 28, 2011.
Successful Move to the Cloud Requires Agency Introspection First

Before moving to the cloud, an agency must ask itself a number of questions. As part of this exercise, it is a good idea to create an enterprise cloud computing roadmap. It should help provide some of the answers to questions such as: Where do we want to go? How are we going to get there? What will we do when we get there? What are the benefits? How much will it cost? How much will we save? The “Why do we want to move to the Cloud” question is the most important one because it will drive all the others. Are you moving to save money, increase efficiency, provide a better service or all of these things? When you have decided the answer to “why,” it will enable you to better define your needs and define the procurement parameters which, in turn, will help you to find the vendors best able to meet those needs. Choosing the right vendor has become much easier thanks to FedRAMP, which provides a security accreditation and authorization program that vets cloud vendors. Before talking with vendors, you should conduct a cloud computing pilot to identify and capture metrics about cost and time savings, benefits to be achieved and so on. These will provide benchmarks for determining the success of both the upcoming cloud contract and future implementations.
Assessment and Authorization (A&A) Activities

Basic requirement for Assessment and Authorization. One gateway necessary for government contractors in order to provide services is codified in NIST 800-37. The implementation of a new federal government IT system requires a formal approval process known as Assessment and Authorization with continuous monitoring. National Institute of Standards and Technology Special Publication 800-37, Revision 1, “Guide for Applying the Risk Management Framework to Federal Information Systems,” gives guidelines for performing the Assessment and Authorization (A&A) process. Contracts may be awarded, but the contractor must get the A&A prior to providing services. For federal orders, an appropriate moderate impact Assessment & Authorization (A&A) as defined by FIPS 199 and FIPS 200 must be completed before any order can be fulfilled. For federal orders of Lot 1c, a high-impact Assessment & Authorization (A&A) by the ordering activity must be completed before any order can be fulfilled. The failure to obtain and maintain a valid authorization will be grounds for cancellation of the award and termination of any outstanding orders. All selected NIST 800-53 controls must be tested/assessed continuously.

Assessment of System

The Quoter shall comply with NIST Special Publication 800-37 requirements as mandated by federal laws and policies, including making available any documentation, physical access and logical access needed to support this requirement. The Level of Effort for the A&A is based on the System’s NIST Federal Information Processing Standard (FIPS) Publication 199 categorization. The Quoter shall create, maintain and update the following A&A documentation:
System Security Plan (SSP) completed in agreement with NIST Special Publication 800-18, Revision 1. The SSP shall include as appendices required policies and procedures across 18 control families mandated per FIPS 200, Rules of Behavior and Interconnection Agreements (in agreement with NIST Special Publication 800-47).
Contingency Plan (including Disaster Recovery Plan) completed in agreement with NIST Special Publication 800-34.
Contingency Plan Test Report completed in agreement with GSA IT Security Procedural Guide 06-29, “Contingency Plan Testing.”
Plan of Actions and Milestones completed in agreement with GSA IT Security Procedural Guide 09-44, “Plan of Action and Milestones (POA&M).”
Independent Penetration Test Report documenting the results of vulnerability analysis and exploitability of identified vulnerabilities.
Information systems must be assessed whenever there is a significant change to the system’s security posture in accordance with NIST Special Publication 800-37 Revision 1, “Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach.” At the Moderate impact level, the Quoter will be responsible for providing an independent Security Assessment/Risk Assessment in accordance with NIST Special Publication 800-37 Revision 1, “Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach.”
The government reserves the right to perform a Penetration Test. If the government exercises this right, the Quoter shall allow government employees (or designated third-party auditors) to conduct Assessment and Authorization (A&A) activities to include control reviews in accordance with NIST 800-53/NIST 800-53A. Review activities include but are not limited to operating system vulnerability scanning, Web application scanning and database scanning of applicable systems that support the processing, transportation, storage or security of government information. This includes the general support system infrastructure. Identified gaps between required 800-53 controls and the quote’s implementation as documented in the Security Assessment/Risk Assessment report shall be tracked for mitigation in a Plan of Action and Milestones (POA&M) document. Depending on the severity of the gaps, the government may require remediation before an Authorization to Operate is issued. The Quoter is responsible for mitigating all security risks found during A&A and continuous monitoring activities. All high-risk vulnerabilities must be mitigated within 30 days and all moderate-risk vulnerabilities must be mitigated within 90 days from the date vulnerabilities are formally identified. The government will determine the risk rating of vulnerabilities.

Authorization of System

Upon receipt of the documentation described in the NIST Special Publication 800-37 and as previously documented, the ordering activity’s Authorizing Officials (AOs) for the system (in coordination with the ordering activity Senior Agency Information Security Officer (SAISO), system Program Manager, Information System Security Manager (ISSM), and Information System Security Officer (ISSO)) will render an Authorization decision to:
Authorize system operation without any restrictions or limitations on its operation;
Authorize system operation with restriction or limitation on its operation; or
Not authorize for operation.
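The remediation clock described above (high-risk findings closed within 30 days, moderate-risk within 90 days, both counted from the date of formal identification) and the likelihood/severity bands of the risk register in section 16 are simple enough to track mechanically. The following Python tracker is an added example, not code from the book or from NIST; the finding records and register rows are constructed sample data, and the handling of the unassigned 30-31% gap in the band definitions is an assumption noted in the code.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Contractual remediation windows by government-assigned risk rating (from the
# text). The text sets no deadline for Low findings, so they carry no due date.
REMEDIATION_DAYS: Dict[str, int] = {"High": 30, "Moderate": 90}

# Reference "today" for the constructed sample below.
TODAY = date(2011, 2, 10)


def band(percent: float) -> str:
    """Map a likelihood or severity estimate (0-100 %) to the register's L/M/H.

    The template defines L as <30 %, M as 31-70 % and H as >70 %, leaving
    30-31 % unassigned; this code treats that gap as M (an assumption).
    """
    if not 0 <= percent <= 100:
        raise ValueError("percent must be between 0 and 100")
    if percent < 30:
        return "L"
    if percent > 70:
        return "H"
    return "M"


@dataclass
class Finding:
    """One A&A or continuous-monitoring finding tracked in the POA&M."""
    finding_id: str
    risk: str                      # "High", "Moderate" or "Low", assigned by the government
    identified: date               # date the vulnerability was formally identified
    closed: Optional[date] = None  # date mitigation was verified, if any

    def due(self) -> Optional[date]:
        days = REMEDIATION_DAYS.get(self.risk)
        return None if days is None else self.identified + timedelta(days=days)

    def status(self, today: date) -> str:
        """'closed', 'closed-late', 'open' or 'overdue' as of `today`."""
        due = self.due()
        if self.closed is not None:
            return "closed" if due is None or self.closed <= due else "closed-late"
        if due is not None and today > due:
            return "overdue"
        return "open"

    def days_overdue(self, today: date) -> int:
        due = self.due()
        if self.closed is not None or due is None:
            return 0
        return max(0, (today - due).days)


def poam_summary(findings: List[Finding], today: date) -> Dict[str, int]:
    """Count findings by status; every status key is present even when zero."""
    counts = {"open": 0, "overdue": 0, "closed": 0, "closed-late": 0}
    for f in findings:
        counts[f.status(today)] += 1
    return counts


def overdue_ids(findings: List[Finding], today: date) -> List[str]:
    """IDs of unmitigated findings past their window, most overdue first."""
    late = [f for f in findings if f.status(today) == "overdue"]
    late.sort(key=lambda f: f.days_overdue(today), reverse=True)
    return [f.finding_id for f in late]


@dataclass
class Risk:
    """One row of the section 16 risk register."""
    logged: date
    description: str
    likelihood_pct: float
    severity_pct: float
    countermeasures: str
    resolved: bool = False

    def row(self) -> Tuple[str, str, str, str, str, str]:
        """Columns in register order: Date, Description, Likelihood, Severity, Countermeasures, Status."""
        return (self.logged.isoformat(), self.description, band(self.likelihood_pct),
                band(self.severity_pct), self.countermeasures,
                "resolved" if self.resolved else "current")


# Constructed sample data, not taken from the book.
SAMPLE_FINDINGS = [
    Finding("F-1", "High", date(2011, 1, 3)),                              # due 2011-02-02, overdue
    Finding("F-2", "Moderate", date(2011, 1, 3)),                          # due 2011-04-03, open
    Finding("F-3", "High", date(2011, 1, 10), closed=date(2011, 2, 5)),    # closed inside 30 days
    Finding("F-4", "Low", date(2011, 1, 12)),                              # no contractual deadline
    Finding("F-5", "Moderate", date(2010, 10, 1), closed=date(2011, 1, 15)),  # closed after 90 days
]
SAMPLE_RISKS = [
    Risk(date(2011, 1, 28), "Provider loses its security authorization", 20, 85,
         "Contract clause requiring notice, data return and transition support"),
    Risk(date(2011, 1, 28), "Network connectivity to provider fails", 45, 60,
         "Redundant connection; COOP plan updated", resolved=True),
]

if __name__ == "__main__":
    print(poam_summary(SAMPLE_FINDINGS, TODAY))  # {'open': 2, 'overdue': 1, 'closed': 1, 'closed-late': 1}
    print(overdue_ids(SAMPLE_FINDINGS, TODAY))   # ['F-1']
    for r in SAMPLE_RISKS:
        print(r.row())
```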
The Quoter shall provide access to the federal government, or their designee acting as their agent, when requested, in order to verify compliance with the requirements for an Information Technology security program. The government reserves the right to conduct onsite inspections. The Quoter shall make appropriate personnel available for interviews and documentation during this review. If documentation is considered proprietary or sensitive, these documents may be reviewed onsite under the hosting Quoter’s supervision.
Reporting and Continuous Monitoring

Maintenance of the security Authorization to Operate will be through continuous monitoring and periodic audit of the operational controls within a Quoter’s system, environment and processes to determine if the security controls are meeting government regulatory and compliance requirements. Through continuous monitoring, security controls and supporting deliverables will be maintained and submitted to an ordering activity in accordance with customer IT security standards, policies and reporting requirements. NIST published SP800-86, Guide to Integrating Forensic Techniques into Incident Response. SP800-86 defines in a much more precise and specific way the procedures, issues and technologies required to move an incident from the point of discovery all the way through to resolution.
Organization Structure

The Management Team directly responsible for each individual acquisition should include the following positions:

Acquisition Manager

Evaluating RFPs. Ask for transparent prices in the form of subscription or pay-as-you-go pricing; verify that automatic upgrades appropriate to the service type provided are included; and confirm that the cloud service can accommodate scale to a level consistent with the agency’s requirements.

Verifying Goals. Make sure that agency mission goals and security requirements have been fully addressed in the proposed contract.

Developing an Appropriate Work Statement Document. Shift from defining deliverables to defining service level agreements (SLA) and their required outcomes (focus on measurable operating quality metrics, not inputs, such as number of labor hours). Require cloud service providers to include in their service price all upgrade and maintenance fees appropriate to the infrastructure, platform or software service being procured (or similarly make sure the price is fixed and have a contract requirement to include all upgrades and maintenance as part of the service).

Defining the Legal and Regulatory Requirements. Ask the cloud service provider to explain its information handling practices and disclose the performance and reliability of its services on its public Websites. Verify that the cloud service provider does not claim any ownership right to government data and agrees to maintain it securely and use it only as the government customers instruct them to or to fulfill contractual or legal obligations.

Managing Services-Based Contracts. Make sure that subscription-based cloud service contracts that specify periodic payments in exchange for defined services do not raise any new contractual issues. Handle use-based cloud service contracts (i.e., based on frequency of usage) as managed service contracts with an overall obligation and periodic draw-downs.
www.GTIBookstore.com
Program Manager
Customer Success. Talk to peers in other government agencies and in the commercial sector who have successfully implemented cloud services similar in scope and complexity to those being considered. Make sure that the cloud service is production-ready.
Budget. Talk with acquisition and budget teams about expected utilization and potential surge scenarios to ensure budget is appropriately developed and the contracts with service providers have enough flexibility to scale up or down based on utilization. Factor in the costs and resources needed to make the application or service cloud-ready.
Productivity. Ask for documented results about collaboration and operational efficiencies. Proven cloud service vendors should be able to provide this evidence.
Agency-Wide Information Sharing. Request collaboration tools that enable information and document sharing through filters and feeds with appropriate protections for proprietary information. Look for data and cloud integration tools that enable cloud information sharing with existing IT systems.
Mobility. If mobility is important to mission requirements, look for a comprehensive mobile platform that can be quickly deployed across a variety of mobile devices and operating systems.
Reusable. Determine if cloud services, including custom cloud applications and configurations, already acquired by the government would be reusable without having to be re-architected for mission requirements.
Pilots. Implement pilots to verify speed of deployment, ease-of-use and performance. Cloud applications can be built, customized and deployed quickly, so government agencies should not hesitate to ask for pilots to be deployed promptly depending on the deployment model.
Chief Financial Officer (CFO)
Price Transparency. Confirm that the prices are predictable, auditable and transparent. Cloud subscription agreements should include all software, maintenance and upgrade fees appropriate to the infrastructure, platform or software service being procured so that it is easy to assess and forecast prices.
Cost Reduction and Avoidance. Ask for evidence that shows the cloud service will reduce the total lifecycle costs, relative to in-house technologies. Request references to clarify the ongoing cost of the service. Understand specific costs to make the application or service cloud-ready, not just the cost to purchase the cloud service.
Infrastructure. Verify that the cloud solution is production-ready, without extensive upfront IT infrastructure costs or requirements for third-party hardware, telecommunications capacity, network devices or software. Understand what system requirements may require configuration or engineering changes to existing applications to make them cloud-ready.
Step 3. Identifying/Determining Your Needs
Evaluating Cloud Service Contracts. The following are among the key areas that cloud service contracts should cover: security; reliability and availability; redundancy, backup and restoration; disaster recovery and continuity of operations; maintenance; customer support; capacity planning and dynamic provisioning of resources; access and user administration; operating system and application administration; documentation; and technology refresh management.
Chief Information Officer/Chief Information Security Officer (CIO/CISO)
Security. CIOs and CISOs should work with the mission/business stakeholders to assess the potential risks in moving to cloud services. Based on that assessment, they should define their risk management plan and put controls in place that are appropriate for their determined risk profile. They should require an assessment and authorization (A&A) commensurate with the sensitivity of the data being processed (low, moderate, high). They should also look for complementary industry security certifications and best practices and determine any identity management requirements.
IT Organization. Consider the impact of cloud services on the IT workforce. Some skills, such as patching legacy IT systems, may not be needed by the agency, while others, such as service management and contract management, will be in demand. As a result, career paths and reporting relationships may change.
Readiness and Migration Path. Understand what work must be done to enable the migration of the application or service to the cloud. Look for tools that enable integration of the cloud service with existing systems and processes.
Open Standards. Make sure the components support open industry standards that have already been widely accepted.
Automatic Upgrades. Verify the schedule, process, downtime and costs associated with upgrades related to security and functionality. The impact of upgrades for cloud services is generally less than with in-house IT implementations.
Reusable Services. Determine if cloud services, including custom cloud applications and configurations, that have already been acquired by the government would be reusable without having to be re-architected for mission requirements.
Chief Human Capital Officer (CHCO)
Training. The CHCO should coordinate with the CAO to ensure adequate and appropriate training is provided for the acquisition workforce within the agency to understand and effectively acquire cloud services and solutions.
Workforce. The CHCO should coordinate with the CIO to ensure that the IT workforce is prepared for the shift from internal management and operations of in-house systems to provisioning and deploying cloud capabilities for the agency. This preparation should include both hiring people with new skills and training those already in the agency workforce.
Agency Leadership (Assistant Secretary/COO)
Mission Support. Understand the impact that migrating services to the cloud will have on agency mission and effectiveness. Be prepared to address mission improvements or projected mission improvements in external forums, such as Congressional hearings and interagency meetings. Own the decision to move services to the cloud.
Budget. Seek information and justification on budgetary impacts of the move to cloud solutions. Understand the total cost of migrating solutions to the cloud, including agency and contractor time to make existing applications cloud ready. Ask for clarification on the budget and pricing implications of surges and the costs to move from one provider to another.
Customer Success. Talk to your peers in other government agencies that have successfully implemented cloud services to learn from their experiences. Anticipate challenges and prepare agency executive leadership for risks and successes.
Additional positions that play a role in supporting the Management Team include:
Chief Acquisition Officer (CAO) has overall agency responsibility for management and oversight of acquisition and is assisted by the Senior Procurement Executive (SPE). Main areas of responsibility:
Monitors the performance of acquisition programs
Increases the use of competition
Increases the use of performance-based acquisition
Accountable and responsible for acquisition decisions and performance
Manages the direction of the agency’s acquisition policy
Develops and maintains an adequate professional acquisition workforce
The CAO is expected to collaborate with agency senior leadership, especially the agency Senior Procurement Executive, in building and managing the appropriate business relationships and strategies to achieve mission-based results and comply with statutory, regulatory and policy requirements. Although the basic responsibilities are the same for all agencies, this position can be very different in some agencies depending on the agency mission and authorizing legislation.
Senior Procurement Executive (SPE)
The SPE leads the agency’s procurement function and is responsible for the agency’s acquisition system, including policy development; establishment of acquisition goals; evaluation and monitoring of agency organizations; strategic sourcing; governance of procurement systems; career management; and continuous improvement of the acquisition environment. The SPE supports the use of streamlined, cost-effective, best-value procurement strategies.
Project Managers (PMs), Contracting Officers (COs) and Contracting Officer’s Representatives (CORs) – sometimes called Contracting Officer’s Technical Representatives (COTRs) – and other professionals who have a shared expertise – whether through experience, training or other developmental activities – in the commercial IT marketplace, vendor base, acquisition environment and program management techniques are generally better able to define requirements, establish appropriate business strategies, and monitor contractor performance for IT procurements. Moreover, intra-agency communication and collaboration is generally more effective when there is a common understanding of each other’s role in the process, but this doesn’t always happen. The 2010 Acquisition Workforce Competency Survey showed that contracting professionals rated project management as their lowest competency, and PMs rated themselves low in contracting competencies. Many agencies have developed specialized cadres, such as the Department of Veterans Affairs (VA) at its Technology Acquisition Center and the General Services Administration’s Assisted Acquisition Service, that are permanent organizations of acquisition professionals who support the major IT needs of an agency or organization – from requirements development through test and acceptance to contract closeout. By centralizing these functions, some agencies have found that they can achieve economies of scale, gain specialized IT experience, and develop centers of excellence to reduce program risk and increase the chance of successful program outcomes. Further, IT vendors – from large firms to small businesses – can target their communication efforts and build better, more effective relationships with the cadre’s PMs, COs and CORs. Integrated Program Teams (IPTs) are cross-functional or multidisciplinary groups of individuals that are organized and collectively responsible for the specific purpose of delivering a product to an external or internal customer. They are led by a Program Manager (PM) and are similar to a specialized cadre, but are generally established to support a particular program for a limited period of time.
IPTs include members of the specialized cadre and their customers, and also other key experts and stakeholders for the program. Each IPT for an IT program should include government staff with expertise in program management, resource management, procurement, systems architecture and engineering, security, requirements analysis, test management, configuration management and other disciplines, as necessary, to act in the best interest of the government, evaluate all aspects of the project, and ensure delivery of promised functionality. Key members of the IPT should: 1) Be in place throughout the program lifecycle, and 2) Be co-located during the most critical junctures of the program, to the maximum extent possible. Specialized IT acquisition cadres are generally composed of highly-trained, experienced acquisition professionals. At a minimum, cadres require the skills of the following:
Contracting Officers and contract specialists – COs legally obligate the government when they enter into contracts, and contract specialists support the COs in accomplishing their many duties during the pre- and post-award acquisition phases.
Program Managers – PMs have a high-level understanding of the program and its supporting projects. The PM develops requirements, supports the CO throughout the acquisition process, and monitors all program activities closely to ensure desired outcomes or to identify remediation needs. When appropriate, some agencies may also have Project Managers who generally manage one or more projects.
Contracting Officer’s Representatives – CORs are designated and authorized in writing by the CO to perform specific technical or administrative functions on contracts or orders.
Other support team members:
Customer Liaisons – Customer liaisons are the bridge between the CO and the customer. Customer participation is critical throughout the program lifecycle to ensure that the user’s needs are appropriately described. Because COs may not have sufficient time to work closely with the customer in developing requirements, and because customers may need additional support to develop requirements that can be clearly explained in a solicitation, the customer liaison is a useful addition to the team. Technical writers can be very effective in this role and are used in many agencies to improve communication.
Tip Several contracting organizations have improved requirements development through the use of customer liaisons.
In addition to assisting with requirements development, customer liaisons can support a variety of acquisition functions, such as independent cost estimating, source selection planning and organizing evaluation teams, etc. After award, customer liaisons can also work with the COR to bridge the communication gap if the COR was not involved earlier in the process.
Commodity Experts – Individuals with in-depth knowledge of a particular segment of the IT market, such as telecommunications, or with a particular kind of solution, such as cloud computing, are invaluable to the team.
Small Business Specialists – Small businesses play a critical role in the government’s IT environment. From programming to technical support services, small businesses support a wide range of efforts, so including small business specialists in the cadre can be especially helpful. They can identify new vendor partners, improve communication with existing partners, and increase opportunities generally.
Industry Liaisons – Industry liaisons, such as those that agencies identify in their vendor communication plans in support of OMB’s “Myth-Busting” effort, provide targeted outreach and assistance to the vendor community and can serve as a focal point for vendors seeking to do business with the agency. Adding this support may lead to better competition, as it will help the CO reach vendors who may not previously have been considered.
The Myth-Busters OMB is working to reform contracting and has identified a number of common “myths” about vendor engagement that may be unnecessarily hindering dialog. A memo released in February 2011 also provides facts and strategies to help acquisition officers benefit from vendors’ knowledge and insight.
The myths:
1. “We can’t meet one-on-one with a potential offeror.” Government officials can generally meet one-on-one with potential offerors, as long as no vendor receives preferential treatment.
2. “Communication with contractors is like communication with registered lobbyists – it must be disclosed. This additional disclosure burden means we should avoid these meetings.” Most contractors do not fall into the category requiring disclosure. Even when they do, it is a minimal burden that should not prevent useful meetings from taking place.
3. “A protest is something to be avoided at all costs – even if it limits conversation.” Restricting communication won’t prevent a protest, and actually might increase the chances of one.
4. “Conducting discussions after receipt of proposals will add too much time to the schedule.” Avoiding discussions solely out of schedule concerns could be counterproductive, and may cause delays or other problems during performance.
5. “If the government meets with vendors, it may cause them to submit an unsolicited proposal that delays the procurement process.” Submission of such a proposal is separate from the process for a known agency requirement and should not affect the schedule.
6. “When government awards a task or delivery order using the Federal Supply Schedules, a debriefing isn’t required so it shouldn’t be done.” Providing feedback is important, both for offerors and the government, so agencies should provide feedback whenever possible.
7. “Industry days and similar events attended by multiple vendors aren’t valuable to agencies or vendors because industry won’t provide useful information in front of competitors, and the government doesn’t release information.” Well-organized industry days, as well as pre-solicitation and pre-proposal conferences, are valuable opportunities for the government and vendors.
8. “The program manager already talked to industry to develop the technical requirements, so the contracting officer doesn’t need to do anything else before issuing the RFP.” Technical requirements are only part of the acquisition; getting feedback on terms and conditions, pricing structure, performance metrics, evaluation criteria and contract administration will improve the award and implementation process.
9. “Giving industry only a few days to respond to an RFP is OK since the government has been talking to industry about the procurement for over a year.” Providing only short response times may result in the government receiving fewer proposals, and the ones received may not be as well-developed, which can lead to a flawed contract. It also signals that the government isn’t really interested in competition.
10. “Getting broad participation by many different vendors is too difficult; we’re better off dealing with established companies we know.” The government loses when it limits itself to the companies it already works with. Instead it needs to look for opportunities to increase competition and ensure that all vendors, including small businesses, get a fair chance to compete.
Cost/Price Analysts – Cost/price analysts and cost estimators can assist the CO in many areas, such as providing independent cost estimates, analyzing proposals and developing negotiation positions. Though COs are required to take training in this area, cost and price analysis is a time-intensive activity, and individuals with this expertise can be especially helpful on complex acquisitions. They can also perform a “should-cost” analysis, which estimates what the service ought to cost, for example by translating the cost or price of similar services to the current procurement.
Financial/Budget Analysts – Involvement of financial/budget analysts during the acquisition process can help to avoid potential problems in developing acquisition strategy areas related to finance and budgetary issues.
Purchasing Agents/Procurement Technicians – Purchasing agents and procurement technicians can assist contracting professionals with a wide range of duties. They are typically trained in basic procurement, so can provide assistance with tasks ranging from market research and file preparation to tracking procurements and preparing awards for simple acquisitions.
Key IT Knowledge Areas for Contracting Professionals:
Principal laws and regulations governing information technology,
Elements of IT strategic planning,
Capital planning and investment management,
Systems-level acquisition strategies, including development and integration,
Enterprise architecture principles,
Information security requirements,
Contract law for IT, such as data rights, licensing, etc.,
IT marketplace, and
OMB guidance related to Earned Value Management and other performance management tools.
Key Acquisition Knowledge Areas for PMs and CORs:
Acquisition process,
Market research,
Small business requirements,
Acquisition planning,
Requirements definition,
Vendor engagement,
Risk management, and
Contract management.
Focus/Roadmap
The initial focus is on exactly what it is that you want from the cloud and whether the cloud is the best way to achieve it. You must define your business drivers – both current and future requirements and priorities – and then develop your vision – why we do what we do, for whom and how. What benefits will be achieved, what cost savings made, or both, by migrating to the cloud, and will we be better able to achieve our vision as a result?
Remember – Once you have determined that the cloud is the way to go, you need to develop a roadmap that will help you through the procurement and acquisition process. It is your blueprint for how to get there.
This will involve asking potential providers about security policies, portability of data, interoperability and procurement, and verifying their answers as much as possible through third parties. The roadmap should detail all the steps to be taken – from initial discussions with potential vendors to agreement on explicit requirements, uptime and availability, audit compliance, backup and security issues. The roadmap should also detail each party’s responsibilities and liabilities, rights and obligations. It should also contain specific investments and projects – if there is more than one – and time-phased milestones and performance metrics. You should not sign a contract until all these issues have been fully discussed and codified in clauses that leave no ambiguity.
Pricing and Billing Terms
Accounting Code. In modern accounting systems, a unique alphanumeric reference given to a specific revenue or customer account to facilitate the reconciliation of transactions across various systems, including subscription management and billing, CRM and accounting. Activation Fee. A one-time fee paid in exchange for initiation of service. Annual Contract Value (ACV). Calculated as the total recurring charges and fees on a service over one year, ACV is one of the most important metrics for SaaS businesses. Amendment. A change made to a contract or service, such as a change in product (e.g., upgrade or downgrade), number of users, payment terms or a contract renewal. API. An Application Programming Interface (API) is a set of routines, data structures, object classes and/or protocols provided by libraries, operating system services or, in the cloud, by the service itself, in order to support the building of applications. The openness and stability of a provider’s APIs bear directly on interoperability and on how hard it will be to leave (see Vendor Lock-In). Authorize.Net. A CyberSource solution, Authorize.Net is a payment gateway service provider allowing merchants to accept credit card and electronic-check payments through their Website.
Billing and Service Usage Metering. You can be billed for resources as you use them. This pay-as-you-go model means usage is metered and you pay only for what you consume; the contract should state what is metered, at what granularity, and how you can verify the meter against your own records. Billing in Advance. Charges for services to be provided at a later date. Billing in Arrears. Charges for services delivered in the previous billing period. Bill Run. Automated means of generating one or more invoices based on a number of billing preconditions, such as the date through which you would like to collect charges, a subset or the entire group of customers, etc. Booking. In a service or SaaS company, calculated as the sum of all charges on an order, including recurring charges, one-time fees and service fees in a given contract period. Booking is an operational metric used to track the performance of a business. Business Cloud. Whereas the technology cloud makes it easy to build and launch new services or to build applications in the cloud, the business cloud enables developers to leverage commerce services to monetize or make money from the services that they’re building in the cloud via service or recurring revenue models. Churn. A measure of customer attrition, calculated as the number of customers who discontinue service during a specified time period, divided by the total number of customers at the start of that period. Churn is an operational metric used to gauge the overall health of a subscription business. Churn is measured in units or dollars. Close Rate. Sales terminology for the percentage of sales prospects which result in actual paying business. Co-Location Facility (CoLo). A term for leasing a third party’s physical data center infrastructure, which usually includes the building, power, Internet connectivity and physical security. Consumption-Based Pricing Model. A pricing model whereby the service provider charges its customers based on the amount of the service the customer consumes, rather than a time-based fee.
For example, a cloud storage provider might charge per gigabyte of information stored. Contract Effective Date. The date from which the contract terms take effect. The date also can determine when certain charges can be billed to the customer, and often coincides with the start of the service. Contracted Monthly Recurring Revenue (CMRR). A key SaaS metric: current MRR plus the recurring revenue already contracted from new customers, up-sells and cross-sells, minus the MRR of customers known to be churning. Cross-Sell. A key SaaS metric measuring new software functionality or modules added to an existing software subscription agreement. Customer Acceptance Date. The date on which the customer accepted delivery of the service or of a change order associated with the service. The date can also determine when certain charges can be billed to the customer.
Customer Acquisition Cost (CAC). A key SaaS metric: the sales and marketing spend required to acquire one new customer. It is usually read together with the payback period, the number of months of a customer’s recurring revenue needed to recover that spend. Customer Lifetime Value (CLTV). A key SaaS metric that is used to measure customer value, usually over three to five years. Dashboard. A graphical representation of key business metrics, such as MRR, ACV/TCV, churn, conversion and close rates. Often resembling a pilot’s cockpit, the dashboard provides a snapshot of the health of the business. Downgrade. A downgrade is a change order or amendment to an existing contract or service where a customer chooses a lower service level. This can be a less-expensive service offering, or a smaller quantity (users, usage-level, etc.). Depending on business rules, this change may result in a prorated credit of the original service and/or a penalty fee associated with the change. Down-Sell. A key SaaS metric that measures when customers remove functionality, users or capability, which lowers the CMRR. Due Upon Receipt. Payment term in which payment is due immediately upon receipt of invoice. Electronic Payment. Any non-paper-based form of payment; e.g., ACH, wire transfer, credit or debit card. Evergreen. A subscription that renews automatically and remains active until one of the parties cancels it; check the notice period required to cancel. Freemium. A business model in which the SaaS or cloud computing provider offers basic features to users at no cost and charges a premium for supplemental or advanced features. Invoice-to-Collect. Part of the order-to-cash process that refers to the collection of payments from the customer, based on an invoice. The process includes invoice creation, collection management and dispute management, if any. Monthly Recurring Expenses (MRE). Expenses incurred every month. MRR (Monthly Recurring Revenue). Subscription fees normalized to a monthly value. Does not include set-up, activation or overage charges. MRR is a key metric for subscription businesses.
Order-to-Cash. The process in which a customer places an order, either via a Website or through a sales rep, the service is provisioned, an invoice is generated and finally payment for that invoice is collected. Order-to-cash is a recurring, ongoing process in a subscription business. Overage. Usage charges incurred when the usage included in the rate plan is exceeded. Pay As You Go. A cost model for cloud services that encompasses both subscription-based and consumption-based models, in contrast to the traditional IT cost model that requires up-front capital expenditures for hardware and software.
PCI Compliance/PCI DSS (Payment Card Industry Data Security Standard). The Payment Card Industry Data Security Standard (PCI DSS), maintained by the PCI Security Standards Council, is a set of requirements that all companies which process, store or transmit cardholder data must meet to maintain a secure environment. If a cloud service will handle payment card data, the contract should state which PCI DSS requirements the provider covers and which remain the customer’s responsibility. Quote-to-Cash. Term that refers to the end-to-end business process for creating a quote for a prospect or customer, order management, invoicing and cash receipt. Renewal. Agreeing to extend an existing software subscription agreement beyond the initial term. Renewal Rate. The percentage of subscriptions scheduled to expire during a given cycle that are actually renewed. Renewal rate is an operational metric which reflects overall customer satisfaction. It can be measured on a unit- or dollar-value basis. Revenue Recognition. The revenue recognition principle is a cornerstone of accrual accounting, together with the matching principle. They both determine the accounting period in which revenues and expenses are recognized. According to the principle, revenues are recognized when they are (1) realized or realizable, and (2) earned (usually when goods are transferred or services rendered), no matter when cash is received. In cash accounting, in contrast, revenues are recognized when cash is received, no matter when goods or services are sold. Sandbox. A sandbox is a separate technical environment where customers or prospects can test software or services with a subset of data without disruption to their production environment. Service Level Agreement (SLA). A contractual agreement by which a service provider defines the level of service, responsibilities, priorities and guarantees regarding availability, performance and other aspects of the service. Set-Up Fee. Also known as an activation fee, a set-up fee is a one-time charge levied to cover costs associated with getting a customer up and running on a service. SSAE 16. An attestation standard issued by the American Institute of Certified Public Accountants (AICPA), replacing SAS 70, under which an independent auditor reports on a service organization’s controls (a SOC 1 report). Its scope is controls relevant to customers’ financial reporting, so an SSAE 16 report is not by itself evidence of security controls; ask which control objectives the report actually covers. Subscription. SaaS licensing method where customers rent their software from the provider, usually over a one-to-three-year period. Subscription-Based Pricing Model. A pricing model that lets customers pay a fee to use the service for a particular time period, often used for SaaS services. Total Contract Value (TCV). Calculates the total recurring charges over the lifetime of a service. TCV is a key performance metric for SaaS or service-based businesses. Tiered Pricing. A common service and usage charge model where the unit price changes based on the incremental number of units purchased. For instance, users one to five may be charged full price and users six to ten a discounted price, with the discount applying only to the units in that band.
Upgrade. A change order or amendment to an existing contract or service where a customer chooses a higher service level. This can be a more expensive service offering or a larger quantity (users, usage-level, etc.). Up-Sell. A key SaaS metric measuring additional software functionality, users or capacity that is sold onto an existing software subscription agreement. Usage Charge. Charge associated with actual consumption of a given product or service. This can be measured in terms of time on a site, gigabytes of data, number of reports generated, miles driven or any other unit of measure. Usage Pricing. Pricing a service or item based on its consumption or usage, rather than a flat rate for a given service or period of time. Vendor Lock-In. Dependency on a particular cloud vendor and difficulty moving from one cloud vendor to another due to lack of standardized protocols, APIs, data structures (schema) and service models. Volume Pricing. A common service and usage charge model where the per-unit price for all units is set by the total number of units purchased, so reaching a higher band re-prices the whole order, unlike tiered pricing, which discounts only the units inside the band.
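Tiered and volume pricing are easy to confuse, and the difference decides what a given user count costs. The following is an added example, not code from the book or from any provider, that prices the same order under both models against a constructed rate card (the bands, prices and quantities are assumptions chosen for illustration). It also rejects rate cards whose bands overlap, and it finds the quantities at which volume pricing makes buying one more unit cheaper, a point a budget analyst should know before fixing a user count in a contract.

```python
"""Tiered (graduated) vs volume (all-units) pricing on one rate card.

Added example for the glossary entries above; not code from the book.
The rate card and quantities below are constructed for illustration.
"""
from decimal import Decimal

# Constructed rate card: each band is (upper bound of the band, inclusive,
# or None for the open-ended final band, unit price). Bands are stated by
# their upper bound so that they cannot overlap the way "1-5" and "5-10" do.
RATE_CARD = [
    (5, Decimal("100.00")),    # units 1-5 at full price
    (10, Decimal("80.00")),    # units 6-10 discounted
    (None, Decimal("60.00")),  # units 11 and up
]


def validate_rate_card(rate_card):
    """Reject ambiguous cards: bounds must strictly increase and only the
    last band may be open-ended. Returns the card unchanged if it is sound."""
    if not rate_card or rate_card[-1][0] is not None:
        raise ValueError("last band must be open-ended (upper bound None)")
    previous = 0
    for upper, price in rate_card[:-1]:
        if upper is None or upper <= previous:
            raise ValueError("band bounds must be strictly increasing")
        if price < 0:
            raise ValueError("negative unit price")
        previous = upper
    return rate_card


def tiered_price(units, rate_card=RATE_CARD):
    """Tiered pricing: each band prices only the units that fall inside it,
    so the discount applies to the marginal units, never to the whole order."""
    validate_rate_card(rate_card)
    total = Decimal(0)
    priced = 0  # units already charged by earlier bands
    for upper, price in rate_card:
        if units <= priced:
            break
        band_top = units if upper is None else min(units, upper)
        total += (band_top - priced) * price
        priced = band_top
    return total


def volume_price(units, rate_card=RATE_CARD):
    """Volume pricing: the band reached by the total quantity sets the unit
    price for every unit in the order."""
    validate_rate_card(rate_card)
    if units <= 0:
        return Decimal(0)
    for upper, price in rate_card:
        if upper is None or units <= upper:
            return units * price


def volume_cliffs(max_units, rate_card=RATE_CARD):
    """Quantities at which buying one more unit is cheaper under volume
    pricing; tiered pricing never produces these because it is monotone."""
    return [q for q in range(1, max_units)
            if volume_price(q + 1, rate_card) < volume_price(q, rate_card)]


if __name__ == "__main__":
    for q in (5, 8, 11, 12):
        print(f"{q:>3} units: tiered {tiered_price(q):>8}  volume {volume_price(q):>8}")
    print("volume-pricing cliffs:", volume_cliffs(20))
```

With this card, 8 units cost 740 tiered but 640 volume, and 11 units cost 960 tiered but 660 volume; under volume pricing 11 units are cheaper than 10 (660 versus 800), which is the kind of cliff a contract should make explicit rather than leave to the provider's billing system.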
STEP 4
Defining Potential Procurement Vehicles and Processes
Contracts and RFPs When you send out your RFP, it is a detailed list of requirements. Your RFP should be structured so that the response you get back from the vendors is a commitment and, as such, should be included, or at least referenced, in your contract. There are also arguments against including it, because the RFP may be a preliminary scope of work and the scope and services may change after discussions with your chosen vendor. Many of the items in the RFP are also procedural, such as how the vendor will be chosen and the contract awarded, and these do not need to be included in the final document.
How do you Gather Information on Cloud Services? Some Pre-Agreement Due-Diligence Questions
How long has the cloud vendor been offering cloud services?
Are they profitable? If so, for how long?
Does the company provide a reliable and secure service?
What compliance and controls are in place for the service?
Does the company provide 24x7 technical support?
Are there additional costs associated with the support provided?
What is included in the company’s technical support?
How many support techs are on the support team?
What technologies are supported?
What is their product roadmap?
What SLAs are standard and negotiated for the service?
Is there a long-term contract to sign up for the service?
Are there any set-up costs for us, the customer?
Are there discounts for high-volume usage? If so, at what volume levels?
Is there a minimum monthly spend required?
Is there a free trial period?
How are new customers on-boarded?
Do you have a self-service trial on your primary sources?
Is there a community site to learn from others?
Do you have test results to prove scalability?
What are the mechanisms within your as-a-service offering that support scalability?
At what point will you typically saturate?
Do you have a self-service trial on your data (not demo data)?
How long does it take to get up and running on our data?
How quickly can we access additional capacity?
Who are your investors? When was your last round of funding?
Is your company profitable?
How many customers do you have?
Who are some industry analysts to speak with about the strength of your company and solution?
Who holds ownership of the data?
Do you do anything with the data for your own purposes?
Does the vendor have strict policies on who can access data, including staff or other cloud tenants?
What does the provider do with access logs and other statistics?
Where is the data being stored?
Is your data kept separate from other clients’ data?
Who owns and has access to backups?
What regulations can the cloud vendor verify that they adhere to?
If data needs to be transferred back to the business, what form will it be delivered in?
How does the vendor protect against bit rot, catastrophic site loss and connection outages?
What happens when I need to transfer that data?
The format of the data.
The turnaround time.
The assistance provided.
Leverage Multiple Resources
The World Wide Web (LinkedIn, keyword search)
Request for Information
Peer Groups (IT, Procurement, vendor management)
Publications (Computerworld, Outsourcing, Tech Republic, Cloud Security Association, CIO Magazine, eWeek, Information Week, Baseline)
Customer References
Continuing your due diligence, you must be convinced that the vendors you want to do business with have the expertise, financial stability and proper safeguards in place to provide the services you want in a reliable and responsible manner. Ask prospective vendors for a list of clients they have done business with and contact them to see what they think of the vendor and the services provided. Ask if they are receiving the services the vendor promised. Make sure that the other customers are getting similar services so that you can compare like with like. The vendor might be very good in one area, but if that is not the area you are interested in, there is no guarantee that the services it provides you will be as good. Remember that some customers might be getting benefits from their vendor by acting as a reference. This benefit might be in the form of preferential treatment, reduced charges or waived service-visit fees. This is a common practice, although it certainly violates some organizations’ code of ethics – even if the benefits are going to the organization and not to any individual. Ask the reference customer if they receive any such benefits, and then weigh any information they give you in light of this.
A Process For Acquiring Cloud Computing Services
The federal government has a process that it uses after award of a contract, such as under the GSA Schedule 70. This is due diligence required before an actual task order or work statement can be issued to a cloud vendor. Following are requirements from the GSA IaaS RFP that address the Assessment and Authorization process.
Assessment and Authorization (A&A) Activities
The implementation of a new federal government IT system requires a formal approval process known as the Assessment and Authorization (A&A) process. NIST Special Publication 800-37 gives guidelines for performing the A&A process. For federal orders of Lots 1a and 1b, an appropriate moderate-impact Assessment & Authorization (A&A) as defined by FIPS 199 and FIPS 200 must be completed before any order can be fulfilled. For federal orders of Lot 1c, a high-impact Assessment & Authorization (A&A) by the ordering activity must be completed before any order can be fulfilled. The failure to obtain and maintain a valid authorization will be grounds for cancellation of the award and termination of any outstanding orders. All selected NIST 800-53 controls must be tested/assessed continuously.
Assessment of System (from GSA’s RFP)
1. The Quoter shall comply with NIST Special Publication 800-37 requirements as mandated by federal laws and policies, including making available any documentation, physical access and logical access needed to support this requirement. The Level of Effort for the A&A is based on the System’s NIST Federal Information Processing Standard (FIPS) Publication 199 categorization. The Quoter shall create, maintain and update the following A&A documentation:
System Security Plan (SSP) completed in agreement with NIST Special Publication 800-18, Revision 1. The SSP shall include as appendices the required policies and procedures across the 18 control families mandated per FIPS 200, Rules of Behavior and Interconnection Agreements (in agreement with NIST Special Publication 800-47).
Contingency Plan (including Disaster Recovery Plan) completed in agreement with NIST Special Publication 800-34.
Contingency Plan Test Report completed in agreement with GSA IT Security Procedural Guide 06-29, “Contingency Plan Testing.”
Plan of Actions & Milestones completed in agreement with GSA IT Security Procedural Guide 09-44, “Plan of Action and Milestones (POA&M).”
Independent Penetration Test Report documenting the results of vulnerability analysis and exploitability of identified vulnerabilities.
2. Information systems must be assessed whenever there is a significant change to the system’s security posture in accordance with NIST Special Publication 800-37 Revision 1, “Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach.”
3. At the moderate impact level, the Quoter will be responsible for providing an independent Security Assessment/Risk Assessment in accordance with the same NIST Special Publication 800-37 Revision 1.
4. The government reserves the right to perform a Penetration Test. If the government exercises this right, the Quoter shall allow government employees (or designated third-party auditors) to conduct Assessment and Authorization (A&A) activities, to include control reviews in accordance with NIST 800-53/NIST 800-53A. Review activities include but are not limited to operating system vulnerability scanning, Web application scanning and database scanning of applicable systems that support the processing, transportation, storage or security of government information. This includes the general support system infrastructure.
5. Identified gaps between required 800-53 controls and the quote’s implementation as documented in the Security Assessment/Risk Assessment report shall be tracked for mitigation in a Plan of Action and Milestones (POA&M) document. Depending on the severity of the gaps, the government may require them to be remediated before an Authorization to Operate is issued.
6. The Quoter is responsible for mitigating all security risks found during A&A and continuous monitoring activities. All high-risk vulnerabilities must be mitigated within 30 days and all moderate-risk vulnerabilities must be mitigated within 90 days from the date the vulnerabilities are formally identified. The government will determine the risk rating of vulnerabilities.
Authorization of System
1. Upon receipt of the documentation described in NIST Special Publication 800-37 and as previously documented, the ordering activity’s Authorizing Officials (AOs) for the system (in coordination with the ordering activity Senior Agency Information Security Officer (SAISO), system Program Manager, Information System Security Manager (ISSM) and Information System Security Officer (ISSO)) will render an authorization decision to:
Authorize system operation without any restrictions or limitations on its operation;
Authorize system operation with restriction or limitation on its operation; or
Not authorize for operation.
2. The Quoter shall provide access to the federal government, or their designee acting as their agent, when requested, in order to verify compliance with the requirements for an Information Technology security program. The government reserves the right to conduct onsite inspections. The Quoter shall make appropriate personnel available for interviews and documentation during this review. If documentation is considered proprietary or sensitive, these documents may be reviewed onsite under the hosting Quoter’s supervision.
Reporting and Continuous Monitoring
Maintenance of the security Authorization to Operate will be through continuous monitoring and periodic audit of the operational controls within a Quoter’s system, environment and processes to determine if the security controls are meeting government regulatory and compliance requirements. Through continuous monitoring, security controls and supporting deliverables will be maintained and submitted to an ordering activity in accordance with customer IT security standards, policies and reporting requirements. NIST has published SP 800-86, Guide to Integrating Forensic Techniques into Incident Response. SP 800-86 defines in a much more precise and specific way the procedures, issues and technologies required to move an incident from the point of discovery all the way through to resolution.
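The POA&M tracking and remediation deadlines in items 5 and 6 above (30 days for high-risk, 90 days for moderate-risk findings, rated by the government) are simple to state but easy to lose track of across a continuous-monitoring cycle. The following tracker is an added example, not part of the GSA RFP or this guide: it applies those deadlines to constructed sample findings, flags overdue and late-closed items, and lists the items an Authorizing Official might hold an ATO on (the "open high-risk item" rule is an assumption for the example; the page leaves that threshold to the AO).

```python
"""POA&M remediation-deadline tracker (added example, not from the GSA RFP).

Rule from the A&A requirements: high-risk findings must be mitigated within
30 days and moderate-risk findings within 90 days of formal identification.
All findings below are constructed sample data; identifiers are hypothetical.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Remediation windows in days, keyed by the government-assigned risk rating.
# The page sets no deadline for low-risk items, so they are tracked but never
# flagged as overdue.
REMEDIATION_DAYS = {"high": 30, "moderate": 90}

# Reporting date used by the stand-alone run and the checks (constructed).
AS_OF = date(2024, 4, 30)


@dataclass
class Finding:
    finding_id: str              # hypothetical POA&M tracker identifier
    control: str                 # NIST SP 800-53 control the gap maps to
    risk: str                    # government-assigned rating: high/moderate/low
    identified: date             # date the finding was formally identified
    description: str
    mitigated: Optional[date] = None   # date closure evidence was accepted

    def due(self) -> Optional[date]:
        """Contractual remediation deadline, or None if the page sets none."""
        days = REMEDIATION_DAYS.get(self.risk)
        return None if days is None else self.identified + timedelta(days=days)

    def status(self, today: date) -> str:
        due = self.due()
        if self.mitigated is not None:
            # A late closure still matters for the audit record and the AO.
            return "closed-late" if due and self.mitigated > due else "closed"
        if due is None:
            return "open"
        return "overdue" if today > due else "open"


def poam_report(findings: List[Finding], today: date) -> Dict[str, List[str]]:
    """Group finding ids by status for a continuous-monitoring submission."""
    report: Dict[str, List[str]] = {
        "open": [], "overdue": [], "closed": [], "closed-late": []}
    for f in findings:
        report[f.status(today)].append(f.finding_id)
    return report


def ato_blockers(findings: List[Finding], today: date) -> List[str]:
    """Findings the AO may require remediated before issuing an ATO: any
    overdue item, plus any still-open high-risk item (example assumption)."""
    return sorted(
        f.finding_id for f in findings
        if f.status(today) == "overdue"
        or (f.risk == "high" and f.mitigated is None)
    )


# Constructed sample POA&M entries (not real findings).
SAMPLE_FINDINGS = [
    Finding("POAM-001", "RA-5", "high", date(2024, 3, 1),
            "Unpatched critical OS vulnerability on hypervisor hosts",
            mitigated=date(2024, 3, 20)),
    Finding("POAM-002", "AC-2", "moderate", date(2024, 2, 15),
            "Orphaned privileged accounts not disabled"),
    Finding("POAM-003", "SC-7", "high", date(2024, 3, 25),
            "Management interface reachable from tenant network"),
    Finding("POAM-004", "AU-6", "low", date(2024, 1, 5),
            "Audit review frequency not documented"),
    Finding("POAM-005", "CM-6", "moderate", date(2024, 1, 10),
            "Database configuration deviates from approved baseline",
            mitigated=date(2024, 4, 15)),
]

if __name__ == "__main__":
    for status, ids in poam_report(SAMPLE_FINDINGS, AS_OF).items():
        print(f"{status:12s} {', '.join(ids) or '-'}")
    print("ATO blockers:", ", ".join(ato_blockers(SAMPLE_FINDINGS, AS_OF)))
```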
Using the Performance-Based Services Acquisition Process for Cloud Acquisitions
Benefits of Performance-Based Acquisition
Performance-based service acquisition has many benefits. They include:
Increased likelihood of meeting mission needs
Focus on intended results, not process
Better value and enhanced performance
Less performance risk
No detailed specification or process description needed
Contractor flexibility in proposing solution
Better competition: not just contractors, but solutions
Contractor buy-in and shared interests
Shared incentives permit innovation and cost effectiveness
Less likelihood of a successful protest
Surveillance: less frequent, more meaningful
Results documented for Government Performance and Results Act reporting, as by-product of acquisition
Variety of solutions from which to choose
The Process
1. Establish the team.
2. Decide what problems need solving.
3. Examine private-sector and public-sector solutions.
4. Develop a PWS or SOO.
5. Decide how to measure and manage performance.
6. Select the right contractor.
7. Manage performance.
Establish the Team
Who needs to be on the matrix team?
Structure of team - can be multi-tiered.
Responsibilities - who does what?
Single contact with vendor.
Tasks, Features and Best Practices:
Ensure senior management involvement and support.
Tap multi-disciplinary expertise.
Define roles and responsibilities.
Develop rules of conduct.
Empower team members.
Identify stakeholders and nurture consensus.
Develop and maintain the knowledge base over the project life.
“Incent” the team: Establish a link between the program mission and team members’ performance.
Ensure senior management involvement and support. Most best-practice studies agree: senior management involvement and support is a predictor of success. For example, the CIO Council document, “Implementing Best Practices: Strategies at Work,” cited “strong leadership at the top” as a “success factor” in the selection, evaluation and control processes associated with acquisition investment review. By its very nature, an integrated solutions team has members whose affiliations cut across organizational boundaries. “Turf” can become an issue unless there is strong, effective senior management support and a shared vision. Program decision makers should be on the team and, in fact, are now required by the Federal Acquisition Regulation (FAR) to “describe the need to be filled using performance-based acquisition methods.” Creating “buy in” from leadership and establishing the realms of authority are essential to performance-based project success.
Tap multi-disciplinary expertise. Because of the mission-based and program-based focus of acquisition that has resulted from acquisition reform and from mandates for performance-based acquisition, many more types of people play a role in acquisition teams today. In addition to contracting staff, for example, are those from the program, financial, user and even legal offices. All of these skills and more can be required to create a true performance-based approach to an agency’s needs. It is important to recognize that integrated solution teams are not a “training ground.” They’re a “field of operation” for not just four or six or eight people, but four or six or eight people who are among the best in their fields and have a grounding in, or have been trained in, acquisition. Team composition is a critical success factor in performance-based acquisition.
Define roles and responsibilities. It is important that the members of the team understand what their roles and responsibilities are.
Regardless of its representation, the team is responsible for ensuring that the acquisition:
Satisfies legal and regulatory requirements
Has performance and investment objectives consistent with the agency’s strategic goals
Successfully meets the agency’s needs and intended results
Remains on schedule and within budget
Successful teams typically have a number of features: shared leadership roles, individual as well as mutual accountability, collective work-products, performance measures related to the collective work product and other ingredients. In a team environment, the roles and responsibilities of the members blur and merge, often with striking results.
Develop rules of conduct. Seasoned facilitators and team leaders know this: It is important to develop rules of conduct for groups of people. Setting the rules, and then insisting on their use, is a key to effective team operation. Given a clear purpose and defined approach for working together, teams are much more likely to move quickly through the early phases of team performance and achieve the desired result.
Empower team members. The “Statement of Guiding Principles for the Federal Acquisition System” says it most simply: “Participants in the acquisition process should work together as a team and should be empowered to make decisions within their area of responsibility.” (FAR 1.102(a)) Clearly defined levels of empowerment are critical to success. The Department of Commerce, in its CONOPS (Concept of Operations) acquisition program, has examined the concept of what “empowerment” means in detail. The department believes that empowerment is tied to responsibility, authority and autonomy. In the agency’s project planning tool are the lifecycle tasks of an acquisition and an identification of where responsibility for the performance of that task typically resides.
Identify stakeholders and nurture consensus. Stakeholders may include customers, the public, oversight organizations and members and staff of Congress. It is important for the team to know who the stakeholders are and the nature of their interests, objectives and possible objections. At a minimum, stakeholders should be consulted and, at times, may participate on the team.
In developing the acquisition, the key tools the team should use are consensus and compromise, without losing sight of the three key questions: 1. What do I need? 2. When do I need it? 3. How do I know it’s good when I get it?
Develop and maintain the knowledge base over the project life. “How do you predict the future ... you create it.” (Peter Drucker)
An emerging concern in the acquisition community is “knowledge management.” There are many definitions, but the simplest may well be “the right knowledge in the right place at the right time and in the right context.” Knowledge management is a people issue, not a technology issue. Consider the need to manage the project’s knowledge base in this light: Acquisitions often take months, and the contracts that are awarded are often performed over years. People join the team and people leave, taking their knowledge with them. Further, those people that began the project and those that oversee the project are often different. Modification may begin right away. And we wonder why contract performance is sometimes a problem? The approach needs to shift from a focus on contracting to a focus on both acquisition and project management. Where possible, the same key members of the team (program manager, project manager and contracting officer) should be part of the integrated solutions team from the initial discussions of mission-based need, through contract performance and, indeed, to contract closeout. With this continuity, and a focus on maintaining the project’s knowledge base, the likelihood of success is exponentially greater.
“Incent” the team: Link program mission and team members’ performance. If continuity is important, what can be done to keep a team together? Added to empowerment and a shared vision, incentives are key. The most fundamental incentives are those that link program mission and team members’ performance, and then tie performance to pay. Like contractor incentives, the team’s objectives should carry a value in terms of pay, recognition and awards. Keep in mind that these performance objectives should be program-based, not acquisition-based. Who cares if the contract is awarded in two months, if it takes two years to get deliverables in the hands of the users? Make sure the incentives are tied to the “right” results.
Tip: If the acquisition has performance objectives, and the contractor has performance objectives, then the government team should also have performance objectives.
Decide What Problem Needs Solving
Because a clearer, performance-based picture of the acquisition should be the team’s first consideration, it is not yet time to retrieve the requirement’s former solicitation, search for templates, think about contract type or incentives, or decide on the contractor or the solution. Planning for an acquisition should begin with business planning that focuses on the desired improvement.
The first consideration is what problem the agency needs to solve. What results are needed? Will it meet the organizational and mission objectives? Changes made to the Federal Acquisition Regulation emphasize that acquisition planning must encompass performance-based considerations. FAR 7.105 (Contents of written acquisition plans) specifically provides that “Acquisition plans for service contracts or orders must describe the strategies for implementing performance-based acquisition methods or must provide rationale for not using those methods.” Moreover, the responsibility for performance-based strategies is tied back to program officials:
“Agency program officials are responsible for accurately describing the need to be filled, or problem to be resolved, through service contracting in a manner that ensures full understanding and responsive performance by contractors and, in so doing, should obtain assistance from contracting officials, as needed. To the maximum extent practicable, the program officials shall describe the need to be filled using performance-based acquisition methods.” [FAR 37.102(e)]
The Government Performance and Results Act of 1993 requires that agencies establish and “manage to” mission-related performance goals and objectives. It stands to reason that any significant, mission-critical acquisition should relate in some way to the Results Act objectives. Although many acquisitions do not make this link, performance-based acquisitions must make this connection to the agency’s strategic plan and to employees’ performance plans.
Link acquisition to mission and performance objectives. The most important foundation for an acquisition is the intended effect of the contract in supporting and improving an agency’s mission and performance goals and objectives (reported to OMB and Congress under the Results Act’s strategic and annual performance planning processes). Describing an acquisition in terms of how it supports these mission-based performance goals allows an agency to establish clearly the relationship of the acquisition to its business, and it sets the stage for crafting an acquisition in which the performance goals of the contractor and the government are in sync. This mission-based foundation normally must be established by or in cooperation with people who work in the program area that the resources will support when they are acquired. (This is why assembling the team is the first step in a performance-based acquisition.) Again, note that the focus is not what resources are required; the focus is what outcome is required. With this foundation, when the planning process is complete, an agency should be able to demonstrate clearly how an individual acquisition’s performance objectives will assist in achieving the agency’s mission and goals. In addition to the Government Performance and Results Act, the President’s Management Agenda has added the requirement for performance-based budgeting. This links funding to performance, and ensures that programs making progress towards achieving their goals will continue to receive funding. Conversely, programs unable to show adequate progress may lose option-year funding.
Define (at a high level) desired results. Once the acquisition is linked to the agency’s mission needs, the thoughts of the team should turn to what, specifically, are the desired results (outcomes) of contract performance? Is it a lower level of defaults on federal loans? Is it a reduction in benefit processing time? Is it broader dissemination of federal information?
Is it a reduction in the average time it takes to get relief checks to victims? What is the ultimate intended result of the contract, and how does it relate to the agency’s strategic plan? Note that these are questions that a former solicitation, or someone else’s solicitation, cannot answer. This is one of the tough tasks that the integrated solutions team must face. These answers can normally be found, not with an exhaustive analysis, but through facilitated work sessions with program staff, customers and stakeholders. By taking the process away from a review of paper or an examination of the status quo, greater innovation and insight is possible. Once aired, those thoughts need to be captured in the performance work statement (PWS) or statement of objectives (SOO). Note also that, to do this well, the team will need to plan to seek information from the private sector during market research (process number three).
Decide what constitutes success. Just as important as a clear vision of desired results is a clear vision of what will constitute success for the project. These are two distinct questions: Where do I want to go, and how will I know when I get there?
Remember: Industry benchmarks and best practices from the “best in the business” may help sharpen the team’s focus on what the performance objectives should be.
In the Joint Direct Attack Munitions (JDAM) research and development acquisition, for example, affordability (in terms of average unit production price) was a key element, along with “how well the product met the live-or-die criteria.” Affordability was communicated in no uncertain terms from top-level management to the acquisition team and from the acquisition team to the competing contractors.
As the project manager recalled, “I had a strong sense of empowerment ... from the Air Force Chief of Staff who said basically, ‘Do what you have to do to get the products under $40,000’ ...” With that clear a mandate and the benefits of head-to-head contractor competition, the final, winning proposal included an average unit production price between $14,000 and $15,000 – far lower than the original cost target of $40,000 and the original cost estimate of $68,000 per unit. So it is important to establish a clear target for success, which will then serve to focus the efforts of the integrated solutions team in crafting the acquisition, the contractors in competing for award and the government-industry team throughout contract performance.
Determine the current level of performance. The main reason to determine the current level of performance is to establish the baseline against which future performance can be measured. If you don’t know where you started, you can’t tell how far you’ve come. In order to think about taking measurements of current performance, think about what happens when you rent a car. The company will give you a piece of paper with an outline of a car on it. You’re asked to go outside and mark on the diagram every nick and scratch you see, so that when you return the car, the baseline is clear. This is precisely what you need to do with your current contracts or operations. Keep in mind that the government doesn’t necessarily have to do the baseline measurement. Another approach is to require a set of metrics as a deliverable under a current contract. Even if there were no existing provision, this could easily be done via contract modification. New solicitations can be written with provision for delivery of baseline and/or current performance levels, either annually, at the end of the contract or both. The integrated solutions team must determine the adequacy of the baseline data for the new contract, to ensure they achieve the best results.
Collect and Prioritize Objectives
Prioritize negotiating objectives to crystallize customer’s goals in the deal.
Gain team consensus.
Create a roadmap for negotiations.
Where are you today – what is future vision – where do you want to be?
What type of data is involved?
Acquire Software or use Cloud Services?
Is it SaaS, IaaS or PaaS?
Examine Private- and Public-Sector Solutions
Once the acquisition’s intended results have been identified, the integrated solutions team should begin to examine both private-sector and public-sector solutions. This is called “market research,” and it is a vital means of arming the team with the expertise needed to conduct an effective performance-based acquisition. Market research is the continuous process of collecting information to maximize reliance on the commercial marketplace and to benefit from its capabilities, technologies and competitive forces in meeting an agency need. Market research is essential to the government’s ability to buy best-value products and services that solve mission-critical problems. Acquisition reform has opened the door to effective new approaches to market research that should be undertaken by the integrated solutions team long before attempting to write a performance work statement.
Take a team approach to market research. In the past, it was not unusual for technical staff to conduct market research about marketplace offerings, while contracting staff conducted market research more focused on industry practices and pricing. A better approach is for the entire integrated solutions team to be a part of the market research effort. This enables the members of the team to share an understanding and knowledge of the marketplace – an important factor in the development of the acquisition strategy – and a common understanding of what features, schedules, terms and conditions are key elements.
Spend time learning from public-sector counterparts. While many are familiar with examining private-sector sources and solutions as part of market research, looking to the public sector is not as common a practice. Yet it makes a great deal of sense on several levels. First, there is an increased interest in cross-agency cooperation and collaboration.
If the need is for help-desk support, for example, many federal agencies have “solved” that problem and could potentially provide services through an interagency agreement or through an existing multiple-award contract vehicle. Alternatively, it could be that to provide seamless services to the public, two or more agencies need to team together to acquire a solution. Second, agencies with similar needs may be able to provide lessons learned and best practices. For example, the Department of Commerce COMMITS office has frequently briefed other agencies on the process of establishing a Government-wide Agency Contract (GWAC). (See www.contractdirectory.gov) Another agency that we are aware of is now conducting public-sector market research about seat management implementation in the federal government. So it is important for the integrated solutions team to talk to their counterparts in other agencies. Taking the time to do so may help avert problems that could otherwise arise in the acquisition.
Talk to private-sector companies before structuring the acquisition. With regard to the more traditional private-sector market research, it is important to be knowledgeable about commercial offerings, capabilities and practices before structuring the acquisition in any detail. This is one of the more significant changes brought about by acquisition reform. Some of the traditional ways to do this include issuing “sources sought” type notices at FedBizOps.gov, conducting “Industry Days,” issuing Requests for Information and holding pre-solicitation conferences. But it is also OK to simply pick up the phone and call private-sector company representatives. Contact with vendors and suppliers for purposes of market research is now encouraged. In fact, FAR 15.201(a) specifically promotes the exchange of information “among all interested parties, from the earliest identification of a requirement through receipt of proposals.” The limitations that apply (once a procurement is underway) are that prospective contractors be treated fairly and impartially and that standards of procurement integrity (FAR 3.104) be maintained. But the real key is to begin market research before a procurement is underway.
Consider one-on-one meetings with industry. While many may not realize it, one-on-one meetings with industry leaders are not only permissible (see Federal Acquisition Regulation 15.201(c)(4)) – they are more effective than pre-solicitation or pre-proposal conferences. Note that when market research is conducted before a solicitation or performance work statement is drafted, the rules are different. FAR 15.201(f) provides, for example, “General information about agency mission needs and future requirements may be disclosed at any time.” Since the requirements have not (or should not have) been defined, disclosure of procurement-sensitive information is not an issue.
It is effective to focus on commercial and industry best practices, performance metrics and measurements, innovative delivery methods for the required services and incentive programs that providers have found particularly effective. This type of market research can expand the range of potential solutions, change the very nature of the acquisition, establish the performance-based approach, and represent the agency’s first step on the way to an “incentivized” partnership with a contractor.
Look for existing contracts. FAR Part 10 requires that, as part of market research to see if there is an existing contract available to meet agency requirements, the Integrated Solutions Team go to www.contractdirectory.gov.
Document market research. FAR Part 10 requires that a written market research report be placed in the contract file. The amount of research, given the time and expense, should be commensurate with the size of the acquisition.
Develop a PWS or SOO
There are two ways to develop a specification for a performance-based acquisition: by using a performance work statement (PWS) or a statement of objectives (SOO). The PWS process is discussed in most existing guides on performance-based acquisition. Among its key processes are the conduct of a job analysis and development of a performance work statement and quality assurance and surveillance plan. When people talk about performance-based acquisition, this is typically the model
Contracting for Cloud Services
they have in mind. The alternative process—use of the SOO—is a more recent methodology that turns the acquisition process around and requires competing contractors to develop the performance work statement, performance metrics and measurement plan, and quality assurance plan, all of which should be evaluated before contract award. If the SOO approach is used, FAR 37.602(c) directs you to remove the SOO when the contract or task order is awarded, and replace it with the awardee’s winning PWS.
The SOO approach is described briefly in the Department of Defense “Handbook for Preparation of Statement of Work (SOW),” Section 5. As that handbook explains, the SOO is a government-prepared document incorporated into the RFP that states the overall solicitation objectives. It can be used in those solicitations where the intent is to provide the maximum flexibility to each offeror to propose an innovative development approach. The SOO is a very short document (e.g., under 10 pages) that provides the basic, high-level objectives of the acquisition. It is provided in the solicitation in lieu of a government-written statement of work or performance work statement. In this approach, the contractors’ proposals contain statements of work and performance metrics and measures (which are based on their proposed solutions and existing commercial practices).
Clearly, use of the SOO opens the acquisition up to a wider range of potential solutions. The Veterans Benefits Administration loan servicing acquisition discussed under step two and in this step was conducted (very successfully) using a SOO. The integrated solutions team should consider these two approaches and determine which is more suitable:
Use of a PWS
Use of a SOO
Using a PWS – Conduct an analysis
Preparing a PWS begins with an analytical process, often referred to as a “job analysis.” It involves a close examination of the agency’s requirements and tends to be a “bottom up” assessment with “reengineering” potential. This analysis is the basis for establishing performance requirements, developing performance standards, writing the performance work statement and producing the quality assurance plan. Those responsible for the mission or program are essential to the performance of the job analysis. A different approach to the analytical process is described in the “Guidebook for Performance-Based Services Acquisition (PBSA) in the Department of Defense.” It describes three “analysis-oriented steps” that are “top down” in nature:
Define the desired outcomes: What must be accomplished to satisfy the requirement?
Conduct an outcome analysis: What tasks must be accomplished to arrive at the desired outcomes?
Conduct a performance analysis: When or how will I know that the outcome has been satisfactorily achieved, and how much deviation from the performance standard will I allow the contractor, if any?
The integrated solutions team should consider the various approaches. Neither the Office of Federal Procurement Policy (OFPP) nor Department of Defense guide is mandatory; both describe an approach to analysis. Regardless of the analytical process adopted, the team’s task under step four is to develop certain information:
A description of the requirement in terms of results or outcomes
Measurable performance standards
Acceptable quality levels (AQLs)
The AQL establishes the allowable error rate or variation from the standard. OFPP’s best-practices guide cites this example: In a requirement for taxi services, the performance standard might be “pickup within five minutes of an agreed upon time.” The AQL then might be five percent; i.e., the taxi could be more than five minutes late no more than five percent of the time. Failure to perform within the AQL could result in a contract price reduction or other action. With regard to performance standards and AQLs, the integrated solutions team should remember that an option is to permit contractors to propose standards of service, along with appropriate price adjustment or other action. This approach fosters a reliance on standard commercial practices. (Remember that all these points—performance standards, quality levels and price—are negotiable.)
Apply the “so what?” test. There is nothing as useless as doing efficiently that which should not be done at all. (Peter Drucker)
An analysis of requirements is often, by its nature, a close examination of the status quo; that is, it is often an analysis of process and “how” things are done – exactly the type of detail that is not supposed to be in a PWS. The integrated solutions team needs to identify the essential inputs, processes and outputs during job analysis. Otherwise, the danger is that contractors will bid back the work breakdown structure, and the agency will have failed to solicit innovative and streamlined approaches from the competitors. One approach is to use the “so what?” test during job analysis. For example, once job analysis identifies outputs, the integrated solutions team should verify the continued need for the output. The team should ask questions such as, who needs the output? Why is the output needed? What is done with it? What occurs as a result? Is it worth the effort and cost? Would a different output be preferable?
Capture the results of the analysis in a matrix. As the information is developed, the integrated solutions team should begin capturing the information in a performance matrix. The Department of Treasury guide, “Performance-Based Service Contracting” illustrates a six-column approach with the following:
Desired Outcomes: What do we want to accomplish as the end result of this contract?
Required Service: What task must be accomplished to give us the desired result? (Note: Be careful this doesn’t become a “how” statement.)
Performance Standard: What should the standards for completeness, reliability, accuracy, timeliness, customer satisfaction, quality and/or cost be?
Acceptable Quality Level (AQL): How much error will we accept?
Monitoring Method: How will we determine that success has been achieved?
Incentives/Disincentives for Meeting or Not Meeting the Performance Standards: What carrot or stick will best reward good performance or address poor performance? [This reflects priced and unpriced adjustments based on an established methodology. Reductions can be made for reduced value of performance.]
The Treasury guide provides templates for help desk, seat management, systems integration, software development and system design/business process re-engineering services. The Department of Defense approach is very similar: take the desired outcomes, performance objectives, performance standards and acceptable quality levels that have been developed during the analytical process, and document them in a Performance Requirements Summary (PRS). The PRS matrix has five columns: performance objective, performance standard, acceptable quality level, monitoring method and incentive. The PRS serves as the basis for the performance work statement.
Write the performance work statement. There is no standard template or outline for a PWS. The Federal Acquisition Regulation only requires that agencies:
Describe the work in terms of the required results rather than either “how” the work is to be accomplished or the number of hours to be provided.
Enable assessment of work performance against measurable performance standards.
Rely on the use of measurable performance standards and financial incentives in a competitive environment to encourage competitors to develop and institute innovative and cost-effective methods of performing the work.
In terms of organization of information, a SOW-like approach is suitable for a performance work statement: introduction, background information, scope, applicable documents, performance requirements, special requirements (such as security) and deliverables. However, the team can adapt this outline as appropriate. Before finishing, there should be final checks:
Examine every requirement carefully, and delete any that are not essential.
Search for process descriptions or “how” statements, and eliminate them.
Tip: Many agencies have posted examples of performance-based solicitations that can provide some guidance or helpful ideas. (See LINKS section)
However, since the nature of performance-based acquisition is (or should be) tied to mission-unique or program-unique needs, keep in mind that another agency’s solution may not be a good model.
Let the contractor solve the problem, including the labor mix. FIRST, keep this important “lesson learned” in mind: Don’t spec the requirement so tightly that you get the same solution from each offeror. SECOND, performance-based service acquisition requires that the integrated solutions team usually must jettison some traditional approaches to buying services, such as specifying labor categories, educational requirements or number of hours of support required. Those are “how” approaches. Instead, let contractors propose the best people with the best skill sets to meet the need and fit the solution. The government can then evaluate the proposal based both on the quality of the solution and the experience of the proposed personnel.
In making the shift to performance-based acquisition, remember this: The significant problems we face cannot be solved at the same level of thinking we were at when we created them. (Albert Einstein)
The Department of Defense addresses this in the “Guidebook for Performance-Based Services Acquisition (PBSA) in the Department of Defense.” The guide provides as follows: Prescribing manpower requirements limits the ability of offerors to propose their best solutions, and it could preclude the use of qualified contractor personnel who may be well suited for performing the requirement but may be lacking—for example—a complete college degree or the exact years of specified experience.
For some services, in fact, such practices are prohibited. Congress passed a provision (section 813) in the 2001 Defense Authorization Act, now implemented in the FAR (with government-wide applicability, of course). It prescribes that, when acquiring information technology services, solicitations may not describe any minimum experience or educational requirements for proposed contractor personnel unless the contracting officer determines that needs of the agency either (1) cannot be met without that requirement or (2) require the use of other than a performance-based contract.
THIRD, note there are times when more prescriptive language is required in a PWS or in a SOO. For example, when acquiring services where life and limb are at stake, agencies may provide more details regarding what has to be done. Guard services typically follow an agency security plan, and there are certain aspects to the work that cannot be left to “contractor innovation.” Further, services of this type will have 100-percent performance standards (any intrusion is unacceptable), whereas for most other service types, the price for “perfection” would be unaffordable. Remember that how the performance work statement is written will either empower the private sector to craft innovative solutions, or limit (sometimes but not always properly) or cripple that ability.
Using a SOO
As discussed previously, an alternative approach to development of the PWS is to develop a statement of objectives. The FAR now provides that the SOO shall include “at a minimum” the following:
Purpose
Scope or Mission
Period and Place of Performance
Background
Performance Objectives (i.e., required results)
Any Operating Constraints
The government-prepared SOO is usually incorporated into the RFP either as an attachment or as part of Section L. At contract award, the contractor-proposed statement of work (solution) can be incorporated by reference or integrated into Section C.
Begin with the acquisition’s “elevator message.” How many solicitations have you seen that begin with a statement such as, “This is a solicitation for a time-and-materials contract,” or “The purpose of this solicitation is to acquire information technology hardware, software and services.” Or this one (true story): “This is a performance-based specification to acquire services on a time-and-materials basis.” In the context of performance-based acquisition, all are bad starts. The first statement made in a statement of objectives should be an explanation of how the acquisition relates to the agency’s program or mission need and what problem needs solving (as identified under step two). For example, in a task order solicitation by the Veterans Benefits Administration, this statement was made:
The purpose of this task order is to obtain loan servicing in support of VA’s portfolio that will significantly improve loan guaranty operations and service to its customers.
This simple statement was a signal that the acquisition had made a huge break from the predecessor contract, which had started with something like, “This is a requirement for information technology resources.” The turnaround was the realization that the need was for loan servicing support services; technology was the enabler.
Describe the scope. A short description of scope in the SOO helps the competitors get a grasp on the size and range of the services needed. The Veterans Benefits Administration’s scope statement follows:
The purpose of this [task order] is to provide the full range of loan servicing support. This includes such activities as customer management, paying taxes and insurance, default management, accounting, foreclosure, bankruptcy, etc., as well as future actions associated with loan servicing. This Statement of Objectives reflects current VA policies and practices, allowing offerors to propose and price a solution to known requirements. It is anticipated that specific loan servicing requirements and resulting objectives will change over the life of this order. This will result in VA modifying this order to incorporate in-scope changes.
Another consideration for the integrated solutions team is the budget authority (in dollars) available to fund the acquisition. In an acquisition approach as “wide open” as a statement of objectives, the competing contractors will need insight into funding authority so that they can size their solution to be both realistic and competitive. This may be listed as a constraint.
Write the performance objectives into the SOO. In step two, the task of the integrated solutions team was to “decide what problem needs solving.” The basis for that analysis was information in the agency’s strategic and annual performance plans, program authorization documents, budget documents, and discussions with project owners and stakeholders. That information constitutes the core of the statement of objectives. In the case of the Veterans Administration, for example, the acquisition’s performance objectives were set forth in this opening statement:
VA expects to improve its current loan servicing operations through this task order in several ways. Primary among these is to increase the number and value of saleable loans. In addition, VA wants to be assured that all payments for such items as taxes and insurance are always paid on time. As part of these activities, the VA also has an objective to improve Information Technology information exchange and VA’s access to automated information on an as required basis to have the information to meet customer needs and auditors’ requirements.
What is immediately obvious is that these are mission-related, measurable objectives.
Make sure the government and the contractor share objectives.
When the acquisition’s objectives are “grounded in” the plans and objectives found in agency strategic performance plans, program authorization documents, and budget and investment documents, then the government and the contractor are clearly working in a partnership toward shared goals. This is a far cry from the old-school acquisition approach, characterized by driving cost down and then berating the supplier to demand delivery. When the agency and the contractor share the same goals, the likelihood of successful performance rises dramatically.
Identify the constraints. The purpose of a SOO is to provide contractors with maximum flexibility to conceive and propose innovative approaches and solutions. However, in some cases, there may be constraints that the government must place on those solutions. For example, core financial systems used by federal agencies must comply with requirements of OMB Circular A-127 and the guidance of the Joint Financial Management Improvement Program. Acquisitions related to technology will need to conform to the agency’s information technology architecture and accessibility standards. In addition, there may be considerations of security, privacy and safety that should be addressed. There may also be existing policies, directives and standards that are constraining factors. The integrated solutions team should work with program managers, staff, customers and stakeholders to identify these and to confirm their essentiality.
Develop the background. The background and current environment set forth in a SOO comprise important information for contractors. The Veterans Benefits Administration’s statement of work included sections on:
VA loan servicing history,
Current VA Portfolio Origination/Acquisition Process, and
Overview of the Current Servicing Process.
A best practice when using a SOO is to provide a brief overview of the program, listing links to Web-delivered information on the current contract, government-controlled, government-furnished equipment, and a hardware configuration or enterprise architecture, as appropriate. The development of this information is essential so that contractors can perform meaningful due diligence.
Make the final checks and maintain perspective. Before finalizing the document, the integrated solutions team should examine the entire SOO carefully and delete anything that is not essential. Even more so than performance work statements, it is extremely unlikely that another agency’s SOO would prove very useful. Since this approach to performance-based acquisition is relatively new, the integrated solutions team should examine them critically. New processes take time to perfect – and require ongoing experimentation and innovation.
Developing a Performance-Based Work Statement
A performance-based SOW is also called a Performance Work Statement (PWS). It forms the basis for successful performance by the contractor and effective administration of the contract by the government. A well-written PWS enhances the opportunity for all potential offerors to compete equally for government contracts and serves as the standard for determining if the contractor meets the stated performance requirements. The SOW has to be written clearly and without ambiguity so that vendors bid only on the services required. The SOW process is discussed in most existing guides on performance-based service contracting and in the Federal Acquisition Regulation. Among its key processes are the conduct of a job analysis, development of a performance work statement, and a quality assurance and surveillance plan. When people talk about performance-based contracting, this is typically the model they have in mind.
In performance-based contracting the SOW is replaced with a SOO and other documents. In essence, the ensuing contract will detail “what” is to be done rather than “how” it is to be done, i.e., it is performance-based. When a SOO is issued, potential vendors are required to submit a Performance-based Work Statement (PBWS) which explains how they will meet the agency’s objectives. The PBWS gives the vendor a lot more flexibility in coming up with creative solutions and measurable outcomes that meet objectives that the agency may not have considered. In a traditional SOW, the agency details what has to be done.
GSA Sample Work Statements
The SOW is typically used when the task is well-known and can be described in specific terms. The SOO and PWS emphasize performance-based concepts, such as desired service outcomes and performance standards. Whereas PWSs and SOOs establish high-level outcomes and objectives for performance, and PWSs emphasize outcomes, desired results and objectives at a more detailed and measurable level, SOWs provide explicit statements of work direction for the contractor to follow. However, SOWs can also be found to contain references to desired performance outcomes, performance standards and metrics, which is a preferred approach. Samples of SOOs, PWSs and SOWs can be found on the GSA Website.
Decide how to Measure and Manage Performance
Developing an approach to measuring and managing performance is a complex process that requires consideration of many factors: performance standards and measurement techniques, performance management approach, incentives and more. This component of performance-based contracting is as important as developing the SOW or the SOO, because this step establishes the strategy of managing the contract to achieve planned performance objectives.
Review the success determinants. The integrated solutions team establishes a vision of what will constitute success for the project by answering two distinct questions: Where do I want to go, and how will I know when I get there? The task now is to build the overall performance measurement and management approach on those success determinants.
Rely on commercial quality standards. Rather than inventing metrics or quality or performance standards, the integrated solutions team should use existing commercial quality standards (identified during market research), such as the International Standards Organization (ISO) 9000 or the Software Engineering Institute’s Capability Maturity Models. ISO has established quality standards (the ISO 9000 series) that are increasingly being used by U.S. firms to identify suppliers who meet the quality standards. The term “ISO 9001:2000” refers to a set of quality management standards which apply to all kinds of organizations in all kinds of areas. Some of these areas include manufacturing, processing, servicing, printing, electronics, computing, legal services, financial services, accounting, banking, aerospace, construction, textiles, publishing, energy, telecommunications, research, health care, utilities, aviation, food processing, government, education, software development, transportation, design, instrumentation, communications, biotechnology, chemicals, engineering, farming, entertainment, horticulture, consulting, insurance, etc.
The Carnegie Mellon Software Engineering Institute, a federally funded research and development center, has developed Capability Maturity Models (CMM) to “assist organizations in maturing their people, process and technology assets to improve long-term business performance.” SEI has
developed CMMs for software, people, and software acquisition, and assisted in the development of CMMs for Systems Engineering and Integrated Product Development:
CMMI Capability Maturity Model-Integration for Software
P-CMM People Capability Maturity Model
SA-CMM Software Acquisition Capability Maturity Model
SE-CMM Systems Engineering Capability Maturity Model
IPD-CMM Integrated Product Development Capability Maturity Model
The Capability Maturity Models express levels of maturation: the higher the number, the greater the level of maturity. There are five levels. Solicitations that require CMMs typically specify only level two or three. The integrated solutions team can incorporate such commercial quality standards in the evaluation and selection criteria.
Have the Contractor Propose the Metrics and the Quality Assurance Plan
One approach is to require the contractor to propose performance metrics and the quality assurance plan (QAP), rather than have the government develop it. This is especially suitable when using a SOO because the solution is not known until proposed. With a SOO, offerors are free to develop their own solutions, so it makes sense for them to develop and propose a QAP that is tailored to their solution and commercial practices. If the agency were to develop the QAP, it could very well limit what contractors can propose. After the contractor proposes it, you then review, comment and approve when it is reasonable and meets your requirements.
As the integrated solutions team considers what is required in a QAP, it may be useful to consider how the necessity for quality control and assurance has changed over time, especially as driven by acquisition reform. In short, QAPs were quite necessary when federal acquisition was dominated by low-cost selections. Think about the incentives at work: To win award but still protect some degree of profit margin, the contractor had to shave his costs, an action that could result in use of substandard materials or processes. With best-value selection and an emphasis on past-performance evaluation and reporting, entirely different incentives are at work. The regulations have changed to some degree to reflect this reality. FAR 46.102 provides that contracts for commercial items “shall rely on a contractor’s existing quality assurance system as a substitute for compliance with government inspection and testing before tender for acceptance unless customary market practices for the commercial item being acquired permit in-process inspection.”
Air Force Instruction 63-124 (August 1, 2005) addresses the concept of a performance plan and metrics:
1.4.4. A Performance Plan.
The performance plan is an evolving document whose development begins with acquisition planning, and finalized as the acquisition progresses. The members of the multi-functional team sign the performance plan. Award Fee plans containing the following elements qualify as the performance plan. The plan identifies:
1.4.4.1. Objective(s) in having the service provided, i.e., to provide quality housing maintenance to military members.
1.4.4.2. Results the multi-functional team is striving to achieve in managing the acquisition, e.g., cost savings, efficiencies and improved customer service.
1.4.4.3. A distribution of the roles and responsibilities among the multi-functional team members.
1.4.4.4. A strategy, methods and tools the multi-functional team will use to assess the contractor’s performance against the performance thresholds, measurements, metrics and incentives identified in the contract. Performance thresholds must be measurable in terms of quality and timeliness of performance.
1.4.4.5. A management approach, methods and tools the multi-functional team will routinely use to validate the objectives and goals identified as part of the Performance Plan, i.e., benchmarking, etc.
1.4.4.6. An incentive plan may be the management approach, methods and tools used to validate the objective and goals of the multi-functional team.
1.4.5. Performance metrics are to be used to track contractor progress towards meeting stated performance objectives. The multi-functional team in assessing contractor performance validates that the performance metrics align with the performance-based work statement and overall mission support objectives.
Remember the following key aspects. Performance metrics are negotiable and, wherever possible, address quality concerns by exception not inspection. Also, when contractors propose the metrics and the QAP, these become true discriminators among the proposals in best-value evaluation and source selection.
Select only a few meaningful measures on which to judge success. Whether the measures are developed by the proposing contractor or by the integrated solutions team, it is important to limit the measures to those that are truly important and directly tied to the program objectives. The measures should be selected with some consideration of cost.
For example, the team will want to determine that the cost of measurement does not exceed the value of the information – and that more expensive means of measurement are used for only the most risky and mission-critical requirements. The American Productivity and Quality Center Website states that performance measures come in many types, including economic and financial measures, such as return on investment, and other quantitative and qualitative measures. “Organizations are investing energy in developing measures that cover everything from capital adequacy and inventory turns to public image, innovation, customer value, learning, competency, error rate, cost of quality, customer contact, perfect orders, and training hours and re-engineering results.” Each measure should relate directly to the objectives of the acquisition.
Include contractual language for negotiated changes to the metrics and measures. One important step the integrated solutions team can take is to reserve the right to change the metrics and measures. One effective way to do this is for the agency and the contractor to meet regularly to review performance. The first question at each meeting should be, “Are we measuring the right thing?” This requires that the contractual documents include such provisions as value engineering change provisions, share-in-savings options or other provisions preserving the government’s right to review and revise.
Apply the contract-type order of precedence carefully. Under law and regulation, there is an order of preference in contract types used for performance-based contracting, as follows:
(i) A firm-fixed-price performance-based contract or task order.
(ii) A performance-based contract or task order that is not firm-fixed price.
(iii) A contract or task order that is not performance-based.
Agencies must take care implementing this order of precedence. “Force fitting” the contract type can actually result in much higher prices as contractors seek to cover their risks. This view is upheld by FAR 16.103(b) which indicates, “A firm-fixed-price contract, which best utilizes the basic profit motive of business enterprise, shall be used when the risk involved is minimal or can be predicted with an acceptable degree of certainty. However, when a reasonable basis for firm pricing does not exist, other contract types should be considered, and negotiations should be directed toward selecting a contract type (or combination of types) that will appropriately tie profit to contractor performance.” Clearly, the decision about the appropriate type of contract to use is closely tied to the agency’s need and can go a long way to motivating superior performance, or contributing to poor performance and results. Market research, informed business decision and negotiation will determine the best contract type. One final point: The decision on contract type is not necessarily either-or.
Remember: Be aware that a firm-fixed-price contract is not the best solution for every requirement.
Hybrid contracts – those with both fixed-price and cost-type tasks – are common. Use incentive-type contracts. Although determining the type of contract to use is often the first type of incentive considered, it is important to understand that contract type is only part of the overall incentive approach and structure of a performance-based acquisition. Other aspects have become increasingly important as agencies and contractors have moved closer to partnering relationships. Contract types differ in their allocation and balance of cost, schedule, and technical risks between government and contractor. As established by FAR Part 16 (Types of Contracts), contract types vary in terms of:
The degree and timing of the risk and responsibility assumed by the contractor for the costs of performance; and
The amount and nature of the profit incentive offered to the contractor for achieving or exceeding specified standards or goals.
Step 4. Potential Vehicles and Processes
The government’s obligation is to assess its requirements and the uncertainties involved in contract performance, and select from the contractual spectrum a contract type and structure that places an appropriate degree of risk, responsibility and incentives on the contractor for performance. At one end of the contractual spectrum is the firm-fixed-price contract, under which the contractor is fully responsible for performance costs and enjoys (or suffers) resulting profits (or losses). At the other end of the spectrum is the cost-plus-fixed-fee contract, in which allowable and allocable costs are reimbursed and the negotiated fee (profit) is fixed—consequently, the contractor has minimal responsibility for, or incentive to control, performance costs. In between these extremes are various incentive contracts, including:
Fixed-price incentive contracts (in which final contract price and profit are calculated based on a formula that relates final negotiated cost to target cost): these may be either firm target or successive targets.
Fixed-price contracts with award fees (used to “motivate a contractor” when contractor performance cannot be measured objectively, making other incentives inappropriate).
Cost-reimbursement incentive contracts (used when fixed-price contracts are inappropriate, due to uncertainty about probable costs): these may be either cost-plus-incentive-fee or cost-plus-award-fee.
Use of certain types of incentives may be limited by availability of funds. Fortunately, there are other types of incentives that can be tailored to the acquisition and performance goals, requirements and risks. For example, agencies can also incorporate delivery incentives and performance incentives, the latter related to contractor performance and/or specific products’ technical performance characteristics, such as speed or responsiveness. Incentives are based on meeting target performance standards, not minimum contractual requirements. These, too, are negotiable.

Consider “award term.” “Award term” is a contract performance incentive feature that ties the length of a contract’s term to the performance of the contractor. The contract can be extended for “good” performance or reduced for “poor” performance. Award term is a contracting tool used to promote efficient and quality contractor performance. In itself, it is not an acquisition strategy, nor is it a performance solution. As with any tool, its use requires careful planning, implementation and management/measurement to ensure its success in incentivizing contractors and improving performance. The award term feature is similar to award fee (FAR 16.405-2) contracting, where contract performance goals, plans, assessments and awards are made regularly during the life of a contract. Award term solicitations and contracts should include a base period (e.g., three years) and a maximum term (e.g., 10 years), similar to the quantity estimates used in indefinite-delivery/indefinite-quantity contracts for supplies (FAR 16.504). When applying the award term feature, agencies need to identify and understand the following aspects of the project or task:
Conditions, constraints, assumptions and complexities
Schedule, performance and cost-critical success factors
Schedule, performance and cost risks
They also need to understand marketplace conditions and pricing realities. Only then can agencies establish meaningful and appropriate schedule, performance and cost measures/parameters for a specific contract. These measures must be meaningful, accurate and quantifiable to provide the right incentives and contract performance results. Specifics need to be incorporated and integrated in an award term plan. Award term is best applied when utilizing performance- or solution-based requirements, where a SOW or SOO describes the agency’s required outcomes or results (the “what” and “when” of the agency’s requirement) and where the contractor has the freedom to apply its own management and best performance practices (the “how” of the requirement) toward performing the contract. The award term plan must specify success measurement criteria, regarding how performance will be measured (i.e., it defines what is “good” or “poor” performance) and how the award term decision is made. There should also be a clear indication of the consequences of various levels of performance in terms of the contract’s minimum, estimated and maximum terms, and the agency needs to be prepared to follow up with those consequences. If contractor performance is below the standard set, the contract ends at the completion of the base period. The agency must be prepared to re-procure in a timely fashion. The effort applied in managing an award term contract after award is critical. Too often, agencies and contractors don’t invest the right people (numbers and skills) and management attention during the contract performance phase. Managing contracts with features such as award term is not a last-minute incidental or a fill-out-a-survey job. As in the case of its “sister” award fee approach, communication needs to be constant and clear with contractors, and not include so many evaluation elements that it dilutes the critical success factors.

Consider other incentive tools. Incentives can be monetary or non-monetary. They should be positive, but include remedies, as appropriate, when performance targets or objectives are missed. Creating an incentive strategy is much the same as crafting an acquisition strategy. There is no single, perfect, “one size fits all” approach; instead, the incentive structure should be geared to the acquisition, the characteristics of the marketplace and the objectives the government seeks to achieve. While cost incentives are tied to a degree to contract-type decisions, there are other cost and non-cost incentives for the integrated solutions team to consider, such as:
Contract length considerations (options and award term)
Strategic supplier alliances
Performance-based payments
Performance-incentive bonus
Schedule incentives
Past-performance evaluation
Agency “supplier of the year” award programs
Competitive considerations
Nonperformance remedies
Value engineering change provisions
Share-in-savings strategies
Letters of commendation
Recognize the power of profit as motivator. One of the keys to effective incentives involves recognizing, and then acting on, the private sector’s chief motivator: profit. It is a simple fact that companies are motivated by generating return for their investors. One contractor was heard to say, “You give us the incentive, we will earn every available dollar.” The real opportunity is to make this work to the government’s advantage. For example, link the incentive program to the mutually agreed-to contract performance measures and metrics. Then, incorporate value engineering change provisions (VECP) or share-in-savings strategies that reward the contractor for suggesting innovations that improve performance and reduce total overall cost. Put more simply: set up the acquisition so that the contractor and the government can both benefit from economies, efficiencies and innovations delivered in contract performance. Developing an incentive strategy is a “study unto itself,” and there are some excellent guides on the subject.

Remember
Performance incentives are negotiable.
If the incentives are right, and if the contractor and the agency share the same goals, risk is largely controlled and effective performance is almost the inevitable outcome. This approach helps ensure that the contractor, driven by self-interest in winning all available award fees and award terms, is just as concerned as the agency about every element of contract performance, whether maximizing operational efficiency overall, reducing subcontract costs, or ensuring the adequacy of post-award subcontractor competition and the reasonableness of prices.

Most importantly, consider the relationship. With regard to the overall approach to contract performance management, the integrated solutions team should plan to rely less on management by contract and more on management by relationship. At its most fundamental level, a contract is much like a marriage. It takes work by both parties throughout the life of the relationship to make it successful. Consider, for example, the public-private partnership that was the Apollo Program. Other, more recent examples exist, but they all share the same common characteristics:
Trust and open communication
Strong leadership on both sides
Ongoing, honest self-assessment
Ongoing interaction
Creating and maintaining mutual benefit or value throughout the relationship
There are several means to shift the focus from management by contract to management by relationship. For example, plan on meeting with the contractor to identify ways to improve efficiency and reduce the effect of the “cost drivers.” Sometimes agencies require management reporting based on policy without considering what the requirement costs. For example, in one contract, an agency required that certain reports be delivered regularly on Friday. When asked to recommend changes, the contractor suggested that the report due date be shifted to Monday, because weekend processing time cost less. Another example is requiring earned-value reporting on every contractual process. For tasks of lesser risk, complexity and expense, a less costly approach to measuring cost, schedule and performance can be used. This type of collaborative action will set the stage for the contractor and government to work together to identify more effective and efficient ways to measure and manage the program. Another effective means is to establish a Customer Process Improvement Working Group that includes contractor, program and contracting representatives. This works especially well when the integrated solutions team’s tasks migrate into contract performance and its members take part in the working group. These meetings should always start with the question, “Are we measuring the right thing?” For major acquisitions, the team can consider the formation of a higher-level “Board of Directors,” comprising top officials from the government and its winning partner, with a formal charter that requires continual open communication, self-assessment and ongoing interaction. The intent to “manage by relationship” should be documented in a contract administration plan that lays out the philosophies and approach to managing this effort, placing special emphasis on techniques that enhance the ability to adapt and incorporate changes.
Select the Right Vendor
Developing an acquisition strategy that will lead to selection of the “right contractor” is especially important in performance-based acquisition. The contractor must understand the performance-based approach, know or develop an understanding of the agency’s requirement, have a history of performing exceptionally in the field, and have the processes and resources in place to support the mission. This goes a long way toward successful mission accomplishment. In fact, selecting the right contractor and developing a partnership automatically solves many potential performance issues. Keep in mind that large businesses have not “cornered the market” on good ideas. Small firms can be nimble, quick thinking and very dedicated to customer service. While there is a cost in proposing solutions, a small business with a good solution can win performance-based awards. Also, do not think you are limited to companies that specialize in the federal market. Information obtained from market research sessions has shown that commercial companies, or the commercial divisions of companies that do both federal and commercial business, often have significantly more experience with performance-based service delivery methods and techniques. While there are many aspects to crafting an acquisition strategy, among the most important for performance-based acquisition are to “compete the solution,” use “downselection” and due diligence, evaluate heavily on past performance information and make a best-value source selection decision.

Compete the solution. Too many government-issued statements of work try to “solve the problem.” In such cases, the agency issues a detailed SOW, often with the assumption that “the tighter the spec the better,” without realizing that this approach increases the government’s risk. The agency SOW establishes what to do, how to do it, what labor categories to provide, what minimum qualifications to meet and how many hours to work. The agency then asks vendors to respond with a “mirror image” of the specifications in the proposal. The result is that the “competing” vendors bid to the same government-directed plan, and the agency awards the contract to the company with the best proposal writers, not the best ideas. So the first key to selecting the right contractor is to structure the acquisition so that the government describes the problem that needs to be solved and vendors compete by proposing solutions. The quality of the solution and the contractor-proposed performance measures and methodology then become true discriminators in best-value evaluation.

Use downselection and due diligence. Responding to a performance-based solicitation, especially a SOO that seeks contractor-developed solutions, is substantial work for contractors. Likewise, evaluation of what may be significantly different approaches or solutions is much more substantial work for the integrated solutions team. The team will have to understand the contractor-proposed solutions, assess the associated risks and likelihood of success, identify the discriminators and do the best-value tradeoff analysis. Because of this, the acquisition strategy should consider some means of “downselection,” or limiting the competitive pool, so that only those contractors with a significant likelihood of winning the award will go through the expense of developing proposals. For the integrated solutions team, evaluating dozens of solution-type proposals would be overly burdensome. “Downselection” is a means of limiting the competitive pool to those contractors most likely to offer a successful solution.
There are two primary means of downselection in current acquisition methodology: (1) using the Federal Supply Schedules (FSS) Multiple Award Schedule (MAS) competitive process and (2) using the “fair opportunity” competitive process under an existing Governmentwide Acquisition Contract (GWAC) or multiple-award contract (MAC). Even in full and open competitions, there are means of limiting the competitive pool, providing competition as well as efficiency and cost effectiveness for the government and contractors. Many in the acquisition community are familiar with the establishment of a competitive range. But there is another technique: using the multistep advisory process in a negotiated procurement. All these methods provide a means to establish a small pool of the most qualified contractors, competing to provide the solution. In each case, the approach leverages competition previously conducted. Once the competing pool of contractors is established, those contractors enter a period called due diligence. Due diligence is the term used in acquisitions to describe the period and process during which competitors take the time and make the effort to become knowledgeable about an agency’s needs in order to propose a competitive solution. It usually includes site visits, meetings with key agency people, and the research and analysis necessary to develop a competitive solution tailored to agency requirements. During this time, the competing contractors must have access to the integrated solutions team and program staff, so that the contractors can learn as much as possible about the requirement. It is a far more open period of communication than is typical in more traditional acquisitions.
Use oral presentations and other opportunities to communicate. One streamlining tool that eases the job of evaluation is the use of oral presentations (characterized by “real-time interactive dialogue”). These presentations provide information about the contractor’s management and/or technical approach that the integrated solutions team will use in evaluation, selection and award. Agencies have said that oral presentations remove the “screen” that professional proposal writers can erect in front of the contractor’s key personnel. The integrated solutions team should take full advantage of “face time” by requiring that the project manager and key personnel (those who will do the work) make the presentations. This gives agency evaluators an opportunity to see part of the vendor-proposed solution team, to ask specific questions, and to gauge how well the team works together and would be likely to work with the agency.

Oral presentations provide “face time,” permitting the integrated solutions team to assess prospective contractors.
Tip
Oral presentations can lay out the proposed solution and the contractor’s capability and understanding of the requirement. Oral presentations may substitute for, or augment, written information. However, it’s important to remember that statements made in oral presentations are not binding unless written into the contract. Note that oral presentations should be recorded in some way.

Communication with offerors is an important element of selecting the right contractor. Despite this fact, it is “trendy” in negotiated procurements to announce the intent to award without discussions. Given the complexities associated with performance-based proposals (i.e., different approaches and different performance metrics), it is nearly impossible to make a sound award without conducting discussions. While awarding without discussions may save time, it is important to use discussions to fully understand the quality of the solution, the pricing approach, the incentive structure and even the selection itself.

Emphasize past performance in evaluation. A contractor’s past performance record is arguably the key indicator for predicting future performance. As such, it is to the agency’s advantage to use past performance in evaluating and selecting contractors for award. Evaluation of past performance is particularly important for service contracts. Properly conducted, the collection and use of such information provides significant benefits. It enhances the government’s ability to predict both performance quality and customer satisfaction. It also provides a powerful incentive for current contractors to maximize performance and customer satisfaction. Past performance information can come from multiple sources. The most familiar methods include asking the offerors to provide references and seeking information from past performance information databases. The Past Performance Information Retrieval System, or PPIRS, is the government-wide repository for past performance information.
It ties together a number of databases that were formerly independent of one another. There are other means of obtaining past performance information for evaluation. One very important means is through market research. Call counterparts in other agencies with similar work and ask them for the names of the best contractors they’ve worked with. Are there industry awards in the field of work? Who has won them? In fact, ask offerors to identify their awards and events of special recognition. Look for industry quality standards and certifications, such as ISO 9000 and SEI CMM® (discussed in step five). Ask offerors what they do to track customer satisfaction and to resolve performance issues. Is there an established and institutionalized approach? In short, the integrated solutions team must take past performance more seriously than just calling a few references. Make the answers to these questions part of the request for proposals. Rather than have a separate past performance team, integrate this evaluation into the technical and management proposal evaluation effort. When used in the source selection evaluation process, past performance evaluation criteria must provide information that allows the source selection official to compare the “quality” of offerors against the agency requirement, and to assess the risk and likelihood of success of the proposed solution and of contractor performance. This requires the information to be relevant, current and accurate. For example, the information requested of the contractor and evaluated by the integrated solutions team should be designed to determine how well, in contracts of similar size, scope and complexity, the contractor:
Conformed to the contract requirements and standards of good workmanship.
Adhered to contract schedules.
Forecasted and controlled costs.
Managed risk.
Provided reasonable and cooperative behavior and commitment to customer satisfaction.
Demonstrated business-like concern for the interest of the customer.
The answers to this list provide the source selection authority with information to make a comparative assessment for the award decision.

Use best-value evaluation and source selection. “Best value” is a process used to select the most advantageous offer by evaluating and comparing factors in addition to cost or price. It allows flexibility in selection through tradeoffs which the agency makes between the cost and non-cost evaluation factors, with the intent of awarding to the contractor that will give the government the greatest or best value for its money. Note that “the rules” for the best-value and tradeoff process (and the degree of documentation required) depend on two factors: the rules for the specific acquisition process being used and the rules the agency sets in the solicitation. For example, when conducting a negotiated procurement, the complex processes of FAR Subpart 15.1, “Source Selection Processes and Techniques,” and FAR Subpart 15.3, “Source Selection,” apply. When using Federal Supply Schedule contracts, the simpler provisions at FAR 8.404 apply. However, if the agency writes FAR 15-type rules into a Request for Quote under Federal Supply Schedule contracts, the rules in the RFQ control.
The integrated solutions team should consider including factors, such as the following, in the evaluation model:
Quality and benefits of the solution
Quality of the performance metrics and measurement approach
Risks associated with the solution
Management approach and controls
Management team (limited number of key personnel)
Past performance (how well the contractor has performed)
Past experience (what the contractor has done)
The Government Accountability Office (GAO) acknowledges broad agency discretion in selection; therefore, the integrated solutions team evaluators and the source selection authority should expect to exercise good judgment. Quite simply, best-value source selection involves subjective analysis. It cannot, and should not, be reduced to a mechanical, mathematical exercise. The following, derived from GAO protest decision B-284270, reflects just how broad agency discretion is:
Source selection officials have broad discretion to determine the manner and extent to which they will make use of the technical and price evaluation results in negotiated procurements.
In deciding between competing proposals, price/technical tradeoffs may be made; the propriety of such tradeoffs turns not on the difference in technical scores or ratings per se, but on whether the source selection official’s judgment concerning the significance of that difference was reasonable and adequately justified in light of the RFP evaluation scheme.
The discretion to determine whether the technical advantages associated with a higher-priced proposal are worth the price premium exists notwithstanding the fact that price is equal to or more important than other factors in the evaluation scheme.
In best-value procurement, an agency’s selection of a higher-priced, higher-rated offer should be supported by a determination that the technical superiority of the higher-priced offer warrants the additional cost involved.
Assess solutions for issues of conflict of interest. An “organizational conflict of interest” (OCI, addressed in FAR Subpart 9.5) exists when a contractor is or may be unable or unwilling to provide the government with impartial or objective assistance or advice. An organizational conflict of interest may result when factors create an actual or potential conflict of interest on a current contract or a potential future procurement. While concerns about organizational conflict of interest are important, they should be tempered by good business sense. For example, sometimes software development is done in stages. Organizational conflict of interest rules would suggest that the contractor that did the initial systems design work be precluded from the follow-on code development because of its unfair competitive advantage. However, this would also mean that the agency is excluding from consideration the contractor with the best understanding of the requirement. In this case, perhaps the acquisition approach should be reconsidered to allow the definer of the requirements to continue with the development. Whatever approach is taken, the contracting officer should identify and evaluate the potential conflict as early as possible and document how it was avoided, neutralized or mitigated.
Manage Performance
The final step of the seven phases of performance-based acquisition is the most important. Unlike legacy processes, where the contract is awarded and the team disperses, there is a growing realization that “the real work” of acquisition is in contract management. This requires that agencies allocate sufficient resources, in both the contracting and program offices, to do the job well. This is largely a problem of resource allocation and education. Again, legacy processes are much to blame. Many contracting staff learned their job when the culture was to maintain an arm’s-length distance (or more) from contractors and, by all means, to limit the amount of contact the contractor had with program people.
Must Do Effective contract management is a mission-critical agency function. This goes to the heart of the need to maintain sufficient core capability in the federal government to manage its programs.
That approach won’t work in today’s environment and especially not in performance-based acquisition. The contractor must be part of the acquisition team itself – a reality recognized by the guiding principles of the federal acquisition system. FAR 1.102(c) provides: The Acquisition Team consists of all participants in government acquisition including not only representatives of the technical, supply and procurement communities but also the customers they serve, and the contractors who provide the products and services. If the contractor is flying blind in performance, then the agency will soon fly blind and without landing gear when the contract is over.
Keep the team together. To be successful in performance-based acquisition, the agency must retain at least a core of the integrated solutions team on the project for contract management. Those on the team have the most knowledge, experience and insight into what needs to happen next and what is expected during contract performance. Contract award is not the final measure of success. Effective and efficient contract performance that delivers a solution is the goal. The team should stay together to see that end reached.

Acquisition team members are expected to collaborate with all requisite external organizations in order to provide the best possible service to the citizens. The most notable example, 20 years in the making, is the USDA’s food stamp program. The federal government collaborated with state and local governments, banks and supermarkets to move away from paper food stamps to debit cards. Not only has this helped to ease the “stigma” of food stamps, it has significantly reduced fraud.

Adjust roles and responsibilities. Often the members of the acquisition team take on new roles during the contract performance phase. Typically, these responsibilities are shared between the program office and contracting office. Given that the purpose of any acquisition (in part) is “to deliver on a timely basis the best value product or service to the customer” (as provided in FAR 1.102), meeting this objective requires the continued involvement of the program office in duties classified as contract administration, as well as those more accurately described as program (or project) management.
Program management is concerned with maintaining the project’s strategic focus, and monitoring and measuring the contractor’s performance. The integrated solutions team is ultimately responsible for ensuring that the contractor performs on time and within budget. On smaller acquisitions, the contracting officer’s technical representative (COTR) may fill this role. Contract administration involves the execution of the administrative processes and tasks necessary to see that the contractual requirements are met, by both contractor and agency. FAR Subpart 42.3 identifies the numerous but specific contract administration functions that may be delegated by the contracting office to a contract administration office and, in turn, to a specific individual.

Assign accountability for managing contract performance. Just as important as keeping the team together is assigning roles and responsibilities to the parties. Contracting officers have certain responsibilities that can’t be delegated or assumed by the other members of the team. These include, for example, making any commitment relating to an award of a task, modification or contract; negotiating technical or pricing issues with the contractor; or modifying the stated terms and conditions of the contract. Some roles and responsibilities are decreed; for example, agencies are required to establish capability and training requirements for contracting officers’ technical representatives (COTRs). Make sure the people assigned the most direct roles for monitoring contract performance have read and understand the contract and have the knowledge, experience, skills and ability to perform their roles. In performance-based organizations, they are held accountable for the success or failure of the program they lead.
They should know the program needs in depth, understand the contractor’s marketplace, be familiar with the tools the contractor is using to perform, and have good interpersonal skills and the capability to disagree constructively. Enhanced professionalism in contract performance management is on the horizon. In November 2003, the Services Acquisition Reform Act (SARA) was passed with a number of noteworthy provisions. As called for in SARA, a fund has been established (in FY2005) to ensure government program managers are properly trained and certified to manage large projects. The fund is managed under the direction of the Office of Federal Procurement Policy and the Federal Acquisition Institute’s Board. Certified project managers’ names will appear on OMB Form 300 submissions. Information on certification programs can be found at www.pmi.org. These requirements are part of a larger effort to link budget to performance, and to improve project management in order to reduce or eliminate wasteful spending.

Add the contractor to the team at a formal “kick-off” meeting. It is often advisable, and sometimes required by the contract, to conduct a “kick-off” meeting or, more formally, a “post-award conference,” attended by those who will be involved in contract performance. Even though a post-award conference may not be required by the contract, it is an especially good idea for performance-based contracts. This meeting can help both agency and contractor personnel achieve a clear and mutual understanding of contract requirements, and further establish the foundation for good communications and a win-win relationship. It is very important that the contractor be part of the integrated solutions team, and that agency and contractor personnel work closely together to fulfill the mission and program needs.
Apply the Six Disciplines of Performance-Based Management™

Performance-based acquisition requires “a uniquely disciplined approach to managing contract performance and to program management – one that is laser-focused on strategic mission outcomes and results.” In short, performance-based acquisition requires performance-based management, concludes an Acquisition Solutions® Advisory, and the application of certain disciplines to the process. You must align your organization strategically, prepare your people, ensure that everyone understands the “rules” and their roles, set up good communications processes, recognize that there will be risk to be managed, and put in place a framework for measuring performance that lets you understand where you’ve been, where you are, where you need to go—and why. The six disciplines are:

1. Cultural Transformation – Proactively manage the organizational and cultural changes integral to the success of the initiative;
2. Strategic Linkage – Provide a consistent vision throughout the organization, making sure the desired results reflect organizational strategic goals;
3. Governance – Establish roles, responsibilities and decision-making authorities for project implementation;
4. Communications – Identify the content, medium and frequency of information flow to all stakeholders;
5. Risk Management – Identify, assess, monitor and manage risks; and
6. Performance Monitoring – Analyze and report status (cost, schedule and performance) on a regularly scheduled basis during project execution.

Applying these disciplines to contract management helps drive “performance and results throughout an agency’s culture and business operations” and enhances the achievement of mission results.
Must Do

Measuring and managing a project to the attainment of performance goals and objectives requires the continued involvement of the acquisition team, especially the program manager.
Regularly review performance in a Contract Performance Improvement Working Group. Performance reviews should take place regularly, and that means much more than the annual “past performance” reviews required by regulation. These are contract management performance reviews, not for formal reporting and rebutting, but for keeping the project on course, measuring performance levels and making adjustments, as necessary. For most contracts, monthly or bi-monthly performance reviews would be appropriate. For contracts of extreme importance or contracts in performance trouble, more frequent meetings may be required. It also requires considerable involvement by the acquisition team’s new members – contractor personnel.

Ask the right questions. It is important to keep the focus of the meetings on improving performance, not evaluating people. Each meeting should start with the questions, “Are we measuring the right thing?” and “How are we doing?” It is important to continually revisit the success measures the team identified during step two. Other important questions are:
Is the acquisition achieving its cost, schedule and performance goals?
Is the contractor meeting or exceeding the contract’s performance-based requirements?
How effective is the contractor’s performance in meeting or contributing to the agency’s program performance goals?
Are there problems or issues that we can address to mitigate risk?
There should be time in each meeting where the agency asks, “Is there anything we are requiring that is affecting the job you can do in terms of quality, cost, schedule or delivering the solution?” Actions discussed should be recorded for the convenience of all parties, with responsibilities and due dates assigned.

Report on the contractor’s “past performance.” There are many types of performance reporting that may be required of the integrated solutions team. For example, agency procedures may establish special requirements for acquisition teams to report to the agency’s investment review board regarding the status of meeting a major acquisition’s cost, schedule and performance goals (as required by the Federal Acquisition Streamlining Act). The team may also be responsible for performance reporting under the Government Performance and Results Act, if the contractor’s performance directly supports a GPRA performance goal. Refer to internal agency guidance on these processes. However, one type of performance reporting requirement, evaluation of the contractor’s performance, is dictated by the contract terms and conditions and by FAR 42.15. This requirement is generally referred to as past-performance evaluation. The FAR now requires that agencies evaluate contractor performance for each contract in excess of $100,000. The performance evaluation and report is shared with the contractor, who has an opportunity to respond before the contracting officer finalizes the performance report. In well-managed contracts, there has been continual feedback and adjustment, so there should be no surprises on either side.
Some Existing Federal Procurement Vehicles

Currently, the government often purchases commodities in a fragmented non-aggregated fashion, operating more like a federation of small businesses than an $80-billion enterprise. To improve readiness for cloud computing, the federal government will facilitate an “approve once and use often” approach to streamline the approval process for cloud service providers. For instance, a government-wide risk and authorization program for IaaS solutions will allow agencies to rely on existing authorizations so only additional, agency-specific requirements will need to be authorized separately. The GSA’s IaaS contract award is an example of this “approve once and use often” approach. It offers 12 approved cloud vendors to provide agencies with cloud storage, virtual machines and Web hosting services. Approaches such as this will eliminate unnecessary cost and delivery delays associated with duplication of effort.

As the number of government cloud vendors increases, GSA will provide comparison tools to transparently compare cloud vendors side-by-side. These tools will allow agencies to quickly and effectively select the best offering for their unique needs. Examples include Apps.gov, which provides a centralized storefront where agencies can easily browse and compare cloud SaaS and IaaS offerings from previous Multiple Award Schedule (MAS) 70 contract holders. Tools such as these will reduce the burden on agencies to conduct their own RFP processes and will concentrate investments in the highest-performing cloud vendors.

Furthermore, GSA will establish contract vehicles for government-wide commodity services (e.g., email). These contract vehicles will reduce the burden on agencies for the most common IT services. GSA will also create working groups to support commodity service migration. These working groups will develop technical requirements for shared services to reduce the analytical burden on individual government agencies. For example, the SaaS E-mail working group established in June 2010 is synthesizing requirements for government-wide email services. Working groups will also create business case templates for agencies that are considering transitioning to cloud technologies.

Federal government contracts will also provide riders for state and local governments. These riders will allow all of these governments to realize the same procurement advantages of the federal government. Increasing membership in cloud services will further drive innovation and cost efficiency by increasing market size and creating larger efficiencies-of-scale.
GSA and Customer Focus Progress

The GSA has launched an all-out effort to encourage customers to use their acquisition services and contracts. Steve Kempf, commissioner of GSA’s Federal Acquisition Service, has been meeting with senior military and acquisition officers, and his staff is conducting focus groups to get input from customers. “All of that is really about the customer and being a better partner with them,” Kempf said.
One of the major current priorities of GSA is promoting its cloud computing services.
GSA Schedule 70 IT Services, Software

IT Schedule 70 is the largest, most widely used acquisition vehicle in the federal government. Industry partners offer a comprehensive array of IT products, services and solutions. Schedule 70 is an indefinite delivery indefinite quantity (IDIQ) multiple award schedule providing direct access to IT products and services from over 5,000 industry partners.

Why Consider IT Schedule 70?
Wide variety of products and services
Contractor team arrangements allow industry partners to collaborate
Easy compliance with the Federal Acquisition Regulation (FAR)
Easy online ordering through GSA e-Tools
Responsive regional GSA representatives
Blanket Purchase Agreements allow customers to fulfill repetitive needs under GSA Schedule contracts
GSA Alliant Program (for IT Services)

Alliant is a multiple award, indefinite delivery, indefinite quantity (IDIQ) GWAC with a $50-billion program ceiling and a five-year base period (with one five-year option). All contract types are allowed: fixed price, cost reimbursement, labor hour, and time and materials. Alliant’s comprehensive IT services-based scope is directly aligned to the Federal Enterprise Architecture (FEA) and Department of Defense Enterprise Architecture (DoDEA), ensuring that emerging technologies will remain within scope over the life of the contract. The Alliant contract is flexible and can be easily customized at the order level to construct a solution that manages risk through contract types and applicable CLIN structures suitable to your requirement. Government customers may also add agency-specific clauses at the order level when developing their order requirements. Alliant provides access to strategic solutions, such as:
Cybersecurity
Information assurance
Virtualization
Sustainability
Health IT
Cloud computing
IPv6
Web 2.0
Why Alliant?
Cost savings: Streamlined ordering procedures save time and money by reducing procurement lead time.
Innovation and efficiency: Alliant is aligned with the Federal Enterprise Architecture (FEA) and Department of Defense Enterprise Architecture (DoDEA), ensuring emerging technologies and all enterprise activities contributing to an overall IT mission are within the intended scope of the contract. Adopting FEA/DoDEA as the contract cornerstone allows agencies to efficiently translate modeled designs to actual field solutions in new and innovative ways.
Industry partner pool: Alliant’s diverse industry partner pool provides access to a wide spectrum of qualified IT industry partners.
Solutions-driven: Facilitates integrated IT solutions by allowing ancillary support services and equipment when it is integral and necessary to the IT effort.
Task order support: Scope compatibility reviews are offered by the Alliant scope review team for Statements of Work, Performance Work Statements, and Statement of Objectives upon request and at no cost. Responses will be received in writing within one to two days.
Low contract access fee: 0.75% contract access fee; direct order fee capped at $150K annually.
GSA and IaaS

Federal, state, local and tribal governments have access to cloud-based Infrastructure as a Service (IaaS) offerings through the government’s cloud-based services storefront, Apps.gov. GSA’s IaaS contract award allows vendors to provide government entities with cloud storage, virtual machines and Web hosting services to support a continued expansion of governments’ IT capabilities into cloud computing environments.

“Offering IaaS on Apps.gov makes sense for the federal government and for the American people. Cloud computing services help to deliver on this Administration’s commitment to provide better value for the American taxpayer by making government more efficient,” said former Federal Chief Information Officer Vivek Kundra. “Cloud solutions not only help to lower the cost of government operations, they also drive innovation across government.”

Each year, the government spends tens of billions of dollars on IT products and services, with a heavy focus on maintaining current infrastructure needs and demands. A major element of every federal agency’s IT infrastructure includes storage, computing power and Website hosting. These Cloud Infrastructure offerings can be a way for agencies to realize cost savings, efficiencies and modernization without having to expend capital resources expanding their existing infrastructure. On Apps.gov, IaaS offerings include on-demand self-service that allows government entities to utilize and discontinue use of products when and as needed. Resource pooling for practically unlimited storage and automatic monitoring of resource utilization are also features. IaaS offerings are also provided with rapid elasticity for real-time, customizable scaling of service and automatic provisioning of virtual machines, storage and bandwidth, and visibility into service usage and order management through measured services.
Prior to making IaaS products available through Apps.gov, vendors had to complete the Certification & Accreditation (C&A) process at the FISMA Moderate Impact Data security level as administered by GSA. Having been granted authority to operate, services are available for purchase by government entities through the Apps.gov storefront.

“Through offerings such as IaaS, GSA is providing government entities with easy access to cost-saving, high-value and more efficient technology solutions by doing a major part of the procurement processes upfront,” said GSA Associate Administrator of Citizen Services and Innovative Technologies, Dave McClure. “By continuously working with industry, GSA’s cloud-based services available through Apps.gov are secure, compliant and save taxpayer dollars by reducing duplication of security processes across government.”

Awarded vendors have assembled skilled teams that will support the development of quality services for government agencies. Awarded vendors and their associated teams include:
Apptis Inc. partnered with Amazon Web Services
AT&T
Autonomic Resources partnered with Carpathia Hosting, Inc., Enomaly, and Dell
Carahsoft partnered with Carpathia Hosting, Inc.
CGI Federal, Inc.
Computer Literacy World partnered with XO Communications, Electrosoft and Secure Network Systems
Computer Technologies Consultants partnered with SoftLayer, Inc.
Eyak Tech LLC partnered with Horizon Data Center Solutions
General Dynamics Information Technology partnered with Carpathia Hosting, Inc.
Insight Public Sector partnered with Microsoft
Savvis Federal Systems
Verizon Federal, Inc.
In order to proceed with any IaaS implementation, the agency must do its internal review process (described later), the government must complete the Assessment and Authorization of the vendor and the agency needs to complete a work statement (SOO or SOR). The agency may still use competition among the approved vendors.

NASA - SEWP IV Helps the Cloud-First Mandate

When NASA officials created the Solutions for Enterprise-Wide Procurement (SEWP) IV government-wide acquisition contract (GWAC), they were not necessarily thinking about cloud computing, but they included in the contract’s scope of work technologies that today are essential to the cloud, such as virtual computing and virtual storage. “We didn’t have the words ‘cloud computing’ in the contract, but we had all of the pieces as part of the SEWP capability and scope,” said the SEWP IV program manager. The ability to provide the IT products and solutions required for cloud computing is extremely important to both the SEWP IV program and its agency customers, who are fulfilling federal mandates to put in place new cloud programs and services. Federal agencies have already begun using SEWP IV to help meet federal cloud computing goals. NASA’s private cloud solution, Nebula, was purchased through SEWP IV. Nebula, which is an open-source cloud computing platform, provides NASA scientists with infrastructure as a service for scalable computing and storage for science data and Web-based applications.

The SEWP IV program is a user of cloud services. SEWP IV’s new Web-based customer service software is outsourced to a cloud provider, as is its FAQ page. The program manager said that using NASA’s cloud services for disaster recovery and other requirements is being considered. “The cloud works. Software as a service works,” said the SEWP IV program manager.

Authorized Users of the GSA Schedule

The following entities are authorized to purchase from the GSA Federal Supply Schedules.

Federal Agencies
Establishments in the Legislative or Judicial Branch
Executive Agencies
Executive Departments
Wholly Owned Government Corporations
Independent Establishments in the Executive Branch
The Senate
The House of Representatives
Activities Under the Direction of the Architect of the Capitol
Mixed-Ownership Government Corporations
District of Columbia
Organizations Authorized Under the Authority of 40 U.S.C. 501-502
Cost-reimbursement contractors (and sub-contractors) as properly authorized
Cost-reimbursement or fixed-price contractors’ use of GSA Fleet vehicles and related services
Fixed-price contractors (and sub-contractors) purchasing security equipment
Non-federal firefighting organizations cooperating with the Department of Agriculture, Forest Service
Tribes and Tribal Organizations
Qualified Nonprofit Agencies for the Blind or Other Severely Handicapped
Qualified nonprofit agencies for the blind or other severely handicapped may make purchases under the GSA Federal Supply Schedule for use in making or providing an approved commodity or service to the government. Qualified nonprofit agencies are those that are organized under the laws of the United States or of any state, operated in the interest of blind individuals/other severely handicapped individuals, and the net income of which does not inure in whole or in part to the benefit of any shareholder or other individual; that comply with any applicable occupational health and safety standard prescribed by the Secretary of Labor; and which in the production of commodities and in the provision of services (whether or not the commodities or services are procured under this Act) during the fiscal year employ blind individuals/other severely handicapped individuals for not less than 75 per centum of the man-hours of direct labor required for the production or provision of the commodities or services.

Other Organizations
Entities Authorized Under the Foreign Assistance Act (FAA) – for civilian use only
Military Commissaries & Non-Appropriated Fund Activities – for own use only, not for resale unless otherwise authorized by the individual federal agency and agreed upon by GSA
Certain Institutions:
Howard University
Gallaudet University
National Technical Institute for the Deaf
American Printing House for the Blind
Governments Authorized Under 48 U.S.C. 1469e which includes the governments of:
American Samoa
Guam
Commonwealth of the Northern Mariana Islands
U.S. Virgin Islands
State and Local Government use of GSA Schedule

State and local governments are authorized to make purchases under the GSA Schedules in certain circumstances. While state and local government may eventually be granted unrestricted use of the GSA Schedules, they must currently qualify under one of the following:

Cooperative Purchasing

Cooperative Purchasing allows state and local government to make purchases under the GSA Information Technology (IT) Schedule 70, the GSA Security Schedule 84, and from contracts under the Consolidated Schedule that contain IT special item numbers (SINs). Cooperative Purchasing is unique in that it does not place restrictions on the type of purchase – state and local government may make purchases under Schedule 70, Schedule 84, and IT SINs under the Consolidated Schedule at any time, for any reason.
Disaster Recovery Purchasing

Disaster Recovery Purchasing allows state and local government to make purchases under any GSA Schedule to facilitate recovery from nuclear, biological, chemical or radiological attacks; terrorism; or major disasters declared by the president.

1122 Program

The 1122 Program allows state and local government to purchase specific equipment under select GSA Schedules for use in the performance of counter-drug activities.

Public Health Emergencies

Public Health Emergencies allows state and local government to make purchases under any GSA Schedule when expending federal grant funds in response to Public Health Emergencies declared by the Secretary of Health and Human Services.

What entities qualify as state and local government?

State and local governments are defined by the General Services Administration Acquisition Manual (GSAM) and include the following:
The 50 United States
Counties
Municipalities
Cities
Towns and townships
Tribal governments
Public authorities (including public or Indian housing agencies under the United States Housing Act of 1937)
School districts
Colleges and other institutions of higher education
Council of governments (incorporated or not)
Regional or interstate government entities
Any agency or “instrumentality” of preceding entities (including any local educational agency or institution of higher education)
Legislative and Judicial departments
It is worth noting that unlike contractors and grantees of federal agencies, contractors and grantees of state and local governments are not eligible to make purchases under the GSA Schedules.
Apps.gov – What Type of Solution Do You Need?

Apps.gov is a comprehensive Website hosted by the GSA which details the full range of cloud services that are available – from business and productivity applications, to storage hosting and social media. In most cases these services are offered as a monthly or even hourly use service. Billing for these services is typically monthly, based upon use, and may require close monitoring of your monthly purchase card spending limits. For Cloud FAQs go to www.apps.gov.
Some Government Solutions

Federal Agencies Migrating to the Cloud

In May 2011, the Office of Management and Budget identified 78 services at various government agencies that were being moved to the cloud. Former Federal CIO Vivek Kundra testified before the Senate Committee on Homeland Security in May 2011, that federal agencies had identified 100 collaborative services for migration to the cloud. In reality, every federal agency is looking at ways to cut costs and improve services by moving to the cloud.

GSA and Email

GSA was the first federal agency to move email to a cloud-based system agency-wide. It will reduce inefficiencies and lower costs by 50 percent over the next five years. GSA awarded the $6.7 million, five-year task order to Unisys Corp. under the Alliant Government-wide Acquisition Contract. Unisys has partnered with Google, Tempus Nova and Acumen Solutions. “Cloud computing has a demonstrated track record of cost savings and efficiencies,” said Casey Coleman, GSA Chief Information Officer. “With this award, GSA employees will have a modern, robust email and collaboration platform that better supports our mission and our mobile work force, and costs half as much.” The contract provides for an easily accessible suite of services, including email and collaboration tools, to facilitate a more mobile work force. While agencies have moved sub-entities’ emails to the cloud, GSA is the first to utilize a cloud-based system for email agency-wide. The migration will result in a 50 percent savings over the next five years when compared to current staff, infrastructure and contract support costs, he said. “GSA’s cloud email award is in step with the Administration’s ‘Cloud First’ strategy and demonstrates that agile, secure, reliable and cost effective cloud options exist to rapidly improve agency operations and services,” said Dave McClure, GSA Associate Administrator of the Office of Citizen Services and Innovative Technologies.
Cybersecurity Awards from GSA and DHS

The Homeland Security Department and the General Services Administration have named 14 companies to a blanket purchase agreement to help agencies implement the Risk Management Framework for cybersecurity. The companies will compete for task orders. Each BPA has a ceiling of $58 million, GSA said.
The winners are:
Apptis, Inc.
Booz Allen Hamilton, Inc.
Deloitte Consulting, LLP
DSD Laboratories, Inc.
Dynamics Research Corp.
G&B Solutions, Inc.
Global Network Systems
Knowledge Consulting Group, Inc.
SecureInfo Corp.
Securicon, LLC
Tantus Technologies, Inc.
Telos Corp.
Tetrad Digital Integrity
Veris Group, LLC
The BPAs will be used by agencies to implement the Risk Management Framework outlined by the National Institute of Standards and Technology SP 800-37. The NIST program provides a framework for improving information security and risk management processes. Services under the BPAs include security categorization, security control selection and implementation, security control assessment, information system authorization, and security control monitoring. The BPAs can be used by state, local and tribal governments, as well as all defense and civilian agencies.
Other Agencies’ Cloud Implementations

U.S. Army

In 2008, the Army Experience Center (AEC) realized that it needed a new Customer Relationship Management (CRM) system to track personal and electronic engagements with prospects and help recruiting staff manage the recruitment process. After considering several options including upgrading their 10-year-old legacy proprietary data system, the Army chose a customized version of a commercially available SaaS solution from Acumen Solutions. This solution met their unique security needs, fulfilled all of their functionality requirements, and was delivered at a fraction of the time and expense required to upgrade their legacy system. The Army followed many of the key factors when migrating toward their cloud solution.

Selecting a Cloud Solution

The Army placed a very high priority on security when considering its CRM solution. Before choosing a cloud solution, the AEC carefully weighed the sources of value and readiness of potential solutions.

Efficiency: The AEC compared the cost of upgrading their existing system to configuring a new SaaS solution. Initial bids to upgrade the existing system, ARISS, which relied on traditional infrastructure, ranged from $500,000 to over $1 million. Initial pilots of the SaaS solution cost as little as $54,000, just over 10 percent of the minimum cost of an ARISS system upgrade.

Agility: The AEC also considered the time required to deploy the system. Despite regular upgrades over the years, it was infeasible to modify ARISS to meet the Army Experience Center’s requirements. The SaaS solution could be provisioned in a fraction of the time required to upgrade the ARISS system. The SaaS solution was also more scalable and would be far easier to upgrade over time.

Innovation: The SaaS solution integrated directly with email and Facebook, allowing recruiters to connect with participants more dynamically after they left the AEC. Army recruiters could also access information from anywhere. These advancements would have been very costly and time-consuming to achieve with ARISS system upgrades. In effect, the SaaS solution allowed the AEC to take advantage of the cloud vendor’s innovation engine without owning or managing heavy IT assets.

Security: The AEC ensured the cloud solution would be sufficiently secure. The SaaS solution was flexible and could be configured to securely manage access, sovereignty and data retention requirements.

Market availability: The SaaS solution was able to meet all of the AEC’s requirements including the ability to track AEC visitor and engagement data, compatibility with handheld devices, and real-time integration with marketing and recruitment data.

Government readiness: The AEC ensured that it was both capable and ready to migrate their services to the cloud. The AEC had experience implementing new technologies, had a culture that supported experimentation and improvement, and possessed the skills and capacity to manage the transition well.

Technology lifecycle: The AEC also evaluated the lifecycle of its legacy solution. The legacy ARISS system was more than 10 years old in 2008 and was not burdened by contract lock-down.

Provisioning IT services: During provisioning, the AEC took an approach which was distinctly different from the Army’s former approach with ARISS. This approach reflected the service-based rather than asset-based nature of the cloud service.

Integrate services: As the Army transferred its recruitment system to the cloud, it carefully engineered its relationship with the vendor to ensure a successful migration.

Realize value: With the cloud-based solution, the AEC has been able to handle the workload of five traditional recruitment centers. The system has also resulted in dramatically reduced hardware costs and IT staff costs. The Army has decommissioned, or re-purposed for other systems, all hardware related to the legacy ARISS system. Its people have been spending more time on more rewarding and higher-value activities, shifting time from filing reports to engaging with potential recruits.
Defense Information Systems Agency The Defense Information Systems Agency (DISA) provides global infrastructure services to support U.S. and coalition fighting forces. To better meet the needs of defense-related computing needs domestically and in the field, DISA decided to deploy its own Infrastructure-as-a-Service (IaaS) solution. DISA’s Rapid Access Computing Environment (RACE) has redefined defense infrastructure from an asset management function to a service provisioning function. Since the inception of the cloud-based solution, hundreds of military applications including command and control systems, convoy control systems and satellite programs have been developed and tested on RACE. DISA followed many key factors when implementing their cloud solution. Selecting a Cloud Solution DISA determined that a private IaaS solution would realize the desired improvements in efficiency, agility and innovation while maintaining strict security controls. Efficiency: RACE has been able to reach higher utilization levels through cloud technologies than previously available via traditional infrastructure by aggregating demand and, thus, smoothing out peak loads. These improvements in utilization divide the costs of provisioning and operating infrastructure among a broader group of consumers. Agility: Using traditional infrastructure, provisioning a dedicated server environment required three to six weeks. With RACE, the time required to provision functional service space for users is now 24 hours. Security: RACE has built-in application separation controls so that all applications, databases and Web servers are separate from each other. DISA also has a strict cleansing process, to be used when an application needs to be removed from the RACE platform. As DoD organizations obtain infrastructure through RACE, they are able to shift focus toward software design while interfacing with RACE staff through SLAs. 
Shift mindset: RACE has actively encouraged a service-based mindset among its users. DISA created a self-service portal through which users can provision services in 50GB increments using a government credit card. Project and software designers have increasingly used RACE to meet their infrastructure needs rather than relying on custom infrastructure configurations.

Build new management skills: DISA built new capabilities to support its operations. On the supply side, a single operational manager is ultimately responsible for meeting cost and performance metrics. A new demand manager has also been added to solicit, prioritize and coordinate user needs for service improvements.

Actively monitor: DISA monitors and continuously improves a number of SLAs focused on service quality. Performance dashboards include average and maximum wait times for provisioning services in the field.

www.GTIBookstore.com
Re-evaluate periodically: Less than one year after launching the IaaS service, DISA announced that it would provide private SaaS services, such as the RightNow installation for the Air Force.
A Cloud Dispute in the Federal Government Procurement Process

Google Sues U.S. over Cloud Contract Award

Google and one of its cloud service resellers, Onix Networks, filed a lawsuit against the U.S. government in November 2010 over contract requirements that left the companies unable to compete against Microsoft in a bid for government business. The U.S. Department of the Interior (DOI) was seeking a hosted email and collaboration solution to serve its 88,000 users. The contract is estimated to be worth $59 million over five years. Google wanted to compete for the government contract, but the Request for Quotations (RFQ) “specified that only the Microsoft Business Productivity Online Suite-Federal (BPOS-Federal) could be proposed.” Google claimed that a “Limited Source Justification” directive issued by the agency’s director of the Office of Acquisition and Property Management on August 30, 2010, represented single-source procurement “that is arbitrary and capricious, an abuse of discretion and otherwise contrary to law.” Google said that despite initial contact with the agency, which led the company to believe that it could meet the DOI’s requirements, things changed following a meeting in April 2010. The agency’s CTO, William Corrington, allegedly told Google representatives that “a path forward had already been chosen for the DOI messaging solution and there would be no opportunity for Google to compete because its product was not compliant with DOI’s security requirements.” Google said that the DOI declined to provide those security requirements or to meet with company representatives to discuss Google Apps security. In January 2011, Google won a temporary order preventing DOI from awarding the contract to Microsoft. Updates will be posted at GovernmentTrainingInc.com. Go to the Books section of the website, and click on Contracting for Cloud Services.
Use the username and password provided at the end of the Table of Contents of this book to access the Reference Library.
STEP 5
Building and Finalizing a Contract
A cloud computing vendor’s standard contract is typically written to favor that vendor. Gartner recommends that an institution considering cloud computing “understand the detailed terms and conditions ... and the risks of signing the service provider’s standard contract” before moving to a cloud computing solution. We would take that a step further and suggest that you work with the service provider to negotiate any revisions necessary to ensure that the terms of the contract effectively address your needs. Or, better yet, have your own agreement as part of the RFP process. This chapter describes key issues to consider addressing in the contract. Not every issue will be equally pertinent in every case; which ones matter depends on your specific needs, assessed case by case.
Infrastructure/Security

Identify Provider’s Current Infrastructure and Security Practices

The virtual nature of cloud computing makes it easy to forget that the service you get depends on a physical data center. It’s also important to remember that not all cloud vendors are created equal; there are both new and established providers in this market space. So before you decide to adopt a cloud computing solution, make sure you select a cloud provider that has well-run, efficiently structured data centers by learning as much as possible about the cloud vendor’s data center infrastructure and security practices. A good way to do this is to ask questions. There are already some good templates that you can leverage in building your own cloud vendor infrastructure and security questionnaire. Two good examples are:
The Cloud Security Alliance’s (CSA) Consensus Assessments Initiative Questionnaire
The Shared Assessments Standardized Information Gathering (SIG) Questionnaire
CSA Consensus Assessments Questionnaire

The Cloud Security Alliance (CSA) has produced the CSA Governance, Risk Management and Compliance (GRC) Stack, a suite of enabling tools for GRC in the cloud, available for free download at www.cloudsecurityalliance.org/grcstack. Achieving GRC goals requires appropriate assessment criteria, relevant control objectives and timely access to necessary supporting data. Whether implementing private, public or hybrid clouds, the shift to compute-as-a-service presents new challenges across the spectrum of GRC requirements. The CSA GRC Stack provides a toolkit for enterprises, cloud vendors, security solution providers, IT auditors and other key stakeholders to instrument and assess both private and public clouds against industry established best practices, standards and critical compliance requirements. “When cloud computing is treated as a governance initiative, with broad stakeholder engagement and well-planned risk management activities, it can bring tremendous value to an enterprise,” said Emil D’Angelo, CISA, CISM, international president of ISACA, a founding member of the Cloud Security Alliance and a co-developer of the GRC stack. The Cloud Security Alliance GRC Stack is an integrated suite of three CSA initiatives: CloudAudit, Cloud Controls Matrix and Consensus Assessments Initiative Questionnaire:
CloudAudit: aims to provide a common interface and namespace that allows cloud computing providers to automate the Audit, Assertion, Assessment and Assurance (A6) of their infrastructure (IaaS), platform (PaaS), and application (SaaS) environments and allow authorized consumers of their services to do likewise via an open, extensible and secure interface and methodology. CloudAudit provides the technical foundation to enable transparency and trust in private and public cloud systems.
Cloud Controls Matrix (CCM): provides a controls framework that gives detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains. As a framework, the CSA CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to the cloud industry.
Consensus Assessments Initiative Questionnaire (CAIQ): The CSA Consensus Assessments Initiative (CAI) performs research, and creates tools and industry partnerships to enable cloud computing assessments. The CAIQ provides industry-accepted ways to document what security controls exist in IaaS, PaaS, and SaaS offerings, providing security control transparency. The questionnaire (CAIQ) provides a set of questions a cloud consumer and cloud auditor may wish to ask of a cloud vendor. See also the reference list at the end of this book for the CAIQ.
Consensus Assessments Initiative Questionnaire

Each entry below gives the Control Area, the Control ID and the Consensus Assessment Questions (Cloud-Specific Control Assessment) for that control.

Compliance - Audit Planning (CO-01)
CO-01a - Do you produce audit assertions using a structured, industry accepted format (ex. CloudAudit/A6 URI Ontology, CloudTrust, SCAP, ISACA’s Cloud Computing Management Audit/Assurance Program, etc.)?

Compliance - Independent Audits (CO-02)
CO-02a - Do you allow tenants to view your SAS70 Type II/SSAE 16 SOC2/ISAE3402 or similar third-party audit reports?
CO-02b - Do you conduct network penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance?
CO-02c - Do you conduct application penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance?
CO-02d - Do you conduct internal audits regularly as prescribed by industry best practices and guidance?
CO-02e - Do you conduct external audits regularly as prescribed by industry best practices and guidance?
CO-02f - Are the results of the network penetration tests available to tenants at their request?
CO-02g - Are the results of internal and external audits available to tenants at their request?

Compliance - Third Party Audits (CO-03)
CO-03a - Do you permit tenants to perform independent vulnerability assessments?
CO-03b - Do you have an external third party conduct vulnerability scans and periodic penetration tests on your applications and networks?

Compliance - Contact / Authority Maintenance (CO-04)
CO-04a - Do you maintain liaisons and points of contact with local authorities in accordance with contracts and appropriate regulations?

Compliance - Information System Regulatory Mapping (CO-05)
CO-05a - Do you have the ability to logically segment or encrypt customer data such that, in the event of subpoena, data may be produced for a single tenant only, without inadvertently accessing another tenant’s data?
CO-05b - Do you have the capability to logically segment and recover data for a specific customer in the case of a failure or data loss?
Compliance - Intellectual Property (CO-06)
CO-06a - Do you have policies and procedures in place describing what controls you have in place to protect tenants’ intellectual property?
CO-06b - If utilization of tenants’ services housed in the cloud is mined for cloud vendor benefit, are the tenants’ IP rights preserved?
CO-06c - If utilization of tenants’ services housed in the cloud is mined for cloud vendor benefit, do you provide tenants the ability to “opt-out”?

Data Governance - Ownership / Stewardship (DG-01)
DG-01a - Do you follow a structured data-labeling standard (ex. ISO 15489, OASIS XML Catalog Specification, CSA data type guidance)?

Data Governance - Classification (DG-02)
DG-02a - Do you provide a capability to identify virtual machines via policy tags/metadata (ex. tags can be used to limit guest operating systems from booting/instantiating/transporting data in the wrong country, etc.)?
DG-02b - Do you provide a capability to identify hardware via policy tags/metadata/hardware tags (ex. TXT/TPM, VN-Tag, etc.)?
DG-02c - Do you have a capability to use system geographic location as an authentication factor?
DG-02d - Can you provide the physical location/geography of storage of a tenant’s data upon request?
DG-02e - Do you allow tenants to define acceptable geographical locations for data routing or resource instantiation?

Data Governance - Handling / Labeling / Security Policy (DG-03)

Data Governance - Retention Policy (DG-04)
DG-04a - Do you have technical control capabilities to enforce tenant data retention policies?
DG-04b - Do you have a documented procedure for responding to requests for tenant data from governments or third parties?

Data Governance - Secure Disposal (DG-05)
DG-05a - Do you support secure deletion (ex. degaussing / cryptographic wiping) of archived data as determined by the tenant?
DG-05b - Do you have the ability to sanitize all computing resources of tenant data once a customer has exited your environment?

Data Governance - Non-Production Data (DG-06)
Data Governance - Information Leakage (DG-07)
DG-07a - Do you have controls in place to prevent data leakage or intentional/accidental compromise between tenants in a multitenant environment?
DG-07b - Do you have a “Data Loss Prevention” (DLP) or “extrusion prevention” solution in place for all systems which interface with your cloud service offering?

Data Governance - Risk Assessments (DG-08)
DG-08a - Do you provide security control health data in order to allow tenants to implement industry standard Continuous Monitoring (which allows continual tenant validation of your physical and logical control status)?

Facility Security - Policy (FS-01)

Facility Security - User Access (FS-02)
FS-02a - Do you require strong (multifactor) authentication options (card keys+PIN, biometric readers, etc.) for access to your physical facilities?

Facility Security - Controlled Access Points (FS-03)

Facility Security - Secure Area Authorization (FS-04)
FS-04a - Do you allow tenants to specify which of your geographic locations their data is allowed to traverse into/out of (to address legal jurisdictional considerations based on where data is stored vs. accessed)?

Facility Security - Unauthorized Persons Entry (FS-05)

Facility Security - OffSite Authorization (FS-06)
FS-06a - Do you provide tenants with documentation that describes scenarios where data may be moved from one physical location to another (ex. offsite backups, business continuity failovers, replication)?

Facility Security - OffSite Equipment (FS-07)
FS-07a - Do you provide tenants with documentation describing your policies and procedures governing asset management and repurposing of equipment?

Facility Security - Asset Management (FS-08)
FS-08a - Do you maintain a complete inventory of all of your critical assets which includes ownership of the asset?
FS-08b - Do you maintain a complete inventory of all of your critical supplier relationships?

Human Resources Security - Background Screening (HR-01)
Human Resources Security - Employment Agreements (HR-02)
HR-02a - Do you specifically train your employees regarding their role vs. the tenant’s role in providing information security controls?
HR-02b - Do you document employee acknowledgment of training they have completed?

Human Resources Security - Employment Termination (HR-03)

Information Security - Management Program (IS-01)
IS-01a - Do you provide tenants with documentation describing your Information Security Management Program (ISMP)?

Information Security - Management Support / Involvement (IS-02)

Information Security - Policy (IS-03)
IS-03a - Do your information security and privacy policies align with particular industry standards (ISO-27001, ISO-22307, CoBIT, etc.)?
IS-03b - Do you have agreements which ensure your providers adhere to your information security and privacy policies?

Information Security - Baseline Requirements (IS-04)
IS-04a - Do you have documented information security baselines for every component of your infrastructure (ex. hypervisors, operating systems, routers, DNS servers, etc.)?
IS-04b - Do you have a capability to continuously monitor and report the compliance of your infrastructure against your information security baselines?
IS-04c - Do you allow your clients to provide their own “trusted” virtual machine image to ensure conformance to their own internal standards?

Information Security - Policy Reviews (IS-05)
IS-05a - Do you notify your tenants when you make material changes to your information security and/or privacy policies?

Information Security - Policy Enforcement (IS-06)

Information Security - User Access Policy (IS-07)
IS-07a - Do you have controls in place ensuring timely removal of systems access which is no longer required for business purposes?
IS-07b - Do you provide metrics which track the speed with which you are able to remove systems access which is no longer required for business purposes?

Information Security - User Access Restriction / Authorization (IS-08)
IS-08a - Do you document how you grant and approve access to tenant data?
IS-08b - Do you have a method of aligning provider and tenant data classification methodologies for access control purposes?
Information Security - User Access Revocation (IS-09)

Information Security - User Access Reviews (IS-10)
IS-10a - Do you require at least annual certification of entitlements for all system users and administrators (exclusive of users maintained by your tenants)?
IS-10b - If users are found to have inappropriate entitlements, are all remediation and certification actions recorded?
IS-10c - Will you share user entitlement remediation and certification reports with your tenants, if inappropriate access may have been allowed to tenant data?

Information Security - Training / Awareness (IS-11)
IS-11a - Do you provide or make available a formal security awareness training program for cloud-related access and data management issues (i.e., multi-tenancy, nationality, cloud delivery model segregation of duties implications, and conflicts of interest) for all persons with access to tenant data?
IS-11b - Are administrators and data stewards properly educated on their legal responsibilities with regard to security and data integrity?

Information Security - Industry Knowledge / Benchmarking (IS-12)
IS-12a - Do you participate in industry groups and professional associations related to information security?
IS-12b - Do you benchmark your security controls against industry standards?

Information Security - Roles / Responsibilities (IS-13)
IS-13a - Do you provide tenants with a role definition document clarifying your administrative responsibilities vs. those of the tenant?

Information Security - Management Oversight (IS-14)

Information Security - Segregation of Duties (IS-15)
IS-15a - Do you provide tenants with documentation on how you maintain segregation of duties within your cloud service offering?

Information Security - User Responsibility (IS-16)

Information Security - Workspace (IS-17)
IS-17a - Do your data management policies and procedures address tenant and service level conflicts of interests?
IS-17b - Do your data management policies and procedures include a tamper audit or software integrity function for unauthorized access to tenant data?
IS-17c - Does the virtual machine management infrastructure include a tamper audit or software integrity function to detect changes to the build/configuration of the virtual machine?
Information Security - Encryption (IS-18)
IS-18a - Do you have a capability to allow creation of unique encryption keys per tenant?
IS-18b - Do you support tenant generated encryption keys or permit tenants to encrypt data to an identity without access to a public key certificate (e.g. identity-based encryption)?

Information Security - Encryption Key Management (IS-19)
IS-19a - Do you encrypt tenant data at rest (on disk/storage) within your environment?
IS-19b - Do you leverage encryption to protect data and virtual machine images during transport across and between networks and hypervisor instances?
IS-19c - Do you have a capability to manage encryption keys on behalf of tenants?
IS-19d - Do you maintain key management procedures?

Information Security - Vulnerability / Patch Management (IS-20)
IS-20a - Do you conduct network-layer vulnerability scans regularly as prescribed by industry best practices?
IS-20b - Do you conduct application-layer vulnerability scans regularly as prescribed by industry best practices?
IS-20c - Do you conduct local operating system-layer vulnerability scans regularly as prescribed by industry best practices?
IS-20d - Will you make the results of vulnerability scans available to tenants at their request?
IS-20e - Do you have a capability to rapidly patch vulnerabilities across all of your computing devices, applications, and systems?
IS-20f - Will you provide your risk-based systems patching timeframes to your tenants upon request?

Information Security - Anti-Virus / Malicious Software (IS-21)
IS-21a - Do you have anti-malware programs installed on all systems which support your cloud service offerings?
IS-21b - Do you ensure that security threat detection systems which use signatures, lists, or behavioral patterns are updated across all infrastructure components within industry accepted timeframes?

Information Security - Incident Management (IS-22)
IS-22a - Do you have a documented security incident response plan?
IS-22b - Do you integrate customized tenant requirements into your security incident response plans?
IS-22c - Do you publish a roles and responsibilities document specifying what you vs. your tenants are responsible for during security incidents?
Information Security - Incident Reporting (IS-23)
IS-23a - Does your security information and event management (SIEM) system merge data sources (app logs, firewall logs, IDS logs, physical access logs, etc.) for granular analysis and alerting?
IS-23b - Does your logging and monitoring framework allow isolation of an incident to specific tenants?

Information Security - Incident Response Legal Preparation (IS-24)
IS-24a - Does your incident response plan comply with industry standards for legally admissible chain-of-custody management processes & controls?
IS-24b - Does your incident response capability include the use of legally admissible forensic data collection and analysis techniques?
IS-24c - Are you capable of supporting litigation holds (freeze of data from a specific point in time) for a specific tenant without freezing other tenant data?
IS-24d - Do you enforce and attest to tenant data separation when producing data in response to legal subpoenas?

Information Security - Incident Response Metrics (IS-25)
IS-25a - Do you monitor and quantify the types, volumes, and impacts of all information security incidents?
IS-25b - Will you share statistical information security incident data with your tenants upon request?

Information Security - Acceptable Use (IS-26)
IS-26a - Do you provide documentation regarding how you may utilize or access tenant data and/or metadata?
IS-26b - Do you collect or create metadata about tenant data usage through the use of inspection technologies (search engines, etc.)?
IS-26c - Do you allow tenants to opt-out of having their data/metadata accessed via inspection technologies?

Information Security - Asset Returns (IS-27)
IS-27a - Are systems in place to monitor for privacy breaches and notify tenants expeditiously if a privacy event may have impacted their data?
IS-27b - Is your Privacy Policy aligned with industry standards?

Information Security - eCommerce Transactions (IS-28)
IS-28a - Do you provide open encryption methodologies (3DES, AES, etc.) to tenants in order for them to protect their data if it is required to traverse public networks (ex. the Internet)?
IS-28b - Do you utilize open encryption methodologies any time your infrastructure components need to communicate with each other over public networks (ex. Internet-based replication of data from one environment to another)?

Information Security - Audit Tools Access (IS-29)
IS-29a - Do you restrict, log, and monitor access to your information security management systems (ex. hypervisors, firewalls, vulnerability scanners, network sniffers, APIs, etc.)?
Information Security - Diagnostic / Configuration Ports Access (IS-30)
IS-30a - Do you utilize dedicated secure networks to provide management access to your cloud service infrastructure?

Information Security - Network / Infrastructure Services (IS-31)
IS-31a - Do you collect capacity and utilization data for all relevant components of your cloud service offering?
IS-31b - Do you provide tenants with capacity planning and utilization reports?

Information Security - Portable / Mobile Devices (IS-32)

Information Security - Source Code Access Restriction (IS-33)
IS-33a - Are controls in place to prevent unauthorized access to your application, program or object source code, so that access is restricted to authorized personnel only?
IS-33b - Are controls in place to prevent unauthorized access to tenant application, program or object source code, so that access is restricted to authorized personnel only?

Information Security - Utility Programs Access (IS-34)
IS-34a - Are utilities that can significantly manage virtualized partitions (ex. shutdown, clone, etc.) appropriately restricted and monitored?
IS-34b - Do you have a capability to detect attacks which target the virtual infrastructure directly (ex. shimming, Blue Pill, Hyperjumping, etc.)?
IS-34c - Are attacks which target the virtual infrastructure prevented with technical controls?

Legal - NonDisclosure Agreements (LG-01)

Legal - Third Party Agreements (LG-02)
LG-02a - Do you select and monitor outsourced providers in compliance with laws in the country where the data is processed, stored and transmitted?
LG-02b - Do you select and monitor outsourced providers in compliance with laws in the country where the data originates?
LG-02c - Does legal counsel review all third-party agreements?

Operations Management - Policy (OP-01)

Operations Management - Documentation (OP-02)
Operations Management - Capacity / Resource Planning (OP-03)
OP-03a - Do you provide documentation regarding what levels of system (network, storage, memory, I/O, etc.) oversubscription you maintain and under what circumstances/scenarios?
OP-03b - Do you restrict use of the memory oversubscription capabilities present in the hypervisor?

Operations Management - Equipment Maintenance (OP-04)
OP-04a - If using virtual infrastructure, does your cloud solution include hardware independent restore and recovery capabilities?
OP-04b - If using virtual infrastructure, do you provide tenants with a capability to restore a Virtual Machine to a previous state in time?
OP-04c - If using virtual infrastructure, do you allow virtual machine images to be downloaded and ported to a new cloud vendor?
OP-04d - If using virtual infrastructure, are machine images made available to the customer in a way that would allow the customer to replicate those images in their own offsite storage location?
OP-04e - Does your cloud solution include software / provider independent restore and recovery capabilities?

Risk Management - Program (RI-01)
RI-01a - Is your organization insured by a third party for losses?
RI-01b - Do your organization’s service level agreements provide tenant remuneration for losses they may incur due to outages or losses experienced within your infrastructure?

Risk Management - Assessments (RI-02)

Risk Management - Mitigation / Acceptance (RI-03)

Risk Management - Business / Policy Change Impacts (RI-04)
Risk Management - Third Party Access (RI-05)
RI-05a - Do you provide multi-failure disaster recovery capability?
RI-05b - Do you monitor service continuity with upstream providers in the event of provider failure?
RI-05c - Do you have more than one provider for each service you depend on?
RI-05d - Do you provide access to operational redundancy and continuity summaries which include the services on which you depend?
RI-05e - Do you provide the tenant the ability to declare a “disaster”?
RI-05f - Do you provide a tenant triggered failover option?
RI-05g - Do you share your business continuity and redundancy plans with your tenants?

Release Management - New Development / Acquisition (RM-01)

Release Management - Production Changes (RM-02)
RM-02a - Do you provide tenants with documentation which describes your production change management procedures and their roles/rights/responsibilities within it?

Release Management - Quality Testing (RM-03)
RM-03a - Do you provide your tenants with documentation which describes your quality assurance process?

Release Management - Outsourced Development (RM-04)
RM-04a - Do you have controls in place to ensure that standards of quality are being met for all software development?
RM-04b - Do you have controls in place to detect source code security defects for any outsourced software development activities?

Release Management - Unauthorized Software Installations (RM-05)
RM-05a - Do you have controls in place to restrict and monitor the installation of unauthorized software onto your systems?

Resiliency - Management Program (RS-01)

Resiliency - Impact Analysis (RS-02)
RS-02a - Do you provide tenants with ongoing visibility and reporting into your operational Service Level Agreement (SLA) performance?
RS-02b - Do you make standards-based information security metrics (CSA, CAM, etc.) available to your tenants?
RS-02c - Do you provide customers with ongoing visibility and reporting into your SLA performance?
Resiliency - Business Continuity Planning (RS-03)
RS-03a - Do you provide tenants with geographically resilient hosting options?
RS-03b - Do you provide tenants with infrastructure service failover capability to other providers?

Resiliency - Business Continuity Testing (RS-04)

Resiliency - Environmental Risks (RS-05)

Resiliency - Equipment Location (RS-06)
RS-06a - Are any of your datacenters located in places which have a high probability/occurrence of high-impact environmental risks (floods, tornadoes, earthquakes, hurricanes, etc.)?

Resiliency - Equipment Power Failures (RS-07)

Resiliency - Power / Telecommunications (RS-08)
RS-08a - Do you provide tenants with documentation showing the transport route of their data between your systems?
RS-08b - Can tenants define how their data is transported and through which legal jurisdiction?

Security Architecture - Customer Access Requirements (SA-01)

Security Architecture - User ID Credentials (SA-02)
SA-02a - Do you support use of, or integration with, existing customer-based Single Sign On (SSO) solutions to your service?
SA-02b - Do you use open standards to delegate authentication capabilities to your tenants?
SA-02c - Do you support identity federation standards (SAML, SPML, WS-Federation, etc.) as a means of authenticating/authorizing users?
SA-02d - Do you have a Policy Enforcement Point capability (ex. XACML) to enforce regional legal and policy constraints on user access?
SA-02e - Do you have an identity management system in place which enables both role-based and context-based entitlement to data (enables classification of data for a tenant)?
SA-02f - Do you provide tenants with strong (multifactor) authentication options (digital certs, tokens, biometric, etc.) for user access?
SA-02g - Do you allow tenants to use third-party identity assurance services?
Control Area
Control ID
Consensus Assessment Questions (Cloud-Specific Control Assessment)
Security Architecture - Data Security / Integrity
SA-03
SA-03a - Is your Data Security Architecture designed using an industry standard (ex. CDSA, MULITSAFE, CSA Trusted Cloud Architectural Standard, FedRAMP CAESARS?)
Security Architecture - Application Security
SA-04
SA-04a - Do you utilize industry standards (Build Security in Maturity Model [BSIMM] Benchmarks, Open Group ACS Trusted Technology Provider Framework, NIST, etc.) to “build-in” security for your Systems/Software Development Lifecycle (SDLC)? SA-04b - Do you utilize an automated source-code analysis tool to detect code security defects prior to production? SA-04c - Do you verify that all of your software suppliers adhere to industry standards for Systems/Software Development Lifecycle (SDLC) security?
Security Architecture - Data Integrity
SA-05
Security Architecture - Production / Non-Production Environments
SA-06
Security Architecture - Remote User MultiFactor Authentication
SA-07
Security Architecture - Network Security
SA-08
Security Architecture - Segmentation
SA-09
Security Architecture - Wireless Security
SA-10
Security Architecture - Shared Networks
SA-11
Security Architecture - Clock Synchronization
SA-12
Security Architecture - Equipment Identification
SA-13
Security Architecture - Audit Logging / Intrusion Detection
SA-14
Security Architecture - Mobile Code
SA-15
SA-06a - For your SaaS or PaaS offering, do you provide tenants with separate environments for production and test processes? SA-06b - For your IaaS offering, do you provide tenants with guidance on how to create suitable production and test environments?
Copyright© 2010, Cloud Security Alliance
SA-08a - For your IaaS offering, do you provide customers with guidance on how to create a layered security architecture equivalence using your virtualized solution?
SA-12a - Do you utilize a synchronized time-service protocol (ex. NTP) to ensure all systems have a common time reference?
Step 5. Building and Finalizing A Contract
Shared Assessments SIG and AUP
Shared Assessments eliminates redundancies and creates efficiencies, giving all parties a faster, more efficient and less costly means of conducting rigorous and comprehensive security, privacy and business continuity assessments. ControlCase licenses the BITS content and provides certification services for compliance with the Agreed Upon Procedures. The services can be provided independently or in conjunction with a SaaS solution. The Shared Assessments Program operates in two parts. The first part is a questionnaire called the Standardized Information Gathering questionnaire (SIG). This tool provides financial institutions with a “snapshot” of the security controls at the service provider’s location. The service provider may then provide that snapshot to a virtually unlimited number of clients. The second component, the Agreed Upon Procedures (AUP), provides a more detailed report on service provider controls. Using the AUP, an assessment firm or qualified CPA creates a detailed report. This report can be shared with other clients, in many cases eliminating the need for an onsite visit. More information can be found at www.bitsinfo.org/FISAP/index.php.
Information Security
There have been a number of prominent data security breaches recently, all of which serve to demonstrate one of the risks common to any cloud service adoption: the cloud vendor may not handle your data security as you would like. When you use any cloud computing service, you must trust it with information, whether that be personal, regulated, proprietary or otherwise sensitive information. In doing so, you lose some of the control, or at least perceived control, that you had when you did the same things yourself. The first step to take in mitigating this risk is reading and understanding the cloud vendor’s standard terms and conditions. The next step is to obtain as much knowledge as possible about the mechanisms and processes that the cloud vendor has in place to keep your information secure. Some key information security issues to consider investigating in this process include:
Secure gateway environment
Audit/penetration tests and reports
Security monitoring systems
Multi-tenancy data segregation
Encryption
Secure Gateway Environment
What technologies does the cloud vendor use to create a secure gateway (SEGAT) environment (for example, firewalls, traffic flow filters and anti-malware tools)? Access controls and authentication mechanisms can add another level of security to help ensure sensitive information can’t be accessed or compromised.
Audits/Penetration Tests and Reports
What network-, application- and operating system-level audits or penetration tests does the cloud vendor conduct on its own infrastructure, or have conducted by a third party? A penetration test, sometimes called a pentest, is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source, known as a Black Hat Hacker or Cracker. The process involves an active analysis of the system to identify any potential vulnerabilities that could result from poor or improper system configuration, known and unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker and can involve active exploitation of security vulnerabilities. The process should culminate in a report identifying any security issues that were found, together with an assessment of their potential impact and a solution plan for removing those vulnerabilities. It is important to ensure that this resulting report is provided to you, the customer.
Security Monitoring Systems
Monitoring systems for security breaches is essential if sensitive data is involved. The monitoring should be able to generate instant alerts and reports of problems so that speedy and appropriate action can be taken. The level of security monitoring will depend on the results of your risk assessment and can range from basic to ultra-sophisticated. Monitoring can alert you to who logs on and from where, how long they use the service, attempts to break into the system using incorrect passwords, and people accessing data to which they are not allowed access.
Multi-Tenancy Data Segregation
A major concern of users is that their data is often stored on servers which are shared by other users or co-tenants. Vendors must be able to demonstrate that your data is “ring-fenced” so that only those permitted to access it are able to. In the same way, the data of each other tenant of the server must be similarly protected so there can be no cross-feeding of information. Vendors should be able to provide clients with user reports detailing exactly who is accessing the service. Some users might also require that only certain people can have access to certain information. The vendor can provide filters that will allow those with access authorization to get the data while blocking those who do not have permission. Passwords can provide another layer of security.
Real-Life Example
FBI raids related to specific companies using services of a third-party data center resulted in the FBI seizing equipment and data belonging to hundreds of unrelated businesses.
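The monitoring capabilities listed in the Security Monitoring Systems paragraph above can be made concrete as detection logic. The following Go program is an added example, not from the book or from any vendor's product: it assumes a simple key=value access-log format and a customer-supplied policy (expected source addresses per user, permitted data sets per user, a failed-login threshold), all constructed here, and raises the three kinds of alert the paragraph describes.

```go
package main

import (
	"fmt"
	"strings"
)

// Alert is what the monitoring layer would raise to the customer.
type Alert struct {
	Kind, User, Detail string
}

// Policy is the customer-side knowledge the checks need: expected source
// addresses per user, permitted data sets per user, and the failed-login
// count that triggers an alert.
type Policy struct {
	KnownSrc map[string][]string
	Allowed  map[string][]string
	FailMax  int
}

// parseLine splits a "key=value key=value ..." record into a map. The log
// format is an assumption made for this example, not any vendor's real one.
func parseLine(line string) map[string]string {
	e := map[string]string{}
	for _, tok := range strings.Fields(line) {
		if kv := strings.SplitN(tok, "=", 2); len(kv) == 2 {
			e[kv[0]] = kv[1]
		}
	}
	return e
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

// Analyze walks the log in order and raises the three alert kinds the text
// describes: repeated incorrect passwords, a successful logon from an
// unexpected location, and any read (granted or denied) of data the user is
// not permitted to see. The failure counter resets on a successful logon.
func Analyze(lines []string, p Policy) []Alert {
	var alerts []Alert
	fails := map[string]int{}
	for _, line := range lines {
		e := parseLine(line)
		user := e["user"]
		switch e["action"] {
		case "login":
			if e["result"] != "ok" {
				fails[user]++
				if fails[user] == p.FailMax {
					alerts = append(alerts, Alert{"brute-force", user,
						fmt.Sprintf("%d consecutive failed logins from %s", p.FailMax, e["src"])})
				}
				continue
			}
			fails[user] = 0
			if !contains(p.KnownSrc[user], e["src"]) {
				alerts = append(alerts, Alert{"new-location", user, "successful login from " + e["src"]})
			}
		case "read":
			if !contains(p.Allowed[user], e["target"]) {
				alerts = append(alerts, Alert{"unauthorized-access", user,
					fmt.Sprintf("read of %s (result=%s)", e["target"], e["result"])})
			}
		}
	}
	return alerts
}

// SampleLog and SamplePolicy are constructed for this example; the addresses
// are from documentation ranges, not real hosts.
var SampleLog = []string{
	"ts=2011-06-15T09:00:01Z user=alice src=198.51.100.7 action=login result=ok",
	"ts=2011-06-15T09:00:40Z user=alice src=198.51.100.7 action=read target=payroll result=ok",
	"ts=2011-06-15T09:05:02Z user=bob src=203.0.113.9 action=login result=fail",
	"ts=2011-06-15T09:05:09Z user=bob src=203.0.113.9 action=login result=fail",
	"ts=2011-06-15T09:05:15Z user=bob src=203.0.113.9 action=login result=fail",
	"ts=2011-06-15T09:05:21Z user=bob src=203.0.113.9 action=login result=ok",
	"ts=2011-06-15T09:06:00Z user=bob src=203.0.113.9 action=read target=payroll result=denied",
}

var SamplePolicy = Policy{
	KnownSrc: map[string][]string{"alice": {"198.51.100.7"}, "bob": {"198.51.100.8"}},
	Allowed:  map[string][]string{"alice": {"payroll", "hr"}, "bob": {"hr"}},
	FailMax:  3,
}

func main() {
	for _, a := range Analyze(SampleLog, SamplePolicy) {
		fmt.Printf("%-20s %-6s %s\n", a.Kind, a.User, a.Detail)
	}
}
```

On the sample log, alice's permitted activity produces no alerts, while bob triggers all three kinds in order.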
Encryption
Encryption provides a basic solution to securing sensitive data in the cloud. It not only protects sensitive data if there is a security breach but also allows agencies to control who can access the data, for example so that only senior managers are allowed to access agency financial information. There are several ways to encrypt data in the cloud, such as volume-based technologies, application-focused technologies and file-based technologies. The most important element of encryption, however, is how it is managed. Keys are used to decrypt data, and policies must be in place to determine who receives them and what security is in place to prevent unauthorized use. If the vendor is providing the keys as a third party, the SLA must detail the security safeguards in place to protect them.
Identity and Access Management
The adoption of a cloud computing solution can present some specific challenges in relation to identity and access management (IAM). Oftentimes, the customer already has an existing IAM in place. The cloud solution typically also includes an IAM mechanism. Employing two different IAM systems is a complication that can become unworkable.
An example contract clause:
Customer utilizes processes and protocols of [IAM SYSTEM NAME] to identify and authenticate its employees to Web-based applications and contracted service providers. Vendor will take all necessary steps to ensure that the Services provided under this Agreement integrate with and utilize these processes and protocols to obtain end-user identity information.
Personal Identity Verification Interoperability (PIV-I) is intended to facilitate the issuance of identity credentials by organizations that are interoperable with federal PIV-conformant systems and can be trusted by federal organizations. In order to achieve this level of trust, PIV-I credentials must include digital credentials from a certification authority cross-certified with the Federal Bridge Certification Authority (FBCA) at the Medium Hardware Level of Assurance or above, whose cross-certificate relationship includes the PIV-I policy object identifiers (OID). The federal government has established a PIV-I cross certification list for entities that have demonstrated the ability to provide digital credentials that meet the expectations of the PIV-I guidance by demonstrating comparability with the appropriate FBCA policies.
Cloud Vendors Competing on Data Security and Privacy Terms
The good news for users is that cloud vendors are butting heads to provide the best data security and privacy terms. Google was happy to go public with the terms of its Google Apps contract with the city of Los Angeles, which set new industry standards. In return, Kevin Crawford, the city’s assistant director of IT, has become an influential reference for his vendor. The terms of the contract are worth noting. They include data security and privacy controls, unlimited damages for a data breach, audits, encryption, guarantees that all data remains in the contiguous 48 states and penalties if Google’s services are unavailable for more than five minutes a month. The contract, which took months to finalize, shows what can be achieved in today’s tough negotiating environment. Other vendors have taken notice and are now more willing to move in meeting users’ demands and requirements.
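The key-management point made in the Encryption paragraph above (who holds the keys, and who is allowed to receive them) is illustrated by the following Go program, an added example that is not from the book or from any vendor's implementation. It assumes envelope encryption with AES-GCM: each record is encrypted under its own data key, that key is wrapped under a key-encryption key the customer keeps off the vendor's systems, and a role-based release policy decides who gets a key unwrapped.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-GCM under key; the random nonce is prepended.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal; a wrong key or any tampering fails GCM authentication.
func Open(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed data too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Record is all the vendor stores: ciphertext plus the per-record data key (DEK)
// wrapped under the customer's key-encryption key (KEK), which never leaves the customer.
type Record struct {
	Ciphertext []byte
	WrappedDEK []byte
}

// Customer holds the KEK and the release policy: which roles may receive a DEK.
type Customer struct {
	kek     []byte
	release map[string]bool
}

func NewCustomer(release map[string]bool) (*Customer, error) {
	kek := make([]byte, 32) // AES-256 KEK from the system CSPRNG
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &Customer{kek: kek, release: release}, nil
}

// Protect encrypts data under a fresh DEK and wraps that DEK with the KEK.
func (c *Customer) Protect(plaintext []byte) (Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Record{}, err
	}
	ct, err := Seal(dek, plaintext)
	if err != nil {
		return Record{}, err
	}
	wrapped, err := Seal(c.kek, dek)
	if err != nil {
		return Record{}, err
	}
	return Record{Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// Access is the policy gate the text calls for: the DEK is released only to an
// approved role, and only this customer's KEK can unwrap it.
func (c *Customer) Access(role string, rec Record) ([]byte, error) {
	if !c.release[role] {
		return nil, fmt.Errorf("policy: role %q may not receive the data key", role)
	}
	dek, err := Open(c.kek, rec.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return Open(dek, rec.Ciphertext)
}

func main() {
	c, _ := NewCustomer(map[string]bool{"senior-manager": true})
	rec, _ := c.Protect([]byte("FY2011 agency financials"))
	for _, role := range []string{"senior-manager", "analyst"} {
		pt, err := c.Access(role, rec)
		fmt.Printf("%s: %q err=%v\n", role, pt, err)
	}
}
```

The vendor-side Record holds only ciphertext and a wrapped key; a non-approved role, a different customer's KEK, or a tampered record all fail to decrypt.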
Physical Security
Your data will be in one or more physical data centers run by the cloud vendor. How do you know that they’re taking appropriate steps in implementing best-practice facility security to ensure that unauthorized individuals can’t access their data center? And how do you know that they’re taking appropriate steps to prevent and protect against insider security threats, either malicious or unintentional? You need:
Security Policy/Incident Response Plan
Access Controls/Restrictions
Background Checks/Training for Staff
Segregation of Duties
Third-Party Adherence to Security Policies
Security Policy/Incident Response Plan
While every security effort must be made to ensure the integrity of data, breaches can occur for many reasons – from hacking and theft of laptops containing sensitive information to human error. For this reason it is essential that you identify and review your cloud vendor’s Security Policy and Incident Response Plan documents. The Security Policy will typically detail the mechanisms and processes that the cloud vendor has in place to prevent security breaches. The Incident Response Plan typically details the steps the cloud vendor will take should a security breach occur in order to identify the extent of the breach, what data was accessed and how the breach occurred, and the steps the provider will take to cure the breach and ensure that it does not recur. The plan should define who needs to be told and detail everyone’s areas of responsibility. The purpose of the plan is to confirm that an incident has occurred, do what is necessary to mitigate it, maintain continuity of operations and keep all relevant stakeholders informed. Then you can start the forensic work of determining how the incident happened and what needs to be done to prevent it occurring again. The final phase is to review the incident response plan to see how effective it was and what changes can be made to improve it. Incidents range from data theft and data manipulation (unauthorized modifications) to attempts at unauthorized access. The plan should have protocols in place to handle different incident scenarios, determine the severity of the incident, and decide whether the incident is over or the threat remains. Document everything.
Access Controls/Restrictions
Does the cloud vendor have appropriate physical access controls and restrictions in place sufficient to ensure that only authorized personnel are able to access the IT infrastructure on which your data is stored and processed? Examples include:
Data center in non-descript location
Security guards
Video surveillance
Intrusion detection systems
Multi-factor authentication
Background Checks/Training for Staff
Threat #3 on the Cloud Security Alliance’s (CSA) “Top Threats to Cloud Computing” document is “Malicious Insiders” (cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf). For this reason it is important to understand your cloud vendor’s processes for conducting background checks on its staff and on any third parties that may have access to its infrastructure and/or your data. Additionally, it is important that the cloud vendor ensures that all staff members receive effective training regarding security policies and procedures.
Segregation of Duties (SoD)
The principle is that no individual should have excessive system access that enables him/her to unilaterally execute conflicting end-to-end transactions and go undetected. Segregation of duties allocates key tasks and responsibilities among several players, rather than investing everything in one person. By segregating tasks among a team, there is a better chance of spotting something going wrong or a key action that has been forgotten. Multiple players also reduce the chances of fraud or data theft.
Tip
A common SoD check is to ensure that the maintenance program is not run by the same people that do the research and development for products.
Proper SoD is a long-established method of preventing fraud and maintaining checks and balances within a company. However, the recent regulatory focus on public companies has driven businesses to truly understand what access their employees have within their application portfolio. Sarbanes-Oxley not only imposed an unprecedented rigor around controls, it also underscored the importance of an integrated IT and financial controls approach to managing risk within a company. The discipline, the process and the documentation for development differ from those for maintenance and support.
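A segregation-of-duties review of the kind described above can be automated once roles and their entitlements are listed. The following Go program is an added example, not from the book: the roles, users and conflict rules are constructed for illustration (the maintenance versus R&D pair follows the Tip), and the checker expands each user's roles into duties and reports every conflicting pair, including conflicts that only appear when two individually reasonable roles are held together.

```go
package main

import (
	"fmt"
	"sort"
)

// Rule names two duties one person must not hold together, with the reason
// a reviewer would cite. The rules used below are constructed for the example.
type Rule struct {
	A, B, Reason string
}

// Conflict is one user found holding both sides of a rule, with the roles
// that granted each side so the reviewer can see how it came about.
type Conflict struct {
	User, DutyA, DutyB, ViaA, ViaB, Reason string
}

// FindConflicts expands each user's roles into duties and reports every rule
// violated. A violation can come from a single over-broad role or, less
// visibly, from two roles that are each reasonable on their own.
func FindConflicts(roles map[string][]string, users map[string][]string, rules []Rule) []Conflict {
	var out []Conflict
	names := make([]string, 0, len(users))
	for u := range users {
		names = append(names, u)
	}
	sort.Strings(names) // deterministic report order
	for _, u := range names {
		via := map[string]string{} // duty -> first role that granted it
		for _, r := range users[u] {
			for _, d := range roles[r] {
				if _, seen := via[d]; !seen {
					via[d] = r
				}
			}
		}
		for _, rule := range rules {
			ra, okA := via[rule.A]
			rb, okB := via[rule.B]
			if okA && okB {
				out = append(out, Conflict{u, rule.A, rule.B, ra, rb, rule.Reason})
			}
		}
	}
	return out
}

// Sample data constructed for this example.
var (
	SampleRoles = map[string][]string{
		"developer":   {"modify-source", "run-unit-tests"},
		"release-eng": {"deploy-production", "run-maintenance"},
		"ap-clerk":    {"create-vendor", "enter-invoice"},
		"ap-manager":  {"approve-payment"},
		"sysadmin":    {"deploy-production", "modify-source", "grant-access"},
	}
	SampleUsers = map[string][]string{
		"carol": {"developer"},
		"dave":  {"developer", "release-eng"},
		"erin":  {"ap-clerk", "ap-manager"},
		"frank": {"sysadmin"},
	}
	SampleRules = []Rule{
		{"modify-source", "run-maintenance", "R&D staff must not also run the maintenance program"},
		{"modify-source", "deploy-production", "a developer must not push their own code to production"},
		{"create-vendor", "approve-payment", "one person could create a vendor and pay it"},
	}
)

func main() {
	for _, c := range FindConflicts(SampleRoles, SampleUsers, SampleRules) {
		fmt.Printf("%-6s %s (via %s) + %s (via %s): %s\n", c.User, c.DutyA, c.ViaA, c.DutyB, c.ViaB, c.Reason)
	}
}
```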
Third-Party Adherence to Security Policies
Does the cloud vendor have in place contracts and policies to require any third-party suppliers to understand and abide by the same security policies and procedures that apply to the cloud vendor’s employees? Additionally, the cloud vendor should have in place processes to monitor and manage the activities of third-party suppliers to ensure compliance.
A security clause that requires compliance with standards (such as ISO 27001 and 27002) and requires vendors to implement best security practices will accomplish this. In addition, you may have a security exhibit that addresses this and more. Using pre-contract due diligence techniques you would have your cloud vendor submit its security policies and procedures, you would audit those and perhaps do an onsite visit, and then list deficiencies in the agreement with a timetable for solution and a remedy for failure to meet that timetable.
An example contract clause:
“[VENDOR] datacenters are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access datacenter floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. [VENDOR] only provides datacenter access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of [VENDOR]. All physical access to datacenters by [VENDOR] employees is logged and audited routinely.”
DOD Proposed Changes to Handling Unclassified Information
In June 2011, the Department of Defense proposed a new rule requiring federal contractors whose information systems contain unclassified DoD information to take measures to safeguard that information from unauthorized access and notify DoD of any breaches. The rule change would amend the Defense Federal Acquisition Regulation Supplement to add new clauses dealing with unclassified information. The proposed rule stipulates basic requirements for security that apply to information that is designated as critical program information, subject to export controls, exempt from mandatory public disclosure, bearing a designation of controlled access and dissemination, or personally identifiable. DOD officials believe the proposed rule could impact more than 48,000 small businesses. The rule would require contractors and subcontractors to provide adequate information security for unclassified DOD information held on their systems or moving through their systems. Contractors must also report cyber incidents that affect the unclassified information, but those reports will not be taken as proof of failure to provide adequate security.
Operations Management
Operations management covers everything from infrastructure and systems to applications and services. How do you know that the cloud vendor is effectively managing its data center with current and effectively configured systems? Its failure to do so could diminish your access to its services and potentially subject your data to damage, corruption or loss. The primary aim is to ensure ongoing continuity of service at the desired level, using dynamic tools to monitor and verify this. It is important that you can prove that you are getting all the services contracted for and according to the terms of the contract. The infrastructure behind the scenes of a public cloud computing service is a lot more complicated than a traditional data center. In addition to general computing components such as virtual machine monitors, data storage and associated middleware, a public cloud infrastructure has to deal with things such as workload management, data replication and recovery, and resource metering. And to make things even more challenging, all of these have to interact effectively while they change over time, as feature improvements and bug fixes are continuously rolled out. To ensure that you select a cloud vendor that has well-run, efficiently structured data centers, it’s important that you check the provider’s specific infrastructure processes and practices before finalizing your selection. Some key areas that you’ll want to learn about include:
Asset/patch management
Change management
Software development quality assurance (QA)
Application/program access
Asset/Patch Management
Does the cloud vendor have effective asset inventory and management policies and processes in place to ensure that vulnerabilities in all devices, applications and systems are patched effectively and rapidly? Asset management involves compliance issues, such as keeping a full – and accurate – record of inventory, while the right asset management data can help improve efficiency and control and lower costs. Knowing what you have and where it is located facilitates rapid corrections, patching, upgrades and replacements. Patch management is an integral part of maintaining a stable, secure computing environment. With the threat and magnitude of cyber-attacks growing on a daily basis it is vital to be able to “patch” system vulnerabilities as quickly as possible. Patches, however, take time to create, validate, test and install. The longer the time between the discovery of the vulnerability and the deployment of the patch, the greater the likelihood that a serious breach has taken place.
Change Management
Effective change management allows the seamless transition of people, services and applications from a current state to a desired future state. It ensures only authorized and required changes are made. With the cloud, changes may be necessary to fix a problem, install a patch or major upgrade, improve stability and availability or respond to a sudden emergency – in which a quick fix is literally required. To ensure that changes can be made promptly it is important that all provisioning activities follow an established and approved workflow. If the cloud vendor doesn’t employ effective change management mechanisms, this increases the odds that their service could go down. This can have significant negative impacts for a customer that’s dependent upon those services to get its work done. So be sure to investigate your potential cloud vendor’s existing change management policies and procedures, ensure that they align with best practices and meet your needs, and, if they do, codify them in the contract as minimum requirements.
Software Development Quality Assurance (SQA)
Software development quality assurance (SQA) is a means of monitoring the software engineering processes and methods used to ensure quality. The methods by which this is accomplished are many and varied, and may include ensuring conformance to one or more standards, such as ISO 9000, or a model such as CMMI. It encompasses the entire software development process, which includes processes such as requirements definition, software design, coding, source code control, code reviews, change management, configuration management, testing, release management and product integration. If the cloud vendor doesn’t employ effective best-practice SQA policies and procedures, this increases the likelihood that the code that their service is built upon could be flawed and cause their system to crash. If you adopt and become dependent upon access to this service, such an outage could negatively impact your ability to get your work done. To mitigate the likelihood of this occurring, investigate the cloud vendor’s existing SQA mechanisms to ensure that they align with best practices and meet your needs, and, if they do, require them in the contract as minimum requirements.
Application/Program Code Access
Does the cloud vendor have processes in place to effectively manage and limit access to its systems and prevent unauthorized access to the vendor’s applications, programs and/or source code? Without such controls in place, if the wrong person were to gain access to the cloud vendor’s core applications or source code, that could jeopardize your data and/or access to the service due to either inadvertent changes or malicious intent.
Third-Party Certifications
Once you’ve done your research and identified all of the infrastructure and security policies, practices, procedures and mechanisms that your cloud vendor claims to have in place, how do you independently verify these things? One way is via third-party certifications or audit standards. Currently there is no one formal standard for cloud certifications or audit standards, but some useful options include:
FIPS 200/SP 800-53
ISO 27001/27002
SSAE 16, SOC 2/3 (replaced SAS 70, Type II effective 6/15/11)
Each certification and audit will result in a report. You should ensure that the cloud vendor is required to provide you with a copy. You must carefully review those reports to ensure that all necessary infrastructure and security controls are in place, and that the scope of the evaluations fully addressed all relevant aspects of the service. To ensure an ongoing level of service, and that there are no material changes to the cloud vendor’s infrastructure and security, the cloud vendor should be required to recertify or re-audit at least annually, and after any reasonably suspected data security breach.
FIPS 200/NIST 800-53
The Federal Information Security Management Act (FISMA) is a law stating the measures to implement in order to secure United States federal property and information. FISMA assigned the National Institute of Standards and Technology (NIST) the responsibility of defining standards and security procedures to be respected by American governmental agencies and of reinforcing the information systems security level. These standards have been published in Federal Information Processing Standards 200 (FIPS 200), Minimum Security Requirements for Federal Information and Information Systems. This standard promotes the development, implementation and operation of more secure information systems within the federal government by establishing minimum levels of due diligence for information security and facilitating a more consistent, comparable and repeatable approach for selecting and specifying security controls for information systems that meet minimum security requirements. The security requirements defined in FIPS 200 cover 17 domains:
Access control
Awareness and training
Audit and accountability
Certification, accreditation and security assessments
Configuration management
Contingency planning
Identification and authentication
Incident response
Maintenance
Media protection
Physical and environmental protection
Planning
Personnel security
Risk assessment
System and services acquisition
System and communications protection
System and information integrity
FIPS 200 mandates the use of the security controls detailed in the NIST Special Publication (SP) 800-53 Recommended Security Controls for Federal Information Systems and Organizations document. SP 800-53 provides guidelines for selecting and specifying security controls for information systems to meet the requirements of FIPS 200. These guidelines apply to all components of information systems that process, store or transmit federal information. FIPS 200 and SP 800-53, in combination, help ensure that appropriate security requirements and security controls are applied to all federal information and information systems.
ISO 27001/27002
ISO/IEC 27001 and 27002 are developed and published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It is important to ensure that both are used in the certification process because 27001 is a security certification standard, and it is best used to evaluate efficacy against 27002’s defined security control framework. ISO/IEC 27001 specifies a number of firm requirements for establishing, implementing, maintaining and improving an Information Security Management System (ISMS), and lays out a suite of 133 information security controls that organizations are encouraged to adopt where appropriate within their ISMS. The controls are derived from and aligned with ISO/IEC 27002. ISO/IEC 27001 requires that management systematically examines the organization’s information security risks, taking account of the threats, vulnerabilities and impacts; designs and implements a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and adopts an overarching management process to ensure that the information security controls continue to meet the organization’s information security needs on an ongoing basis. Originally published in 2005, both ISO/IEC 27001 and ISO/IEC 27002 are currently being revised by ISO/IEC JTC1/SC27. The revised standards are expected to be published by 2012, if everything goes to plan.
SSAE 16, SOC 2 and SOC 3
SSAE 16 (Statements on Standards for Attestation Engagements No. 16) is the next generation of AICPA standards for reporting on controls at service organizations (including data centers) in the United States. SSAE 16 replaced SAS 70 effective 6/15/11 and goes beyond SAS 70 by requiring the auditor to obtain a written assertion from management regarding the design and operating effectiveness of the controls being reviewed. SSAE 16 also provides better alignment with the international audit standard ISAE 3402. SSAE 16 is intended to be used in concert with either Service Organization Control (SOC) 2, “Reports on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and Privacy,” or SOC 3, “Trust Services Report for Service Organizations.” SOC 2 and SOC 3 provide stringent audit requirements with a stronger set of controls and requirements specifically designed around data center service organizations. SOC 2 and SOC 3 provide a standard benchmark by which two data center audits can be compared against the same set of criteria. A SOC 2 Report provides a detailed description of the service auditor’s tests of controls and results of those tests, as well as the service auditor’s opinion on the description of the service organization’s system. A SOC 3 Report provides only the auditor’s report on whether the system achieved the trust services criteria, with no description of tests and results or opinion on the description of the system, but permits the service organization to use the SOC 3 seal on its Website. Statement on Auditing Standards (SAS) No. 70, Service Organizations, is a widely recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA) that was previously widely applied to cloud computing, even though it was not developed for that purpose. A service auditor’s examination performed in accordance with SAS No. 70 (also commonly referred to as a “SAS 70 Audit”) is widely recognized, because it represents that a service organization has been through an in-depth audit of its control objectives and control activities, which often include controls over information technology and related processes. In today’s global economy, service organizations or service providers must demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers. In addition, the requirements of Section 404 of the Sarbanes-Oxley Act of 2002 make SAS 70 audit reports even more important to the process of reporting on the effectiveness of internal control over financial reporting. The challenge with these AICPA audit reports is that the cloud vendor is the one that establishes which aspects of its business are to be audited, and the auditor solely checks these aspects and no others. So no judgment is rendered as to whether the cloud vendor’s controls are any good.
Customer Data Center Inspection Rights
Third-party certification may not always be sufficient by itself. In the ideal scenario, the cloud contract would include the customer’s rights to confirm and/or assess the cloud vendor’s infrastructure and security practices directly via an onsite inspection. To do so, the customer would need some in-house expertise in this area. The client should always inspect the vendor’s data center if practical. If the center is overseas and budgetary constraints prevent travel, commission a local expert to conduct the inspection on your behalf. There are a number of things you should check out when inspecting a data center. Make sure there is at least one source of backup power (more is better) and that the entire electrical system is fully duplicated. Ensure that the data center is carefully climate controlled and that temperature and humidity levels are acceptable. Check out the center’s security. Is access controlled, is there 24-hour security and video camera surveillance? If this facility is going to house your data you want to be certain that your data is going to be safe.
Must Do
Do your homework carefully – know your needs and research prospective vendors to ensure they have the skills, reliability and infrastructure to meet them.
Contracting for Cloud Services
164
An example contract clause: [Vendor] agrees to have an independent third party (e.g., Cap Gemini, Ernst & Young, Deloitte & Touche, or other industry-recognized firms) security audit performed at least once a year. The audit results and [Vendor]’s plan for addressing or resolving the audit results shall be shared with the Institution within XX (X) days of the [Vendor]’s receipt of the audit results. The audit should minimally check for buffer overflows, open ports, unnecessary services, lack of user input filtering, cross site scripting vulnerabilities, SQL injection vulnerabilities and any other well-known vulnerabilities (published on Bugtraq or a similar mailing list). Based on the results of these audits, certifications, scans and tests, Vendor will, within thirty (30) days of receipt of such results, promptly modify its security measures in order to meet its obligations under this Agreement, and provide Customer with written evidence of remediation.
Performance Reporting One of the deliverables the vendor must supply is accurate and regular performance reporting. This should include user and usage information, uptime and downtime and any incidents. You can negotiate with the vendor what other information you require. For instance, if you are handling highly sensitive data, you may need to know which users accessed it and any changes or attempted changes to access codes and permissions. The customer should retain the right to audit the underlying records from which the reports are drawn.
Disaster Recovery/Business Continuity (DR/BC) When negotiating with vendors you must be completely satisfied that there is an adequate DR/BC process in place. Don’t just take their word for it – ask to see it demonstrated, find out its capabilities and any inherent weaknesses. You must validate that the process meets your requirements. It doesn’t matter how fast the data recovery software is, if it can’t meet your particular business needs. Before signing the contract discuss with the vendor how long it would take to recover from a natural or man-made disaster and insert contract language to cover this. You need:
Minimum DR/BC Mechanisms
Ongoing Level of Uninterrupted Service
Include Regular Offline Backups
Regular Tests of DR/BC Processes
DR/BC for Third-Party Failures
A key is to address Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) as part of any disaster recovery SLA.
Step 5. Building and Finalizing A Contract
165
Minimum DR/BC Mechanisms You need to know what mechanisms are in place to protect your data and how long it would take to recover it – not a “guestimate” but a firm commitment that is monitored and managed. Any downtime has a significant impact on your organization’s ability to perform and communicate, so mechanisms must be in place to get you back in business as quickly as possible.

Ongoing Level of Uninterrupted Service In the event that a disaster should occur to the degree that it forces one of the cloud vendor’s data centers to go off-line, you want to know and contractually codify the vendor’s obligations regarding the availability of the service. Ideally your access would be uninterrupted as the service switches over to another data center outside the disaster zone, and the whole process would be invisible to you and your end users. But that may not always be the case, so it’s important to address issues such as: how quickly this switch needs to occur, the level of service and functionality provided by the backup site, and when the primary data center will be restored.

Include Regular Offline Backups An integral part of DR/BC is regular backups of data. No matter how reliable vendors claim their infrastructure is, you cannot rely on that. Backups are essential in order to protect your data. How often the data is backed up, and how it is backed up, is a matter of negotiation between you and the vendor. This should then be written into the contract and a backup report should be included as part of the vendor’s performance reporting.

Regular Tests of DR/BC Processes The cloud vendor should be required to conduct regular testing of its DR/BC processes, on at least an annual basis, to ensure that they are current, leverage latest best practices and remain in good working order. The cloud vendor should produce a report regarding the results of such tests. The cloud vendor should be required to provide a copy of these reports to the customer. The customer should thoroughly review each report.

DR/BC for Third-Party Failures It is not uncommon for a SaaS provider to run on a third-party IaaS provider. For this reason, it can also be important to identify and evaluate the processes that the cloud vendor has in place to ensure business continuity in the event that one of their third-party providers fails. Do they have a backup IaaS provider in place should their primary provider fail?

DR/BC Failure To prepare for such disasters or other disruptions in service, the contract should specify the cloud vendor’s obligations to continue provision of service, as well as those pertaining should any of the organization’s data become lost or damaged due to such a disaster, or other vendor errors or omissions. Issues to consider include:
Notification process
Failover processing
Problem correction
Reimbursement
Notification Process The cloud vendor should be required to provide the customer with notice of any disaster or other event that either disrupts the customer’s access to the service or results in the loss of, or damage to, the customer’s data. This notice should be provided within a pre-specified timeframe, and provide detailed information regarding what occurred.

Failover Processing Failover is the process of shifting input and output (I/O) processes from a primary location to a secondary DR location. This normally involves using a vendor’s tool or a third-party tool that can temporarily halt I/O and restart it from a remote location. This will suspend data copying and mirroring activity that may be going on from the primary location to the secondary location. This will then bring applications and I/O up from that remote location. During activity at the remote site, changes are usually tracked so that the original location can be re-synchronized and restored to service by replicating only the data changed between the start and end of the DR event back to the primary location when it comes back up. Failback is the process of re-synchronizing that data back to the primary location, halting I/O and application activity once again and cutting back over to the original location. Be sure to identify the timeframe within which the cloud vendor must switch you back to the primary data center or equivalent.

Problem Correction If the right backup programs are in place, the Vendor should be able to recover the data and you should be up and running again without too much downtime. The vendor should then produce a report detailing what happened, what steps were taken to correct the issue and what other processes will be implemented to ensure the problem does not arise again.

Reimbursement Unless it is written into the contract, it is unlikely you will get any reimbursement from the vendor. For this reason, it’s important to think through what expenses you may incur as the result of such an outage and, ideally, contractually codify the vendor’s obligation to reimburse you for any such expenses should they occur. The vendor may be no more willing to assume the risk of covering the costs than you are, so it may be necessary to strike a balance. Some insurance companies have begun offering solutions to help distribute such risks (see the following).
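As an added example (not code from the book or from any cloud vendor), the following Python script turns the RTO/RPO and backup-reporting commitments described above into a check you can run over the vendor’s own backup and incident records, which the contract should give you the right to audit. The record format (one event per line, `<ISO-8601 UTC timestamp> <event>`), the event names, the sample report and the contract targets are assumptions constructed for this example; adapt `parse_report()` to the vendor’s real export.

```python
# Added example (not from the book or any vendor): audit a cloud vendor's
# backup/restore report against the RTO, RPO and backup-cadence commitments in
# the DR/BC SLA. The line format "<ISO-8601 UTC timestamp> <event>" is an
# assumption made for this example; adapt parse_report() to the real export.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample report; the timestamps and events are made up.
SAMPLE_REPORT = """\
2011-03-01T00:05:00Z backup_complete
2011-03-02T00:04:00Z backup_complete
2011-03-03T00:07:00Z backup_complete
2011-03-03T14:20:00Z incident_start
2011-03-03T18:50:00Z service_restored
"""


@dataclass
class Event:
    when: datetime
    kind: str


def parse_report(text: str) -> List[Event]:
    """Parse one event per line; reject malformed lines rather than guessing."""
    events = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<timestamp> <event>', got {raw!r}")
        when = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(when, parts[1]))
    return sorted(events, key=lambda e: e.when)


@dataclass
class SlaResult:
    achieved_rpo: Optional[timedelta]  # incident start minus last completed backup
    achieved_rto: Optional[timedelta]  # service restored minus incident start
    rpo_met: bool
    rto_met: bool
    findings: List[str] = field(default_factory=list)


def check_sla(events: List[Event], rpo_target: timedelta, rto_target: timedelta,
              backup_interval: timedelta) -> SlaResult:
    findings: List[str] = []
    backups = [e.when for e in events if e.kind == "backup_complete"]

    # Backup cadence: every gap wider than the contracted interval is a finding,
    # even by minutes, because the contract says "at least every N hours".
    for earlier, later in zip(backups, backups[1:]):
        if later - earlier > backup_interval:
            findings.append(f"backup gap of {later - earlier} ending {later:%Y-%m-%d %H:%M}Z")

    incident = next((e.when for e in events if e.kind == "incident_start"), None)
    if incident is None:
        return SlaResult(None, None, True, True, findings)

    # RPO: the data-loss window, measured from the last backup before the incident.
    prior = [b for b in backups if b <= incident]
    achieved_rpo = incident - prior[-1] if prior else None
    rpo_met = achieved_rpo is not None and achieved_rpo <= rpo_target
    if not rpo_met:
        shown = achieved_rpo if achieved_rpo is not None else "no backup before incident"
        findings.append(f"RPO missed: {shown} (target {rpo_target})")

    # RTO: outage length, from incident start to the vendor's restored event.
    restored = next((e.when for e in events
                     if e.kind == "service_restored" and e.when >= incident), None)
    achieved_rto = restored - incident if restored is not None else None
    rto_met = achieved_rto is not None and achieved_rto <= rto_target
    if not rto_met:
        shown = achieved_rto if achieved_rto is not None else "no service_restored event"
        findings.append(f"RTO missed: {shown} (target {rto_target})")

    return SlaResult(achieved_rpo, achieved_rto, rpo_met, rto_met, findings)


def audit_sample() -> SlaResult:
    """Run the check on the constructed report with assumed contract targets."""
    return check_sla(parse_report(SAMPLE_REPORT),
                     rpo_target=timedelta(hours=24),
                     rto_target=timedelta(hours=4),
                     backup_interval=timedelta(hours=24))


if __name__ == "__main__":
    result = audit_sample()
    print(f"RPO achieved {result.achieved_rpo}, met={result.rpo_met}")
    print(f"RTO achieved {result.achieved_rto}, met={result.rto_met}")
    for finding in result.findings:
        print("FINDING:", finding)
```

On the constructed report the script flags a backup gap three minutes over the assumed 24-hour interval and a 4 h 30 min recovery against a 4-hour RTO, while the 14 h 13 min RPO is within the 24-hour target. Those are the kinds of discrepancies to raise against the vendor’s performance report and, where the contract provides for it, the reimbursement clause; a report that cannot be parsed is itself a finding, which is why the parser refuses malformed lines instead of skipping them.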
An example contract clause: All facilities used to store and process Customer Data will implement and maintain administrative, physical, technical, and procedural safeguards and best practices at a level sufficient to secure such Data from unauthorized access, destruction, use, modification or disclosure. Vendor shall maintain the administrative, physical, technical and procedural infrastructure associated with the provision of the Services at all times during the term of this Agreement in a manner that is at a level equal to or more stringent than those specified in Exhibit XXX, which is incorporated herein by reference. Vendor shall at all times use industry standard and up-to-date security tools, technologies and procedures including, but not limited to [List specifically required security mechanisms here] in providing Services under this Agreement. Prior to execution of this Agreement, at least once per year thereafter, and immediately after any actual or reasonably suspected Data Compromise, Vendor will at its expense conduct or have conducted the following: [SAS70/SOC audit, FIPS or ISO certification, vulnerability scan, penetration test, etc.] Vendor will provide the results of the above audits, certifications, scans and tests within seven (7) business days of Vendor’s receipt of such results.
Data Protection, Access, Location

Ownership of Data Since the customer’s data will reside on a cloud vendor’s infrastructure, there’s the risk that your ownership rights to that data could become diluted or usurped. For this reason, it is important to contractually codify that data ownership is retained by the customer even though it may be residing on the vendor’s servers. The good news is that more vendors are including this in standard contracts. It hasn’t always been this way, so improvements in this area are an indication that vendors are willing to listen to customers’ needs as the cloud continues to evolve. It may also be necessary to take this a step further and ensure that the contract also affirms the customer’s ownership of the results of any processing of the customer’s data that occurs on the cloud vendor’s system. The cloud vendor’s rights to use your data should be limited only to purposes necessary to provide the service to you. This includes restricting any provider data mining.

An example contract clause: “The parties agree that as between them, all rights, including all Intellectual Property Rights, in and to Customer Data shall remain the exclusive property of Customer, and Vendor has a limited, nonexclusive license to access and use these Data as provided in this Agreement solely for the purpose of performing its obligations hereunder.
All Customer Data created and/or processed by the Services is and shall remain the property of Customer and shall in no way become attached to the Services, nor shall Supplier have any rights in or to the Data of Customer.”

Data Access/Disposition
To avoid vendor lock-in, plan in advance how you will switch to a different solution.
Once you’ve moved your data and systems to a particular cloud vendor, you become more dependent upon them. For this reason, it’s important to consider how you’ll ensure that you don’t become locked in to their service, without the ability to move to a different service or move the process back in-house. If you don’t have that ability, the cloud vendor gains increased leverage over you in negotiating pricing and other key terms of service. One related issue to consider is how you will get your data back, either mid-term or once you’ve terminated your agreement with the cloud vendor. Specific points to consider include:
Process - the detailed, step-by-step process by which you can retrieve your data.
Timeframe – what is the specific timeline for retrieving your data (i.e., how long does it take for you to get your data back). In thinking through the timeframe, it’s important to consider both planned needs and emergency situations.
Format – it’s important to specify the format in which your data is to be returned. Data provided in a proprietary or otherwise inaccessible format would be of little or no use when moving to an alternative solution.
Destruction – if the vendor is contracted to destroy the data, how this will be done, and your rights to audit that this has been done securely and according to the terms of the contract.
An example contract clause: “Upon request by Customer made before or within sixty (60) days after the effective date of termination, [Vendor] will make available to Customer for a complete and secure (i.e., encrypted and appropriately authenticated) download file of Customer Data in XML format including all schema and transformation definitions and/or delimited text files with documented, detailed schema definitions along with attachments in their native format. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.”
E-Discovery
A data owner who becomes the subject of a lawsuit is obligated to preserve any relevant data, and to collect and produce it for legal discovery in a timely manner. This becomes more difficult when your data is in the cloud, because you do not have direct control, but you are still responsible. Failure to produce in a timely manner can result in significant fines. It can be important to mitigate this risk by contractually requiring the cloud vendor to have processes and mechanisms to retrieve and provide your data, and for meeting deadlines for producing data within a specified timeframe.

Data Breaches There’s always the risk that your data stored on the cloud vendor’s infrastructure could be inappropriately or maliciously accessed. Questions raised by such a data breach include who (you or the provider) will be responsible for which follow-up actions and for the resulting expenses. The average total cost of a data breach has been estimated at about $204 per individual – and could be very much higher. You shouldn’t be bearing this cost if you have met your obligations. The contract should unequivocally state that the cloud vendor will not share your data with anybody else, as well as the cloud vendor’s specific responsibilities in the event that your organization’s data is accessed inappropriately through no fault of yours. The repercussions of such a data breach will vary depending upon the type of data, so it’s important that you know in advance what type of data you’ll be storing in the cloud. This knowledge will inform your decisions about the importance of this clause. For example, HIPAA or PCI data will have different issues from non-sensitive data.

Classifying Data It can help to review the type of data that you will put into the cloud and classify it along these lines:
High = Breach notification data (SSN, health, etc.); other highly sensitive data
Medium = Other personal, but not highly sensitive data
Low = Unidentifiable or largely public data
In the event of a data breach you need to address:
Notification - Timeframe
Notification - Details
Corrective Action
Indemnification
Notification - Timeframe You need to know as quickly as possible – for both legal and operational reasons – when a breach has occurred. Contractually obligate the cloud vendor to notify you within a specified timeframe.
Notification - Details The notification from the vendor should include as many details as possible about the level of intrusion, the circumstances surrounding the breach, the type of data accessed, who caused the breach, when the breach occurred and other details. Negotiate in the contract the specific details the vendor must provide.

Corrective Action In the event of a data breach, the contract should include language detailing the vendor’s obligations to promptly remedy the situation causing the breach, including:
Conduct a thorough investigation of the circumstances surrounding the breach to determine how the breach occurred, who perpetrated the breach, and what data was inappropriately accessed;
Take action to ensure that the hacker’s access to the data is shut off;
Apply best practices forensics to identify how the breach occurred; and
Initiate thorough corrective actions to ensure that such a breach does not recur.
Indemnification Due to the high financial and reputational costs resulting from a breach, it is important to codify in the contract the cloud vendor’s responsibilities to indemnify you should such a breach occur. If vendors are confident in their own security arrangements they are more likely to agree to this. If they refuse to do so, there could be a problem with their security which should be investigated and, if necessary, a move made to another vendor.

An example contract clause: “Vendor shall report any confirmed or suspected Breach to Client immediately upon discovery, both orally and in writing, but in no event more than two (2) business days after Vendor reasonably believes a Breach has or may have occurred. Vendor’s report shall identify: (i) the nature of the unauthorized access, use or disclosure, (ii) the Protected Information accessed, used or disclosed, (iii) the person(s) who accessed, used and disclosed and/or received Protected Information (if known), (iv) what Vendor has done or will do to mitigate any deleterious effect of the unauthorized access, use or disclosure, and (v) what corrective action Vendor has taken or will take to prevent future unauthorized access, use or disclosure. Vendor shall provide information in a written report. The report should contain as much information as reasonably requested by Client.”
Cyber-Risk Insurance (CRI) Cyber-risk Insurance is a newer development. Cyber-risk Insurance is an “errors and omissions” policy that covers various types of Internet-based risks, including cloud-based risks. Both the customer and the vendor can benefit from cyber-risk insurance, as it more evenly apportions the risk so that it’s not all on one party.
What Does CRI Cover? CRI can be structured to cover costs associated with the following:
Security and Privacy Liability
Computer Security
Data and Information
Business Interruption
Cyber-Extortion
Crisis Management
Cyber Forensics
What Does CRI Not Cover? CRI typically doesn’t cover intangible costs, such as:
Service Migration
Loss of a Potential Business Gain
Employee Productivity Loss
What Does CRI Cost? Typically a $10M comprehensive CRI policy with several modules will cost somewhere between $100K and $350K. Who Offers CRI? Some representative examples include:
The Hartford’s CyberChoice 2.0
Chartis’ (formerly AIG) netAdvantage
Beazley’s technology, media and business services
ACE USA’s Privacy Protection and DigiTech errors and omissions policies
Marsh E-commerce E-business
An Additional Benefit of CRI An insurance company’s willingness to insure can serve as a form of third-party validation of the cloud vendor’s infrastructure and security practices, because the insurer is unlikely to insure a cloud vendor who represents a high risk of loss. Treat it as a signal that supplements, rather than replaces, the audit reports and inspection rights discussed earlier.
Location of Data With a cloud computing solution, your data may be in, or processed by, data centers in multiple locations around the world. Some important issues to consider in relation to this include:
Different Laws Pertaining to Data
Data at Rest and in Transit
Which Law Applies to My Data?
Physical Location vs. Contractual Jurisdiction
Identify Data Center Location(s)
Encryption of the data (covered earlier in this book)
From 2009 City of L.A. Google Agreement: 1.7 Data Transfer. Google agrees to store and process Customer’s email and Google Message Discovery (GMD) data only in the continental United States.
Different Laws Pertaining to Data A variety of legal issues can arise when an organization’s data resides in a cloud vendor’s data center in another country. Different countries and, in some cases, even different subdivisions (such as states, provinces, counties) have different laws pertaining to data.
Data at Rest and in Transit “Data at Rest” is data recorded on storage media, such as when your data is solely residing within the cloud vendor’s data center. As soon as that data is accessed and transferred between two points in a network it becomes “Data in Transit.” Your data may transit through other countries on its way between your location and the cloud vendor’s data centers, and potentially between different cloud vendor data centers. For this reason, it’s important to consider the question of how the laws of those countries may apply to your data as it passes over their borders. Data at Rest is protected when access to the storage is controlled and the data on the media is encrypted. Data in Transit is protected when the two endpoints authenticate each other and the channel between them is encrypted end to end (for example with TLS), so that intermediate networks in the countries it crosses cannot read or alter it.
Which Law Applies to My Data? One of the key questions with cloud computing is which law applies to my organization’s data, the law where I’m located, or the law where my data’s located? This is one of those areas of cloud computing where the technology has advanced more quickly than the laws’ ability to effectively address it. Consensus on this issue has not yet been effectively achieved. If you are a U.S. agency with representatives in European countries and you use the cloud to communicate between all employees as well as transfer data, you may be governed by both U.S. and E.U. laws. If your vendor is using servers overseas to hold your data, you may be governed by any laws that the host country has in addition to your obligations under U.S. law. For example, if you have data coming under the Patriot Act
and that data is stored outside of the United States, the laws of the storing country may preclude access to data by anyone other than the government in the country of storage. You now have conflicting laws that can preclude compliance. For more information see the section on laws governing data and privacy later in this section.
Physical Location vs. Contract Jurisdiction In commercial agreements the contract will specify the governing law by which any legal disputes will be settled and the place (jurisdiction) where the dispute will be decided (example: The laws of the State of Florida govern this agreement. Any legal action must be brought before courts in the county of Pasco, Florida). The physical location is the actual location of the vendor’s infrastructure and as previously discussed this could be in several different locations or countries. The applicable laws governing your data can be influenced by where your data is stored, where you as an organization operate, the location of the cloud vendor’s headquarters, and the location of any data subjects. If your data is stored on several servers in several countries, you may have to address the data and privacy laws of all those countries since it is possible for actions to be brought in those countries for violations of their laws despite the contract jurisdiction. Jurisdiction differs in Federal Government contracts. The below description of the dispute process highlights the Contracting Officer’s role, the Board of Contract Appeals and the US Court of Federal Claims.

The Federal Government Contract Disputes Process The Contract Disputes Act of 1978 (CDA), 41 U.S.C. §§ 601, et seq., governs all disputes arising under or relating to a government contract. As a waiver of sovereign immunity, courts and administrative boards of contract appeals construe the CDA narrowly. Accordingly, a contractor that has a dispute with the Government must be careful to follow the CDA’s mandated procedures, or it risks waiving or otherwise losing its right to proceed against the agency. Administratively, the FAR implements the CDA through the standard “Disputes” clause, which defines the rights and duties of a contractor in dispute with the Government. Notably, a contractor must continue performance pending resolution of a dispute with the Government.

A. Presentation of a “Claim” A contractor initiates the disputes process by presenting a “claim” to the CO. The “Disputes” clause defines a claim as “a written demand or written assertion by one of the contracting parties seeking, as a matter of right, the payment of money in a sum certain, the adjustment or interpretation of contract terms, or other relief arising under or relating to [the] contract.” FAR 52.233-1 (c). According to the clause’s definition, a claim must (1) be in writing; (2) request a “sum certain”; and (3) demand a final decision. A significant, and relatively confusing, body of case law has attempted to define these elements.
If the claim is over $100,000, it must also be certified by the contractor. FAR 52.233-1(d)(2). The contractor must attest that (a) the claim is made in good faith, (b) the supporting data are accurate and complete to the best of his or her knowledge and belief, (c) the amount requested accurately reflects the contract adjustment for which the contractor believes the government is liable, and (d) the individual certifying is duly authorized to do so on behalf of the contractor.

B. Contracting Officer’s Decision If the contractor and Government are unable to negotiate a resolution to the dispute, the CO must issue a “final decision.” This is a written articulation of the agency’s position with respect to the claim. A contractor may not commence litigation until the CO issues such a decision. However, if, after the passage of time, the CO fails to provide the contractor a final decision, the contractor may attempt to appeal the CO’s so-called “deemed denial” of the claim to an administrative board of contract appeals or the U.S. Court of Federal Claims (COFC).

C. Appeal to a Board of Contract Appeals There are eleven agency boards of contract appeals (BCAs). The largest of these BCAs is the Armed Services Board of Contract Appeals (ASBCA), located in Falls Church, Virginia. About thirty full-time judges hear administrative disputes at the ASBCA. A contractor initiates an appeal to the appropriate BCA by filing a “Notice of Appeal”. The Notice must be filed with the BCA within ninety days of receipt of the CO’s final decision. Failure to file the notice within this time defeats the board’s jurisdiction to hear the case. The Notice of Appeal is usually a simple letter stating that the contractor is appealing the CO’s final decision. The date of the final decision and the contract number should be included in the notice. The recorder (i.e., the clerk) of the applicable BCA will then inform the Government and the contractor that the case has been “docketed”. Under the standard BCA rules, the contractor (now, “appellant”) must file a complaint within thirty days of the docketing notice. The Government then has thirty days to file its answer. Agency counsel typically represent the Government before the various BCAs. Litigation at the BCAs is somewhat less formal than in most courts. Although the BCA’s administrative judge generally follows the Federal Rules of Civil Procedure and the Federal Rules of Evidence in making procedural and evidentiary decisions, the judge need not abide by those Rules. Discovery is available in much the same fashion as before federal district courts or the COFC. BCA judges will travel to accommodate the interests of the parties. In other words, if the circumstances of the case make it more reasonable to hold hearings away from the BCA’s offices in the Washington, D.C. metropolitan area, the parties can request the judge to hold the hearings at a different locale. After the complaint and answer have been filed, and the discovery has occurred, a hearing will be held. Thereafter, post-hearing briefs are filed. Decisions of the BCA are rendered by a three-judge panel (although usually only one judge will preside at the hearing). The BCA’s decision may be appealed to the U.S. Court of Appeals for the Federal Circuit.
D. Appeal to the U.S. Court of Federal Claims A contractor initiates a proceeding at the COFC by filing a complaint within one year after the contractor receives the CO’s final decision. Failure to file the complaint within this twelve-month period will result in dismissal, since this failure defeats the COFC’s jurisdiction to hear the case. The Government has sixty days in which to file an answer to the contractor’s complaint. The agency will be represented by an attorney from the Civil Division of the U.S. Department of Justice. Thereafter, discovery may be conducted by both parties. The COFC, like the BCAs, will also hold a trial away from its courthouse. Unlike the BCAs, the COFC has promulgated procedural rules patterned after the Federal Rules of Civil Procedure. Parties before the COFC will generally encounter a more formal and judicialized procedure than would be found before a BCA. A decision of the COFC is rendered by a single judge. That judge’s decision may be appealed to the U.S. Court of Appeals for the Federal Circuit.
Identify Data Center Location(s) For the reasons already given, it is important to identify where your data is stored so that you can understand all relevant laws that could potentially apply, including the laws of the U.S., a state, the European Union, and other countries and political subdivisions of the foregoing.
Legal Requests for Access to Data For systems you run in-house, should any of your data become the subject of a subpoena or other legal or governmental request for access, you have more direct control in managing the release of that data. A data owner has less control when their data is in the cloud. The party requesting access can do so directly from the cloud vendor. Should your data in the cloud become subject to such a request for access, your data could be released without your knowledge. To mitigate the risks associated with this decreased control, it is important for you to understand your cloud vendor’s policies regarding such legal requests, and to contractually specify the cloud vendor’s obligations to your organization should any of your data become the subject of a subpoena, or other legal or governmental request for access. Points to consider:
Notification of Requests – The cloud vendor should be responsible for notifying you as soon as they receive any such request, before they provide access to any of your organization’s data.
Cooperation in Managing Release – The cloud vendor should be responsible for cooperating with your efforts to appropriately manage the release of such data.
Codify Policy in Contract – If the cloud vendor already has a policy in place, and that policy aligns with your needs, it should be codified in the contract.
An example contract clause: “Where a Receiving Party is required to disclose the Confidential Information of the Disclosing Party pursuant to the order of a court or administrative body of competent jurisdiction or a government agency, the Receiving Party shall: (i) if practicable and permitted by law, notify the Disclosing Party prior to such disclosure, and as soon as possible after receipt of such order; (ii) cooperate with the Disclosing Party (at the Disclosing Party’s costs and expense) in the event that the Disclosing Party elects to legally contest, request confidential treatment, or otherwise attempt to avoid or limit such disclosure; and (iii) limit disclosure to the extent legally permissible.”
Data Protection, Access, Location – Questions
1. Does the cloud vendor have a secure environment that meets at least the confidentiality and integrity standards of the Moderate FIPS-199 level for storing records containing PII? The cloud vendor must secure data pursuant to NIST 800-53 R3 requirements.
2. Does the cloud vendor have the ability to alter Terms of Service or contracts without the express written consent of the customer agency?
3. Will the data remain under the sole ownership of the federal government at all times? How will backup information be returned to the federal government in the event the contract is ended or the cloud vendor files for bankruptcy?
4. Is there a documented process to address the removal or control of PII upon the termination of the contract between the agency and the cloud vendor? Explain.
5. Can the cloud vendor utilize any data stored on their systems for any purpose outside agency use? Explain.
6. Does the contract contain language to restrict the sharing of privacy data with any entity not explicitly authorized in the contract? Give details.
7. Are there controls in place to prevent the misuse of data by those having access? Give details.
8. Does the cloud vendor allow for access to data as permitted under current federal law to both authorized federal agencies and individuals wishing to verify their own PII? Provide an example.
9. While the data is with the cloud vendor, what are the requirements for determining whether the data is sufficiently accurate, relevant, timely and complete to ensure fairness in making determinations?
10. Describe what privacy training is provided and who is responsible for protecting the privacy rights of the users of the cloud.
11. How does the cloud vendor facilitate response to FOIA requests?
12. Is there a documented process to report and handle breaches? Show the process.
13. Will the cloud vendor report within two hours any privacy and/or security breaches to the agency and FedRAMP, regardless of whether the breach was intentional or inadvertent? Explain the process.
14. What are the specific redress actions that the agency can take against the cloud vendor in the event of a breach?
Fees/Payments
Remember: You have more negotiation leverage before signing a commitment and/or paying for products and services than after the event. And the cost of change to a different solution may be significant. So it’s important to contractually codify in advance all terms associated with your rights to continue using the service, including the costs.
Pricing is often a matter of negotiation. Whatever is decided must be included in the contract. Pricing depends on the level of service, number of users and so on. For SaaS you can negotiate a subscription rate or a per-usage rate. For IaaS you will pay for the infrastructure, services and other facilities provided. The contract must state what pricing arrangement you have agreed to and what, if any, events trigger payment and what events permit price changes (increases in particular). Points to consider:
Cost to Continue Using
Volume Commitment
Expanded/Reduced Usage
Costs to Continue Using
Vendors typically attempt to get an organization to focus on the initial buy-in costs with a minimum volume commitment, then apply “list price” to continue using the service after the initial purchase period and volume. Suddenly what seemed like a cost-saving measure of moving to the cloud could result in an unexpected increase in costs. For this reason, it is essential that you contractually codify in advance your costs to renew the services, and potentially to expand your volume of usage. Endeavor to include Renewal Price Caps as the lesser of:
Consumer Price Index (CPI) – There is more than one, so it is important to specify which applies.
A set percentage (3%, 5%, etc.)
What others pay, including their most favored customer
The cloud vendor’s list price
Whichever you decide to adopt, negotiate to have the negotiated pricing apply for as long a period going forward as possible.
Volume Commitment
Vendors will frequently press for usage volume commitments. Minimum commitments – either annually or over the life of the contract – may appear attractive and be a good deal if your usage is very high and is likely to stay that way. However, there is no obligation on you to sign such a commitment, and there are several reasons why you should not. Endeavor to ensure that you don’t buy more than you need, and don’t pay for any services earlier than you will need them. Additionally, many agencies have discovered that they need more than one cloud vendor to obtain all the particular services they require. If you are locked in to a minimum commitment with one provider, it may prevent you from seeking additional services elsewhere, or if you do add another provider, you may incur penalties from the first for failing to meet your commitment. One solution is to negotiate a tiered discount structure – the vendor getting a higher rate when usage is lower but the customer benefiting when usage increases.
Expanded/Reduced Usage
The contract must have provisions for increasing or reducing usage, which is another reason not to get locked into a volume commitment. With budget cuts and agency downsizing, it is not possible to know now whether workloads and usage will increase or whether, as services are cut, usage will decrease. As with renewal pricing, it is important to pre-negotiate your costs to expand usage prior to signing, when your negotiation leverage is strongest. The cost to expand should be equal to or less than the initial purchase price per unit. Pricing should not increase if your volume subsequently decreases. One of the much-touted benefits of cloud computing is scalability – “only use what you need” – so endeavor to ensure that the contract doesn’t tie you to a minimum purchase volume or multi-year commitments.
Termination
The cost of changing to a new vendor may be significant, so it is important to specify in advance the terms under which your use of the service can be terminated or changed. If not appropriately reviewed and negotiated in advance, the cloud vendor could have the right to terminate your access to their service with insufficient notice for you to be able to effectively switch to an alternative solution. The risk here is that you won’t be able to switch in time, or do so in an effective and well-planned manner. To mitigate this risk, contractually restrict the terms under which the vendor can discontinue your service. Key points to consider include:
How much notice will you need? – Determine how far in advance you’d need a vendor to notify you of termination relative to your usage of the service, and how long it would take you to switch to an alternative. Ideally at least six months’ notice should be required.
Codify in the contract – The timeframe identified in the previous bullet should be codified in the contract as the required minimum advance termination notice that the vendor must provide.
Restrict termination to triggering events – Such as your company’s actions that pose a significant threat to the security or integrity of the vendor’s infrastructure.
Include customer opportunity to cure or correct prior to termination – The cure period should be at least 30 days (if not cured within 30 days from receipt of notice, the contract can be terminated).
Exclude legitimate payment disputes – Any payments subject to a legitimate dispute should not be cause for the vendor to terminate service.
Maintain your right to terminate for cause – Both for repeated SLA violations and for single incidents of a scope that would reasonably cause you to doubt the vendor’s continued ability to deliver successfully on the contract.
Functionality
The constantly evolving nature of cloud computing means that a vendor could update their underlying infrastructure at any time. For this reason, it’s important to state not just the name of the products that you’re acquiring, but the functionality that those products provide, in order to mitigate the risk of product re-branding potentially resulting in lost functionality. Without such clauses, a vendor could effectively force you to shift to a replacement service at a potentially higher cost than under your original contract. Key points to consider include:
Functionality Can Be Added Or Deleted
Include Description of Functionality
Advance Notification of Deletion/Change
Notification Period = Time To Switch
Mergers and Acquisitions
Cloud computing is still an evolving market space made up of both new and well-established companies. The weaker among the newer companies might not have long-term viability potential, while the stronger ones might ultimately become targets for acquisition. In either case, your data and ongoing access to the service could be put at risk. None of us can predict the future, so consider the following to help mitigate this risk:
As noted previously, be sure to do your due diligence regarding vendor viability.
Contractually state that the terms are binding on successors and assigns,
And that neither party may assign, delegate or otherwise transfer its obligations or rights under the agreement to a third party without the prior written consent of the other party.
Cloud Escrow
SaaS escrow services from vendors, such as Iron Mountain and NCC Group, have begun to address the concern that a cloud computing vendor may go out of business or fail to support the services. It may be prudent to consider negotiating to include escrow language in your contract.
Points to consider:
Deposit of source code and documentation
Verification of deposits
Demonstrated conversion of source to operational binary code
Updates deposited regularly
Trigger events (bankruptcy, violation of contract including support)
Quick or demand release (get code immediately when trigger event occurs)
Have your own escrow template
Use of non-traditional escrow processes (such as under seal to a law firm).
Supplier Outsourcing
It’s not uncommon for one cloud vendor to use the services of a different cloud computing company to provide their service to you. For example, a SaaS vendor, such as Dropbox, could be running their service in the data center of a third-party IaaS vendor, such as Amazon. This can increase the complexity of a cloud computing contract, especially in determining which vendor is responsible for which action. To mitigate this risk, the contract should obligate the vendor you’re doing business with to identify any functionality that they’ve outsourced, and to whom. No matter who your cloud vendor outsources to, your vendor should remain directly responsible for all aspects of complying with the terms of their contract with you.
Warranties
The challenge with warranties tends to be that there aren’t many, if any, in a cloud vendor’s standard contract. In fact, there tends to be substantial vendor language dedicated to disclaiming any warranties. Review your needs, and negotiate to include any pertinent warranties in your contract. Examples of warranties to consider negotiating into your contract are listed next. The importance and priority of each will vary depending upon the specific business needs in each case.
Services Warranty
Compliance with Laws Warranty
Intellectual Property Warranty
Disabling Code Warranty
Warranty of Authority
Third-Party Warranties and Indemnities
Date/Time Change Warranty
Most-Favored Customer Warranty
Performance and/or Compliance with Specifications or Requirements Warranty
Legal Compliance
The cloud vendor may have specific obligations that come into play relative to their compliance with various laws and regulations. As noted in the Warranties section, it is important for the vendor to be contractually obligated to comply with pertinent laws. Current examples of pertinent laws include, without limitation, the following:
Gramm-Leach-Bliley
The Gramm-Leach-Bliley Act (GLB), also known as the Financial Services Modernization Act of 1999, was enacted November 12, 1999, and repealed part of the Glass-Steagall Act of 1933, which prohibited any one institution from acting as any combination of an investment bank, a commercial bank and an insurance company. GLB requires financial organizations to enter into contracts with the third parties that they share their customer information with (including cloud vendors) to ensure that the third party handles that information securely. Executives of those financial organizations can be held personally liable for failure to do so.
The Gramm-Leach-Bliley Act allowed commercial banks, investment banks, securities firms and insurance companies to consolidate. For example, Citicorp (a commercial bank holding company) merged with Travelers Group (an insurance company) in 1998 to form the conglomerate Citigroup, a corporation combining banking, securities and insurance services under a house of brands that included Citibank, Smith Barney, Primerica and Travelers. The law was passed to legalize these mergers on a permanent basis.
GLB also repealed Glass-Steagall’s conflict of interest prohibitions “against simultaneous service by any officer, director, or employee of a securities firm as an officer, director or employee of any member bank.”
Sarbanes-Oxley
The Sarbanes-Oxley Act of 2002 (SOX), also known as the Public Company Accounting Reform and Investor Protection Act (in the Senate) and the Corporate and Auditing Accountability and Responsibility Act (in the House), was enacted on July 30, 2002. SOX includes a security standard that defines specific mandates and requirements for financial reporting, and is designed to protect shareholders and the public from accounting errors and fraudulent practices. Administered by the SEC, SOX dictates what records are to be stored and for how long (all business records, including emails and other electronic records, are to be saved for no less than five years), and requires the data owner to know the location of data in the cloud and maintain control of it. Failure to comply can result in fines and/or imprisonment. These records and storage requirements can come into play when data is in the cloud.
SOX set new or enhanced standards for all U.S. public company boards, management and public accounting firms, and was enacted as a reaction to a number of major corporate and accounting scandals, including those affecting Enron, Tyco International and WorldCom. It does not apply to privately held companies. The act contains 11 titles, or sections, ranging from additional corporate board responsibilities to criminal penalties, and requires the Securities and Exchange Commission (SEC) to implement rulings on requirements to comply with the new law. It created a new, quasi-public agency, the Public Company Accounting Oversight Board, or PCAOB, charged with overseeing, regulating, inspecting and disciplining accounting firms in their roles as auditors of public companies. The act also covers issues such as auditor independence, corporate governance, internal control assessment and enhanced financial disclosure.
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA), signed by President Bill Clinton in 1996, seeks to standardize the handling, security and confidentiality of health-care-related data. It mandates standard practices for patient health, administrative and financial data to ensure security, confidentiality and data integrity for patient information. HIPAA treats the use of a cloud service as disclosing information to a third party, so it requires that the cloud vendor enter into a Business Associates Agreement (BAA) with the client. Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans and employers. The Administrative Simplification provisions also address the security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the nation’s health care system by encouraging the widespread use of electronic data interchange in the U.S. health care system.
PCI Data Security Standards
These standards were introduced by the PCI Security Standards Council to give the payment card industry increased controls around data, and to ensure it is not exposed. They are also designed to ensure that consumers are not exposed to potential financial or identity fraud and theft when using a credit card.
The keystone is the PCI Data Security Standard (PCI DSS), which provides an actionable framework for developing a robust payment card data security process – including prevention, detection and appropriate reaction to security incidents. PCI DSS applies to all organizations that hold, process or exchange credit card or credit card holder information. It is important to confirm a cloud vendor’s level of compliance, as some meet PCI standards for clients that do not store cardholder data, but cannot meet the standards for customers that directly process credit cards. Some cloud vendors have obtained PCI certifications where the audit specifically excludes certain clauses of PCI DSS – most importantly, the clause that does not permit multi-tenancy of servers. Tools to assist organizations in validating their PCI DSS compliance include Self-Assessment Questionnaires. To help software vendors and others develop secure payment applications, the Council maintains the Payment Application Data Security Standard (PA-DSS) and a list of Validated Payment Applications. For more information, go to www.pcisecuritystandards.org/security_standards/.
The government controls the export and re-export of hardware, software and technical data, whether exported physically or via Internet, email or overseas access to host computers and other electronic means of transferring data or software. The Department of Commerce and the Department of State both have export control regulations which must be taken fully into account. The U.S. Export Administration Act of 1979 is the principal legislation in this area.
U.S. Export Administration Act of 1979
The Export Administration Act of 1979, as amended, authorizes the Department of Commerce, in consultation with other appropriate agencies, to regulate the export or re-export of U.S.-origin dual-use goods, software and technology. The Department of Commerce implements this authority through the Export Administration Regulations (EAR). In addition to export controls agreed in the multilateral regimes, the Department of Commerce also imposes certain export and re-export controls for national security, foreign policy and other reasons, most notably against countries designated by the U.S. Secretary of State as state sponsors of international terrorism, as well as certain countries, entities and individuals subject to domestic unilateral or UN sanctions. Additionally, the Department of Commerce administers and enforces regulations that prohibit certain trade and transactions with certain countries, entities and individuals by U.S. persons or from the United States under the Trading with the Enemy Act and the International Emergency Economic Powers Act.
Organizations must determine whether export-controlled data may be contained on their systems and work with their legal department to formulate a plan for handling such data inside or outside of the cloud. In part, controlled technical data is data controlled under the International Traffic in Arms Regulations (ITAR) or the Export Administration Regulations (EAR). Typically, this information is in the form of blueprints, drawings, models, formulae, specifications, photographs, plans, instructions or documentation regarding an export-controlled item or service.
Remember: Companies in the defense industry should also be aware that, under ITAR, merely giving foreign nationals access to defense technical data, whether or not the foreign national actually views it, is considered an export that requires authorization.
U.S. companies are prohibited from exporting controlled technical data to certain foreign countries without an export license. For example, sending an email with export-controlled technical data to a customer in India would be an export of the data to India and could require export authorization. The rules also restrict the release of export-controlled technical data to certain foreign nationals, inside or outside the U.S., without an export authorization. (To do so would be considered an export to that person’s country of citizenship.) For example, if an American engineer in the U.S. walks blueprints for the manufacture of an export-controlled item down the hall to his colleague who happens to be an Indian citizen, or emails them to him, this would be considered an export to India and could require export authorization.
Other Relevant Requirements
Assistance Data from 2000 to 2006: Assistance data from 2000 to 2006 is from the FAADS system operated by census.gov and may contain more types of assistance than the FFATA data submitted directly to USASpending.gov from 2007 onwards.
Assistance Data from 2007 to YTD: Assistance data from 2007 onwards is from data submitted by agencies directly to USASpending.gov per FFATA legislation.
American Recovery and Reinvestment Act (ARRA) Data: From 2009 onwards, data submitted by agencies may include awards related to ARRA as well.
Federal Legislation, Requirements and Guidance for IT Initiative Management
Clinger-Cohen Act (CCA) of 1996. The CCA was formerly known as the Information Technology Management Reform Act, or ITMRA. It requires each agency to undertake capital planning and investment control by establishing a process for maximizing the value, and assessing and managing the risks, of IT acquisitions of the executive agency.
Federal Acquisition Streamlining Act (FASA) of 1994. FASA requires agencies to define the cost, schedule and performance goals for major acquisition programs and to monitor and report annually on the degree to which those goals are being met. Agencies must assess whether acquisition programs are achieving 90 percent of their cost, schedule and performance goals.
Government Performance and Results Act (GPRA) of 1993. GPRA requires agencies to prepare updateable strategic plans and to prepare annual performance plans covering each program activity displayed in the budget. The performance plans are to establish performance goals in objective, quantifiable and measurable form, and performance indicators to be used in measuring relevant outputs, service levels and outcomes.
Paperwork Reduction Act (PRA) of 1995. PRA intends to: minimize the paperwork burden resulting from the collection of information by or for the federal government; coordinate, integrate and make uniform federal information resources management policies and practices; improve the quality and use of federal information to minimize the cost to the government of the creation, collection, maintenance, use, dissemination and disposition of information; and ensure that information technology is acquired, used and managed to improve the efficiency and effectiveness of agency missions.
Chief Financial Officers’ Act (CFOA) of 1990. CFOA establishes the foundation for effective financial management, including requiring agencies to develop and effectively operate and maintain financial management systems. The CFOA focuses on the need to significantly improve the financial management and reporting practices of the federal government. Having accurate financial data is critical to understanding the costs and assessing the returns on IT investments. Under the CFOA, CFOs are responsible for developing and maintaining integrated accounting and financial management systems that include systematic measurement information on agency performance.
OMB Circular A-11, Part 2: Preparation and Submission of Strategic Plans. A-11, Part 2, provides guidance for preparing and submitting the overall agency strategic and performance plans required by GPRA.
OMB Circular A-11, Part 3: Planning, Budgeting and Acquisition of Fixed Assets. A-11, Part 3, provides guidance on the planning, budgeting and acquisition of fixed assets, which include IT capital assets, and requires agencies to provide information on these assets in budget submissions. It also provides guidance for coordinating the collection of agency information for OMB reports to Congress under FASA and the CCA. Under FASA, OMB is required to report on the cost, schedule and performance goals for asset acquisitions and how well agencies are meeting their goals. CCA requires that OMB report on program performance in information systems and how benefits relate to accomplishing the goals of the agency.
OMB Circular A-130: Management of Federal Information Resources. A-130 provides information resource management policies on Federal Information Management/Information Technology (IM/IT) resources required by the PRA of 1980 as amended.
OMB Memorandum M-97-02, Funding Information System Investments. This memorandum contains eight decision criteria, commonly referred to as Raines Rules, which OMB will use to evaluate major information system investments.
Executive Order 13011, Federal Information Technology. The executive order highlights the need for agencies to significantly improve the management of their information systems, including the acquisition of information technology, by implementing the relevant provisions of PRA, CCA and GPRA.
Agencies are to refocus their information technology management to directly support their strategic missions, implement an investment review process that drives budget formulation and execution for information systems, and rethink and restructure the way they perform their functions before investing in information technology to support that work. Agency heads are to strengthen the quality of decisions on employing information resources to meet mission needs through integrated analysis, planning, budgeting and evaluation processes.
The USA PATRIOT Act was enacted by Congress on October 26, 2001, in response to the terrorist attacks of 9/11. The official title of the USA PATRIOT Act is “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act of 2001.” The purpose of the USA PATRIOT Act is to deter and punish terrorist acts in the United States and around the world, to enhance law enforcement investigatory tools, and other purposes, some of which include:
To strengthen U.S. measures to prevent, detect and prosecute international money laundering and financing of terrorism;
To subject to special scrutiny foreign jurisdictions, foreign financial institutions, and classes of international transactions or types of accounts that are susceptible to criminal abuse;
To require all appropriate elements of the financial services industry to report potential money laundering;
To strengthen measures to prevent use of the U.S. financial system for personal gain by corrupt foreign officials and facilitate repatriation of stolen assets to the citizens of countries to whom such assets belong.
While the aim is to catch terrorists, its net is so large that most organizations can be affected by its legal and regulatory implications. One of the provisions of the act relates to National Security Letters (also known as Federal Letters), which allow carriers to turn over data and records if asked to do so by the federal government. If large amounts of data are stored in the cloud, the government can access it without a court order if it feels national security is at risk. For organizations operating abroad this poses additional issues. If the U.S. government demands information under the Patriot Act, this might violate the privacy laws of the country in which the organization is operating.
A Canadian View of the USA Patriot Act as it Pertains to Cloud Services
To understand the impact of the Patriot Act on cloud computing, we must first understand what it is. According to the Treasury Board of Canada, it permits U.S. law enforcement officials, for the purpose of an anti-terrorism investigation, to seek a court order allowing access to the personal records of anyone without that person’s knowledge. “Under the act, U.S. officials could access information about citizens of other countries, including Canada, if that information is physically within the United States,” reads a report on the Website of Canada’s Treasury Board Secretariat. “Therefore, the potential exists for law enforcement agencies to obtain information about Canadians whose information might be handled under a contract between the federal government and a U.S.-based company.” Another critical aspect of the Patriot Act that can impact a corporation, regardless of physical location, and one that’s highly cloud-specific, falls under one of the main principles of cloud computing: multi-tenancy.
Multi-tenancy makes cloud computing work financially for the cloud provider, and is what makes possible the cost savings often seen by “moving to the cloud.” But the downside to multi-tenancy is that your cloud processes could be affected by actions taken by agencies under the Patriot Act on another system, corporation or person with whom you share a common infrastructure.
Canada Encryption Response to Patriot Act
Concerns about Canadian privacy under the U.S. Patriot Act prompted the New Democratic Party (NDP), which earlier this year began using cloud-based Salesforce.com as its platform for voter tracking, email and call-centre contact, to look for a strong encryption approach that it alone would control. Salesforce is now a main warehouse for the party’s donation and voter data, helping facilitate the flow of e-mail marketing and data use by call agents. Salesforce.com itself does offer an encryption service under which both Salesforce and the customer hold the encryption keys, Williamson says. But he decided he wanted an approach in which only the NDP itself would control the encryption keys to unlock scrambled data. If the U.S. government ever felt compelled to ask Salesforce.com for any data, the New Democratic Party would at least know about any request of this type, Williamson says. “You’d be aware of it.” The political party selected start-up CipherCloud with its Unified Cloud Encryption Gateway to keep voter data stored at Salesforce.com private.
Laws and Standards of Other Countries
The report of the Commission on the Leadership Opportunity in U.S. Deployment of the Cloud, published in August 2011 (www.techamericafoundation.org/cloud2), recommends that industry and the U.S. government promote privacy frameworks, that the U.S. government identify and implement mechanisms to clarify the processes around lawful government access to data, and that the U.S. continue international discussions in these areas. The Commission also recommends that the U.S. government lead by example by demonstrating its willingness to trust cloud computing environments in other countries for appropriate government workloads. More than 50 countries have now enacted data privacy laws. U.S. government entities may be entering into agreements where the data is stored outside of the United States. The recent GSA email RFP did consider this factor in an amendment requiring bidders to supply information to evaluate this risk. The relevant location-related part of the GSA amendment to the RFP is below.
As more information about Software as a Service has emerged since we issued our Request for Proposal, we have gained a better understanding of the level of maturity of this new and exciting environment. Our primary concern was and continues to be for the security of our data. And, while GSA prefers a location within the United States, we recognize we may have equated location with security and excluded other factors that could also ensure the security of our data, which unduly restricted offerors. Therefore, GSA is revising the requirement. Under SOO.5.6, Confidentiality, Security, and Privacy, paragraph f states that all data at rest will reside within the contiguous United States, the District of Columbia, and Alaska (CONUS) with a minimum of two data center facilities at two different and distant geographic locations. The requirement for the minimum two data centers is still applicable; however, offerors are provided the opportunity to review their proposals in relation to the revised CONUS requirement. GSA is asking that you clarify how you intend to meet our security requirement, regardless of location. If an offeror decides to modify their proposal and the data at rest will not reside in CONUS, please describe your compensating controls to mitigate risk.
www.GTIBookstore.com
Contracting for Cloud Services
The following information is valuable if you know your cloud vendor is operating in other countries, just as non-U.S. entities need to understand some of the laws that apply when their data is stored in the United States.

European Union Data Retention Directive (2006): called on the 27 member states each to set a retention period for telecommunications traffic data of between six and 24 months. With a court order, authorities can obtain details such as the IP addresses and time of use of every e-mail, phone call and text message sent or received; the content of the communications is not covered.

European Union Data Protection Directive (Directive 95/46/EC): regulates the processing of personal data within the EU and is an important component of EU privacy and human rights law. The data protection rules apply not only when the controller (the agency or organization that determines the purposes and means of the processing of personal data) is established within the EU, but whenever a controller uses equipment situated within the EU to process data (art. 4). Controllers from outside the EU that process data in the EU therefore have to follow the data protection rules. In principle, any online business trading with EU citizens processes some personal data and uses equipment in the EU to do so (the customer’s own computer), so the website operator has to comply with the European data protection rules.

The EU has laws that strictly govern the movement of data and access to databases. A company based in the EU cannot assume it is all right to have all its cloud data stored “across the pond” with a U.S. vendor, and a U.S. company cannot assume the reverse. The U.S.-EU “Safe Harbor” process may help if you cannot keep EU data on EU servers accessed only from the EU; note that it covers only transfers of EU personal data to the United States, not data going the other way.

The European Commission’s Directive on Data Protection went into effect in October 1998 and prohibits the transfer of personal data to non-EU countries that do not meet the EU “adequacy” standard for privacy protection. While the United States and the EU share the goal of enhancing privacy protection for their citizens, the United States takes a different approach to privacy from that taken by the EU. To bridge these different approaches and provide a streamlined means for U.S. organizations to comply with the Directive, the U.S. Department of Commerce, in consultation with the European Commission, developed the “Safe Harbor” framework, which sets out what an organization needs in order to evaluate, and then join, the U.S.-EU Safe Harbor program.

The international nature of business today means that data may be stored anywhere. As a result, events in other countries, such as conflict, tsunamis and other force majeure, as well as local laws, can affect you. Latency is also an issue: the time it takes a message to traverse the system matters most where real-time response is required. High latency, or lag, can cause requests to time out or responses to arrive out of the expected order. As a rule, the greater the distance to the server holding the data, the greater the latency.
The EU Data Protection Directive
This limits the export of personal data outside the European Economic Area (the EU member states plus Iceland, Liechtenstein and Norway).
Countries whose data protection the European Commission has found “adequate” can receive personal data without further steps; at the time of writing these are Switzerland, Canada, Argentina, Israel, the Isle of Man, Guernsey and Jersey in the Channel Islands, the Faroe Islands and Andorra.
The U.S. and the EU have a Safe Harbor scheme: participating U.S. companies can receive EU data if they self-certify that they will abide by the Safe Harbor rules (posted on the Department of Commerce website).
Special note: Google, Inc., has settled FTC allegations of deceptive privacy practices by its Buzz social network, including actions that violated its own privacy policy. Google has agreed to create a comprehensive privacy program, to be independently audited for the next 20 years. This is the first time the FTC has ordered a company to implement a program to protect the privacy of consumers’ information. It is also the first time the FTC has accused a company of violating the Safe Harbor certification.
A German legal view is that, seen as digital protection of constitutional and human rights, data privacy is neither discrimination against cloud vendors in specific countries, nor a source of market distortion, nor an obstacle to technology, but rather a cloud enabler; professional use of these systems is irresponsible without the necessary level of privacy protection. For many customers that view holds true regardless of their location, and it is shared by others. In particular, financial institutions (in the United States under FFIEC guidance) have strict security requirements, including for personally identifiable information, in order to comply with federal law (the Gramm-Leach-Bliley Act and others).
The European Telecommunications Standards Institute (ETSI)

The goal of ETSI TC CLOUD (previously TC GRID) is to address issues associated with the convergence between IT and telecommunications. The focus is on scenarios where connectivity goes beyond the local network. This includes not only grid computing but also the emerging commercial trend towards cloud computing, which places particular emphasis on ubiquitous network access to scalable computing and storage resources. Since TC CLOUD has particular interest in interoperable solutions in situations that involve contributions from both the IT and telecom industries, the emphasis is on the Infrastructure as a Service (IaaS) delivery model. TC CLOUD focuses on interoperable applications and services based on global standards and on the validation tools to support those standards. Evolution towards a coherent and consistent general-purpose infrastructure is envisaged, supporting networked IT applications in business, public sector, academic and consumer environments.

European Union Patriot Act Encryption Response

Members of the European Parliament demanded to know what lawmakers intend to do about the conflict between the European Union’s Data Protection Directive and the Patriot Act. Microsoft stated that it may be forced to hand over European customers’ data on its cloud service to U.S. authorities and may also be compelled by the Patriot Act to keep details of any such transfer secret. The same applies to other U.S.-based cloud providers such as Amazon Web Services (AWS) and Salesforce.com. What is a CIO to do? The answer, according to AWS chief technology officer Werner Vogels, is to encrypt private data before it goes to the cloud, and to follow best practice in classifying data. “We take privacy very seriously,” Vogels said. “For any subpoena we receive, we notify customers, effectively giving them the ability to seek an injunction.” Amazon relies on the U.S. Safe Harbor provisions in notifying customers. The risk for CIOs arises when cloud providers are bound to keep details of data transfers secret; in that case no notice comes and no injunction can be sought. By encrypting data where privacy is an issue, Vogels said, CIOs can regain a measure of control. “The whole thing is moot if the data is encrypted,” he said. “Then they [the CIO] can interact with the enforcement agency. We need to obey the laws in the countries we operate in, but at the same time we value the privacy of our customers.” The encryption only helps, of course, if the keys are held by the customer and not by the provider, since a provider that holds the keys can be compelled to produce them along with the data.

Mexico

In April 2010, Mexico passed the Federal Law for the Protection of Personal Data, with million-dollar fines for violations in either the private or the public sector. The law covers data transfer both within and outside Mexico, so it has a significant impact on many U.S.-based companies that operate in Mexico.

Canada

The Personal Information Protection and Electronic Documents Act, 2000 (PIPEDA) governs how private sector organizations collect, use and disclose personal information in the course of commercial business. In addition, the Act contains various provisions to facilitate the use of electronic documents. The Act was also intended to reassure the European Union that Canadian privacy law was adequate to protect the personal information of European citizens. PIPEDA incorporates, and makes mandatory, provisions of the Canadian Standards Association’s Model Code for the Protection of Personal Information, developed in 1995. The law gives individuals the right to:
Know why an organization collects, uses or discloses their personal information;
Expect an organization to collect, use or disclose their personal information reasonably and appropriately, and not use the information for any purpose other than that to which they have consented;
Know who in the organization is responsible for protecting their personal information; expect an organization to protect their personal information by taking appropriate security measures;
Expect the personal information an organization holds about them to be accurate, complete and up-to-date;
Obtain access to their personal information and ask for corrections, if necessary; and
Complain about how an organization handles their personal information if they feel their privacy rights have not been respected.
The law requires organizations to:
Obtain consent when they collect, use or disclose an individual’s personal information;
Supply an individual with a product or a service even if they refuse consent for the collection, use or disclosure of their personal information, unless that information is essential to the transaction;
Collect information by fair and lawful means; and
Have personal information policies that are clear, understandable and readily available.
Terms and Conditions Online

A practice that is prevalent in, but not unique to, cloud contracts is the inclusion of contract language saying that the contract incorporates other terms and conditions as posted at a specific URL belonging to the vendor. Information at any URL is subject to change without notice at any time, so by agreeing to standard vendor language along these lines you are, in essence, agreeing that the vendor can unilaterally change the language of the contract at any time without notice. It should go without saying that this is not a good idea. At a minimum, if you find the terms and conditions currently posted at that URL acceptable, print them and incorporate them as an exhibit to the contract, so that they are fixed in time; add that later changes to the posted terms bind you only through a written amendment.

Storage Limits/Fees

Some vendors place a cap on how much data you can store in their cloud and charge additional fees for any overage. Negotiate to have the necessary amount of storage included, as well as pre-established pricing for additional storage should it become necessary. Because storage prices typically keep falling, a cost-plus model for additional storage fees may serve you better than a fixed price. Note: a recent Coughlin Associates survey estimated that by 2014 the average American home will have 12 TB of digital content. Imagine how much storage capacity a major federal agency requires!
Technical Support It is not uncommon for standard cloud contracts to include little in the way of technical support. Depending upon your needs, you may want to negotiate for the contract to cover aspects of technical support provision, such as these:
Description of Support Provided
Who Can Access Support
Days/Hours Support is Available
How Customer Accesses Support
Escalation Process
Technical Access Requirements Think through how your users will access the cloud computing services, such as what Web browsers and/or mobile devices are typically used. Contractually obligate the vendor to ensure that these access channels will work, and require the vendor to provide advance notice of any changes.
SaaS, Security, the Cloud and the Contract It cannot be stressed enough that your cloud service is only as good as the contract negotiated to provide it. If it isn’t in the contract, the vendor is not going to supply it, and, if that omission happens to be a contingency plan in the event of a disruption, you are in trouble. That is why it is so critical to plan carefully before sending out your RFP, doing your risk assessments, reviewing other similar contractors and gathering as much information as possible from as many sources as possible to ensure that all your bases are covered. As SaaS is often the poor relative of cloud services and commands lower fees, the contracts have to be negotiated even more carefully to ensure your security goals are met. Vendors naturally will try to commit to as little as possible in order to enhance their profits. There are few common operating security standards among vendors, and this can also lead to major problems especially if the user is dealing with more than one SaaS provider. What could happen if a vendor decides to switch to a new platform without informing the user? Are all the SaaS providers using compatible security programs? All of these issues have to be discussed and covered in the contract.
Service Level Agreements and Key Performance Indicators The contract between a client organization and a cloud vendor is the place to codify service-level agreements (SLA), including specific parameters and definitions for each element of the service provided, and remedies for when SLAs aren’t met.
Basics
Keep SLAs short – The longer the SLA, the more complex it will be. Be brief but complete.
Focus on the outcomes –Try not to focus on details, such as the operating environment. Focus on the outcomes, such as application availability, recovery time, recovery point and number of completed transactions per hour.
Always have a root-cause analysis for any failure to achieve a service level.
Maintain ability to audit performance data. Have access to performance data to perform your own auditing or “outsourcing governance” using a service level management solution.
Factors to be considered:
Availability
Performance/Workload
Accuracy/Quality
Recoverability
Security
Satisfaction
Cost
Monitoring
Root cause reports and analysis
Regular review meetings
Payment linked to key performance
Regular reports
Management escalation audits
Bonus/malus
Non-financial remedies
SLA Content
Introduction
Service hours
Performance
Support
Penalties and credits
Service reporting and reviewing
Audit
SERVICE LEVEL AGREEMENT (sample)

1. SERVICE AVAILABILITY

1.1 Service Level Definitions

The Provider components are generally available 24 hours a day, seven days a week. However, Provider has a maintenance process that may limit availability between 12:01 am and 4:00 am Eastern Time on Fridays. Provider ensures Provider availability and the associated service levels only during the Standard Hours of Operation, defined as follows: Standard Hours of Operation means 8:00 am to 8:00 pm Eastern Time, Monday through Friday, less holidays observed by CUSTOMER. Provider Website address to be accessed: _______ (ENTER URL HERE).

1.2 SLA Operability Requirements

a. Provider guarantees 100% availability of Customer’s network environment during the Standard Hours of Operation, 8:00 am to 8:00 pm Monday through Friday each week.

b. In the event of a failure to meet the SLA, the duration of such period will be considered downtime, and Customer will accrue Service Credits.

2. SERVICE CREDITS

a. The Service Credit percentage will apply to the monthly fee for the month in which the downtime occurred and will not exceed the monthly fee. Provider will issue Customer a credit (or a check if the credit occurs in the final service month), which will be applied to the invoice in the month following the applicable event. If a timely credit is not received, Customer may deduct the downtime credit from the applicable invoice.

b. Service Credits are to be provided within 30 days of the determination of downtime.

Monthly Cumulative Downtime (minutes)     Service Credit (percentage of monthly fee)
More than 0, up to 30                     5%
More than 30, up to 60                    10%
61 - 120                                  15%
121 - 240                                 20%
241 - 300                                 30%
301 - 360                                 55%
Greater than 360                          100%

c. Service Credits are accumulated monthly, with Monthly Cumulative Downtime being reset at the beginning of each calendar month.

d. Provider monitoring/ticketing systems shall be the information source of record for the accumulation of Monthly Cumulative Downtime, as may be verified by Customer at its option.

(Note: the above is a sample only, to consider in developing an SLA for availability and the credits for failure to meet it. When adapting it, notice that the guarantee covers only Standard Hours of Operation, so an outage from 8:01 pm on a Friday until 7:59 am on Monday accrues no credit at all; if your users work outside those hours, extend the guaranteed hours or add a second, lower tier for them. Keep the right to verify Provider’s monitoring data against your own, since under clause 2.d the Provider’s systems decide how much downtime occurred.)
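As an added example (not the sample SLA’s own text, and not any provider’s code), the following computes Monthly Cumulative Downtime and the resulting credit from a constructed set of four outages in October 2011: first under the sample SLA above (only Standard Hours count, Customer holidays excluded), then under a narrower vendor definition that ignores any outage shorter than 30 minutes, and finally under a negotiated 24x7 wall-clock definition. The outage times, the holiday list and the 30-minute threshold are assumptions made for the example; the credit tiers are those of the sample.

```go
package main

import (
	"fmt"
	"time"
)

// Outage is a period the provider's monitoring recorded as unavailable.
// Times are Eastern wall-clock values, as the sample SLA specifies; the data
// below is constructed for the example, not real telemetry.
type Outage struct{ Start, End time.Time }

// Terms holds the contract definitions that decide what counts as downtime.
type Terms struct {
	AllHours         bool            // true: every minute counts (24x7)
	OpenHour         int             // first counted hour (8 = 8:00 am)
	CloseHour        int             // first uncounted hour (20 = 8:00 pm)
	Holidays         map[string]bool // "YYYY-MM-DD" holidays observed by Customer
	MinOutageMinutes int             // outages shorter than this never count (0 = none)
}

// counted returns the minutes of o in the given month that count as downtime
// under t, walking minute by minute so overnight and multi-day outages and
// the monthly reset need no special cases.
func counted(o Outage, t Terms, year int, month time.Month) int {
	if t.MinOutageMinutes > 0 && o.End.Sub(o.Start) < time.Duration(t.MinOutageMinutes)*time.Minute {
		return 0 // assumed vendor threshold: short outages are not "downtime"
	}
	n := 0
	for m := o.Start; m.Before(o.End); m = m.Add(time.Minute) {
		if m.Year() != year || m.Month() != month {
			continue // Monthly Cumulative Downtime resets each calendar month
		}
		if !t.AllHours {
			if wd := m.Weekday(); wd == time.Saturday || wd == time.Sunday {
				continue
			}
			if t.Holidays[m.Format("2006-01-02")] {
				continue
			}
			if m.Hour() < t.OpenHour || m.Hour() >= t.CloseHour {
				continue
			}
		}
		n++
	}
	return n
}

// MonthlyDowntime is the Monthly Cumulative Downtime, in minutes.
func MonthlyDowntime(outages []Outage, t Terms, year int, month time.Month) int {
	total := 0
	for _, o := range outages {
		total += counted(o, t, year, month)
	}
	return total
}

// CreditPercent maps cumulative downtime to the sample SLA's credit tiers.
func CreditPercent(minutes int) int {
	switch {
	case minutes <= 0:
		return 0
	case minutes <= 30:
		return 5
	case minutes <= 60:
		return 10
	case minutes <= 120:
		return 15
	case minutes <= 240:
		return 20
	case minutes <= 300:
		return 30
	case minutes <= 360:
		return 55
	default:
		return 100
	}
}

// et builds an Eastern wall-clock time; zone offsets are assumed to have
// been applied already in the provider's report.
func et(y int, mo time.Month, d, h, mi int) time.Time {
	return time.Date(y, mo, d, h, mi, 0, 0, time.UTC)
}

// SampleOutages is the constructed October 2011 outage list.
func SampleOutages() []Outage {
	return []Outage{
		{et(2011, 10, 4, 9, 0), et(2011, 10, 4, 10, 10)},    // Tue: 70 min, all in standard hours
		{et(2011, 10, 7, 19, 30), et(2011, 10, 8, 1, 0)},    // Fri 7:30 pm into Sat: only 30 min count
		{et(2011, 10, 10, 10, 0), et(2011, 10, 10, 12, 0)},  // Columbus Day, a Customer holiday: 0
		{et(2011, 10, 12, 14, 0), et(2011, 10, 12, 14, 25)}, // Wed: 25 min
	}
}

// StandardTerms are the sample SLA's definitions.
func StandardTerms() Terms {
	return Terms{OpenHour: 8, CloseHour: 20, Holidays: map[string]bool{"2011-10-10": true}}
}

func main() {
	narrow := StandardTerms()
	narrow.MinOutageMinutes = 30
	for _, v := range []struct {
		name string
		t    Terms
	}{
		{"sample SLA: standard hours, every outage", StandardTerms()},
		{"vendor paper: 30-minute minimum outage", narrow},
		{"negotiated: 24x7 wall clock", Terms{AllHours: true}},
	} {
		m := MonthlyDowntime(SampleOutages(), v.t, 2011, time.October)
		fmt.Printf("%-42s %4d min -> %3d%% credit\n", v.name, m, CreditPercent(m))
	}
}
```

Running it gives 125 minutes (20% credit) under the sample terms, 100 minutes (15%) once a 30-minute minimum is imposed, and 545 minutes (100%) under a 24x7 definition, for the same four outages. That spread is the point of the SLA Definitions discussion that follows: the definition of downtime, not the credit table, decides what a failure costs the vendor.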
Problem Management Key Performance Indicators

A PQR is a “problem, question, request” from Customer to the Provider service center. Customer will review Provider performance using the following metrics and Provider’s monthly report on key performance indicators (“KPIs”). The sample does not itself define the priority levels; the contract must state what qualifies as Priority 1 through Priority 4 (for example, Priority 1 = service unavailable to all users, Priority 4 = cosmetic or documentation issue), otherwise the timings below cannot be enforced.

Service Level Table (Standard Support Hours)

Priority 1 PQR acknowledgement: within 15 minutes from receipt of a call from Customer
Priority 1 PQR resolution or workaround: resolve within two clock hours from receipt of the PQR call
Priority 1 PQR root-cause analysis: root-cause analysis (RCA) provided within five Business Days after Priority 1 PQR resolution
Priority 2 PQR acknowledgement: within 30 minutes
Priority 2 PQR resolution or workaround: resolve within six clock hours
Priority 2 PQR root-cause analysis: RCA provided within five Business Days after Priority 2 PQR resolution
Priority 3 PQR acknowledgement: within one hour
Priority 3 PQR resolution or workaround: resolve within one Business Day
Priority 4 PQR acknowledgement: within eight hours
Priority 4 PQR resolution or workaround: resolve within five Business Days; root cause noted in next monthly report if applicable

Service Level Table (Outside Standard Support Hours)

Priority 1 PQR acknowledgement: within 15 minutes from receipt of Customer’s call
Priority 1 PQR resolution or workaround: resolve within two clock hours from receipt of the PQR call
Priority 1 PQR root-cause analysis: RCA provided within five Business Days after Priority 1 PQR resolution
Priority 2 PQR acknowledgement: within 30 minutes
Priority 2 PQR resolution: resolve within six clock hours
Priority 2 PQR root-cause analysis: RCA provided within five Business Days after Priority 2 PQR resolution
Priority 3 PQR acknowledgement (24x7): within eight clock hours
Priority 3 PQR resolution: resolve within one Business Day
Priority 4 PQR acknowledgement: next Business Day
Priority 4 PQR resolution: resolve within five Business Days; root cause noted in next monthly report if applicable

Note that the Priority 1 and 2 targets are stated in clock hours, which run through nights and weekends, while the Priority 3 and 4 targets are stated in Business Days; define both terms in the contract so that a Priority 3 ticket opened on a Friday afternoon has an unambiguous due date.
Service Reports
Service Reports will be delivered to Customer by the 10th Business Day of each month +/- 2 Business Days; electronic delivery to the appropriate person(s) and standing monthly meeting presentation by the Service Manager to the appropriate person(s) shall be considered an acceptable delivery vehicle
Provider will provide a monthly status in its written report to Customer for the KPIs. Failure of Provider to substantially meet the KPIs for problem resolution entitles Customer to exercise rights of termination pursuant to the termination provisions in the Agreement. The Provider service manager shall meet with the Customer project manager whenever KPIs are not met and provide a plan to meet the KPIs in the future.

SLA Definitions

The specific definitions of pertinent SLA terms in a contract are important as well. Such definitions in standard cloud vendor contracts often provide a very narrow way of measuring SLA parameters. For example, these contracts may define “downtime” so as to exclude any time that service is unavailable due to maintenance that was scheduled or announced in advance. Calculation of downtime might be restricted to outages of a minimum number of consecutive minutes or to a minimum error rate, or be based only on the vendor’s own monitoring. Downtime might be averaged over a specified period, such as a week or a month, so that a single bad day disappears into an acceptable monthly figure. Collectively, such clauses can leave a definition of total downtime under which most real outages never count; check each definition against the kind of outage you actually fear before accepting the credit table.

Recovery Time Objective and Recovery Point Objective

One way to evaluate the quality of your system and data protection is to evaluate the Recovery Time Objective (RTO) and Recovery Point Objective (RPO). These metrics define how long you expect it to take to get back online and how current the restored data has to be. If an organization sets a four-hour RTO and a four-hour RPO, the business can tolerate four hours of downtime between failure and recovery, and it will have to recreate (or do without) at most the last four hours of data; together, that is about eight hours of lost work. The RPO bounds how often data must be replicated or backed up; the RTO bounds how quickly a standby environment must be brought into service. Both should appear in the contract as measurable obligations, not as targets.

Performance/Response Time

It is important to set user operating parameters, including the speed at which data is transmitted. This performance measure depends on a number of variables, the most important of which is usage. If too many people access the server at the same time, can it continue to function, or will it fail? Performance and capacity are therefore linked. Capacity planning is predicting how much capacity you will need in the future. Response time measures actual performance: the time it takes data to travel from A to B. As a user, you will need this information from the vendor on a regular basis to ensure agreed performance is being met.
Performing as Represented

When you enter into the agreement with the vendor, you agree a number of parameters and definitions, such as the performance measures discussed above. The vendor contracts to meet the agreed performance levels, and you can tell from the data reports the vendor supplies whether performance was delivered “as represented.” If not, you have to find out why, and the vendor has to take steps to return to compliance.

Quality of Service (QoS)

There has been a lot of discussion in recent months about QoS, or the lack of it, when it comes to cloud services. Quality of service is the ability to give different priority to different applications, users or data flows, or to guarantee a certain level of performance to a data flow. As with performance, QoS depends a lot on capacity; if a system is overloaded, QoS will inevitably suffer. Quality of service can also refer to the level of service quality that is guaranteed. High QoS is often confused with a high level of achieved performance, for example high bit rate, low latency and low bit error probability; the contract should state the guaranteed parameters, not the performance seen on a good day. QoS parameters should be included in the contract.

Error Detection and Correction Time

Errors occur when data in transmission or storage is corrupted for whatever reason. Checksums at the link and transport layers normally detect corruption during transmission, and retransmission corrects it almost immediately; corruption at rest is caught only if the storage system checksums and periodically verifies what it holds. As data rates and volumes increase, more errors become likely, so it is important that error detection and correction be built into the vendor’s storage and transmission hardware. What procedures does your vendor have in place both to detect and to correct errors, and how quickly?

Latency

Latency is the time lag between executing a command on your PC and getting a response back from the cloud. Data moves fast, but it still takes longer to get a response from a server in India than from one in the next town. Delays also creep in if the route passes through several intermediate systems or bandwidth is restricted. As the cloud environment expands with more data centers in more locations, latency will become less of an issue. Currently, however, you need to know where your vendor’s servers are situated to determine whether latency could be an issue for you.

Focus on Results

Having taken the decision to move to the cloud, determined what your needs are and selected a vendor that can meet them, you must ensure that you get what you are paying for. That requires vendor reports (as already discussed) to confirm satisfactory provision of services, as well as an excellent relationship between you and the vendor so that you are both working towards the same goals.
Bonus/Malus

Literally meaning good/bad, bonus/malus clauses reward the vendor for good service and penalize it for bad. The triggers are usually the service levels (SLAs) written into the contract.

Root-Cause Analysis

Root-cause analysis (RCA) is a class of problem-solving methods aimed at identifying the root causes of problems. The practice of RCA is predicated on the belief that problems are best solved by addressing, correcting or eliminating root causes, rather than merely the immediately obvious symptoms. By directing corrective measures at root causes, recurrence is more likely to be prevented.

Vendor Exceptions to Uptime (examples)

The following items or situations are commonly exempted from the guarantee of 100 percent availability. Read each one as a narrowing of the guarantee and make sure it is bounded, for example that “failure of the worldwide Internet” does not excuse a failure of the vendor’s own upstream connectivity:
Scheduled maintenance windows or any other agreed-to scheduled downtime activity. Define when these are to occur in the agreement.
Modifications to hardware, system or application code configuration, or code and content migrations impacting cloud services not authorized by Vendor.
Unavailability due to Customer programming.
Modifications to OS, content, development, staging and/or testing period(s) or acts or omissions of Customer.
Events of force majeure, including acts of war, acts of God, earthquake, flood, embargo, riot, sabotage, labor dispute, government act or failure of the worldwide Internet.
Remedies Non-financial Remedies
Consider non-financial remedies, such as requiring a vendor executive to present issues and resolutions to your management
Direct access to technicians
Release of problem to press and/or others
Assessing and Applying Credits Provision must be made for how assessments for credits are made and how they will be applied. Credits should be applied promptly, usually within 30 days of the determination that a credit is due.
SLAs/KPIs Unique to Your Business Needs
Every agency has very specific requirements, and both the SLA and the KPIs should reflect this. The more tailor-made your solution, the better you are able to meet your goals and objectives.

Sample SLA Worksheet

1. Project Name:
   Activity:
   CWBS:
   CLIN:
   SLA #:
   Objective(s):
2. Task Title:
3. Service Description:
4. Applicable Service Category:
5. Levels of Service Category:
6. Performance Category:
7. Responsible Party:
8. Performance Measure Description:
9. Frequency:
10. Where Measured:
11. How Measured:
12. Performance Standard Applicable to Each Level of Service:
13. Level of Service:

Each numbered block in the worksheet is completed as follows:
1. Identify the specific project objectives and activities related to the service to be measured, and the proposed CWBS, CLIN and SLA number.
2. Provide a brief name for the service to be measured.
3. Briefly and concisely describe the service to be performed.
5. Identify how many levels of service apply and what they are (e.g., (1) routine, (2) critical).
6. Identify the category of performance (e.g., help desk resolution).
7. Identify the organizational element responsible for measuring the service.
8. Describe what will be measured and the scope of measurement (e.g., measured from where to where and what the measurement includes).
9. Identify how often the service is measured, summarized and reported.
10. Identify where the service is measured (e.g., TCO).
11. Identify the measurement methodology (e.g., how calculated, how monitored/audited).
Continuous Monitoring Takes Compliance to Next Level NIST SP 800-137 (DRAFT) states: “A continuous monitoring program is established to collect information in accordance with pre-established metrics, utilizing information readily available in part through implemented security controls. Tools, technologies and methodologies including sampling, common protocols and reference architectures make organization-wide manual and automated data collection, aggregation, analysis and reporting practical. Organizational officials collect and analyze the data regularly and as often as needed to manage risk as appropriate for each organizational tier. This involves the entire organization, from senior leaders providing governance and strategic vision to individuals developing, implementing and operating individual systems in support of the organization’s core missions and business processes. Subsequently, determinations are made from an organizational perspective on whether to conduct mitigation activities, or reject, transfer or accept risk.” The following elements are essential to a successful organization-wide continuous monitoring program:
Configuration management and change control – develop processes for organizational information systems, throughout their SDLCs, and with consideration of their operating environments and their role(s) in supporting the organization’s missions and core business processes;
Security impact analyses – develop security impact analysis and conduct analyses to monitor for changes to organizational information systems and their environments of operation for any adverse security impact to systems, mission/business and/or organizational functions with said systems support;
(Ongoing) assessment of system security controls – assessment frequencies based on an organization-wide continuous monitoring strategy and individual system authorization strategies;
Security status monitoring and reporting – communicate accurate and up-to-date security-related information to support ongoing management of information security risks and to enable data-driven risk mitigation decisions with minimal response times and acceptable data latencies; and
Active involvement of organizational officials.
Cloud Security SLAs – What you should ask for Vendors generally offer a standard list of services which may or may not be suitable for your requirements. Research your needs thoroughly and discuss with the vendor tailor-made solutions. Major agencies should always seek tailor-made security controls, and these need to be embedded in the SLA. Other provisions that need to be discusses and included are what controls are in place to detect errors, intrusions and breaches. What are the frequency of alerts and the level of monitoring? What provisions are there for regular audits? What are the provisions for data protection and for compensation in case of data loss?
Amazon Outage Lessons
Even the largest companies can run into problems. In April 2011, Amazon had four days of downtime as a result of human error when traffic was shifted from the primary network onto a lower bandwidth network used for backup. The problem was compounded when a misconfiguration resulted in a “remirroring storm” and there was no automatic shift to other availability zones. Amazon apologized saying, “We know how critical our services are to customers’ businesses, and we will do everything we can to learn from this event and use it to drive improvement ...” Affected customers were given a 10-day credit for their usage in affected systems.
www.GTIBookstore.com
Contracting for Cloud Services
Cloud Computing Contract Checklist (C4)

Category: Data - Ownership
Category ID: DO-01
Description:
DO-01a - Customer ownership of Customer data.
DO-01b - Customer ownership of the results of any processing of Customer data.
DO-01c - Supplier’s rights to use Customer data limited to provision of the services.

Category: Data - Access/Disposition
Category ID: DA-01
Description:
DA-01a - Which of the Supplier’s employees may access Customer data; access is limited to that which is necessary to fulfill Supplier’s obligations under the contract.
DA-01b - Process by which Customer data is returned to Customer.
DA-01c - Timeframe within which Customer data is returned to Customer, both as a result of termination, and mid-term.
DA-01d - Format in which the Customer data is to be returned to Customer.
DA-01e - Supplier’s obligations to destroy remaining copies of Customer information after termination and after Customer data is returned to Customer.
DA-01f - Customer’s rights to audit that Customer data has been appropriately destroyed.
DA-01g - Supplier’s responsibilities to support fulfillment of Customer’s eDiscovery obligations, including mechanisms in place to easily retrieve and provide data, and the timeframe within which such data provision is to occur.
DA-01h - Supplier’s policy, process and obligations to provide Customer data in case of a legal request for access; Supplier’s obligations to notify Customer upon receipt of such requests and prior to any disclosure, to cooperate with Customer’s efforts to appropriately manage the release of such data, to limit the disclosure to the extent possible, and to provide Customer with a copy of Supplier’s response.
Category: Data - Security Breaches
Category ID: DB-01
Description:
DB-01a - Supplier’s obligations to NOT share Customer data with others.
DB-01b - Type of Customer data that will be stored (sensitive or public, PHI, PII, etc.).
DB-01c - Supplier’s obligations to notify Customer of any actual or reasonably suspected security breach; timeframe within which notice must be provided.
DB-01d - Details (circumstances, type of data, etc.) to be included in the breach notification.
DB-01e - Supplier’s obligations to fully investigate the circumstances, extent and causes of the breach.
DB-01f - Supplier’s obligations to take corrective actions to ensure that the breach is terminated, and to prevent future recurrences, including the timeframe for completion.
DB-01g - Supplier’s obligations to reimburse Customer for any expenses incurred as a result of the breach.
DB-01h - Insurance (cyber-risk or other) to be obtained to address security breach and associated expenses, including amounts, who will acquire, etc.

Category: Data - Location
Category ID: DL-01
Description:
DL-01a - Limitations on the geographical area within which Customer data may be processed or stored.
DL-01b - Geographical limitations for both the Supplier’s headquarters and data center(s).
DL-01c - Geographical limitations for data in transit, and data at rest.
Category: Infrastructure/Security - Information Security
Category ID: IS-01
Description: This section is intended to codify responsibilities and obligations related to ensuring that Customer information is secure. Specific examples include the following:
IS-01a - Supplier’s responsibilities to provide a secure gateway environment, including: firewalls, anti-malware solutions, traffic flow filters, content filters, etc.
IS-01b - Supplier’s responsibilities to conduct, or have conducted, audits and/or penetration tests at the network, application or operating system level. Include the process and timeframe in which the results of such audits/tests are made available for Customer review.
IS-01c - Supplier’s obligations to install and maintain pro-active security monitoring systems.
IS-01d - Supplier’s obligations to install and maintain mechanisms to ensure effective data segregation between tenants in a multi-tenant environment.
IS-01e - Supplier’s obligations to encrypt Customer data in transit and at rest, including level of encryption (128 bit, 256 bit, etc.).
IS-01f - Supplier’s obligations to provide Identity and Access Management mechanisms, including standard to be used, alignment with Customer IAM systems, etc.

Category: Infrastructure/Security - Physical Security
Category ID: IS-02
Description: This section is intended to codify responsibilities and obligations related to provisions of physical security mechanisms. Specific examples include the following:
IS-02a - Supplier Security Policy/Incident Response Plan as a minimum requirement.
IS-02b - Supplier responsibility to implement and maintain effective access controls and restrictions, including: nondescript location, guards, video surveillance, intrusion detection systems, multi-factor authentication, etc.
IS-02c - Supplier’s obligation to conduct effective background checks on staff with access to sensitive data.
IS-02d - Supplier’s obligation to ensure that staff are effectively trained and aware of Supplier’s infrastructure/security policies and associated best practices.
IS-02e - Supplier’s responsibility to ensure effective segregation of staff duties so that no single staff member can breach security and go undetected.
IS-02f - Supplier’s obligations to have processes in place to establish and monitor third-party adherence to Supplier’s security policies.
Category: Infrastructure/Security - Operations Management
Category ID: IS-03
Description: This section is intended to codify responsibilities and obligations related to ensuring effective data center operations management. Specific examples include the following:
IS-03a - The asset management processes the Supplier must have in place to ensure that all applications, devices and systems effectively and rapidly patch vulnerabilities.
IS-03b - Supplier’s change management processes/procedures to ensure that all system changes are effectively deployed with minimum disruption of service and/or risk of data loss or damage.
IS-03c - Supplier’s obligation to implement and maintain effective software development quality assurance processes to mitigate risks of disruption of service and/or risk of data loss or damage.
IS-03d - Supplier’s obligations to implement and maintain processes to effectively manage and limit access to systems and prevent unauthorized access to Supplier’s applications, programs and/or object or source code.
IS-03e - Supplier’s obligations to implement and maintain effective capacity and resource planning processes and mechanisms.
IS-03f - Supplier’s obligations to implement and maintain processes to ensure effective data replication, storage, distribution and recovery.
IS-03g - Supplier’s obligations to implement and maintain processes to ensure effective virtual server provisioning and management.
Category: Infrastructure/Security - Audits/Certifications
Category ID: IS-04
Description: This section is intended to codify Supplier responsibilities and obligations related to certifying that their infrastructure/security practices effectively meet contractual requirements and best practices. Specific common certification examples include the following:
IS-04a - Statement on Standards for Attestation Engagements (SSAE) 16, and Service Organization Controls (SOC) 2&3. (Replaced SAS 70, Type II as of 6/15/11.)
IS-04b - International Standards Organization (ISO) 27001 and 27002.
IS-04c - Federal Information Processing Standard (FIPS) 200 and Special Publication (SP) 800-53.
IS-04d - Customer’s rights to inspect, or to retain a third party to inspect, Supplier data center, including: timing, frequency, parameters, costs, etc.
IS-04e - Customer’s rights to conduct a vulnerability scan and/or penetration test of Supplier’s systems and facilities used to provide the services to Customer.
IS-04f - Supplier’s obligations to conduct third-party data integrity audits to protect Customer data against deterioration or degradation of data quality and authenticity.
IS-04g - Frequency within which Supplier must re-certify under the initially designated standard(s), and what happens if they don’t pass in a subsequent round.
IS-04h - Supplier obligations to re-certify in the event of an actual or reasonably suspected breach.
IS-04i - Provision of reports generated as a result of any required certification process to Customer, including the timeframe within which reports are to be provided.
IS-04j - Supplier’s obligations to modify its infrastructure to meet its obligations under the agreement should any of the audits/certifications identify a shortcoming.
Category: Infrastructure/Security - Disaster Recovery/Business Continuity
Category ID: IS-05
Description: This section is intended to codify Supplier responsibilities and obligations related to implementing and maintaining effective disaster recovery/business continuity (DR/BC) processes. Specific examples include the following:
IS-05a - Minimum DR/BC mechanisms Supplier must have.
IS-05b - Ongoing level of uninterrupted services Supplier must provide in the event of a disaster, including failover processing.
IS-05c - Frequency, location and type of offline backups Supplier must make.
IS-05d - Type and frequency of tests of DR/BC processes Supplier must conduct.
IS-05e - Supplier’s plans in the event that one of its third-party providers fails.
IS-05f - Responsibility for declaring a disaster, the circumstances that may warrant such a declaration, and the repercussions of making such a declaration.
IS-05g - Supplier’s obligations to provide Customer with notification regarding loss of service due to disasters or other disruptions.
IS-05h - Supplier’s obligations to correct the underlying problem resulting from the disaster, including the timeframe within which the service will be back up and running at pre-disaster service levels.
IS-05i - Supplier’s obligations to Customer if Customer data is lost or damaged.

Category: Service Level Agreements - Parameters
Category ID: SL-01
Description: This section is intended to describe the various parameters of the Supplier’s service that can be measured, and the level at which they are to be provided. Some common examples include:
SL-01a - Availability - The percent of time that the service will be functional and available to the Customer.
SL-01b - Performance/Response Time - This can be applied to a number of aspects of the service, but one of the most common is the speed of the system (i.e., the time between when an action is taken by an end user and when the result is received).
SL-01c - Error Correction Time - The amount of time that elapses between when a system error is reported to the Supplier and when the Supplier has corrected it.
SL-01d - Quality of Service - This can be applied to a number of aspects of the service, but one of the most common is the quality of Customer service and support.
SL-01e - Other Unique SLA Parameters - It is important to consider and codify any additional aspects of service that may be uniquely critical to the Customer’s specific use needs.
Category: Service Level Agreements - Definitions
Category ID: SL-02
Description: SLA definitions provide additional limitations regarding how a service is measured or calculated, including what can be included or excluded. Common definitions include:
SL-02a - Uptime/Downtime - May be limited to a minimum number of consecutive minutes or a minimum percentage error rate, and spread over a specific time period.
SL-02b - Scheduled Maintenance - Typically the days and hours when the system may be unavailable for maintenance are stated, and excluded as Downtime for calculation of Availability SLAs. Ensure these do NOT conflict with Customer periods of peak demand.
SL-02c - Calculations - Specific formulas, potentially including examples, of how any given SLA is to be calculated so as to determine whether or not an SLA has been met.
SL-02d - Recovery Time Objective - The duration of time and a service level within which service must be restored after a disruption.
SL-02e - Recovery Point Objective - The point in time to which data must be recovered subsequent to a disaster or other disruption in service. For example, if the RPO is two hours, then when a system is brought back online after a disaster, all data must be restored to a point within two hours before the disaster.

Category: Service Level Agreements - Monitoring
Category ID: SL-03
Description:
SL-03a - Performance Reporting - Codifies the process by which service levels are measured (who measures, how they measure and how often), and how those results are provided to Customer.
SL-03b - Performance Auditing - Codifies the Customer’s rights to review the Supplier’s records related to the service level measurements.
Category: Service Level Agreements - Remedies
Category ID: SL-04
Description: This section is intended to describe the various actions a Supplier must take in the event that SLAs are not met. Some common examples include:
SL-04a - Root Cause Analysis (RCA) - Supplier’s obligations to identify the root cause(s) of a problem in order to identify effective corrective actions that will prevent that problem from recurring.
SL-04b - Corrections - Supplier’s obligation to apply corrective actions identified as a result of the RCA.
SL-04c - Penalties - Describe punitive results accruing to a Supplier in the event of a missed SLA.
SL-04d - Assessing/Applying Financial Penalties - How such penalties are calculated, how they will be provided to the Customer (credit, refund, etc.), and any limits on the total amounts of penalties provided.
SL-04e - Bonus/Malus - Bonus for Supplier meeting an SLA, penalty (malus) for Supplier missing an SLA.
SL-04f - Other Remedies - Consider penalties of a non-financial nature such as: requiring an executive of the Supplier to personally present explanations of missed SLAs to Customer’s management; or requiring the Supplier to run a full-page ad in the N.Y. Times announcing their missed SLAs.

Category: Other - Fees/Payment
Category ID: FP-01
Description: This section is intended to codify costs related to continuing use of the service at current levels, and at either increased or decreased volumes.
FP-01a - Costs for Customer to continue using the service in subsequent renewal years. It is to the Customer’s benefit to cap such cost at the lesser of: a specific CPI, a set percentage or what the Supplier charges others, for as long a period going forward as possible.
FP-01b - Cost per unit to expand current usage volume.
FP-01c - Cost per unit changes resulting from a decrease in Customer volume.
FP-01d - Minimum purchase volume commitments, if any.
FP-01e - Minimum contract periods, if any.
FP-01f - Costs for special services (eDiscovery, additional storage, transition services, etc.).
Category: Other - Termination
Category ID: OT-01
Description:
OT-01a - Circumstances under which the Supplier may terminate the contract, including minimum advance notice timeframe.
OT-01b - Customer’s opportunity to cure prior to termination, including timeframe.
OT-01c - Whether payments subject to legitimate dispute are excluded from reasons why Supplier may initiate termination.
OT-01d - Circumstances under which the Customer may terminate the contract, including minimum advance notice timeframe.

Category: Other - Functionality
Category ID: OF-01
Description:
OF-01a - Description of functionality being acquired, as opposed to merely a product name.
OF-01b - Minimum advance timeframe within which Supplier must notify Customer of changes to, or deletions of, existing functionality.
OF-01c - Customer’s rights to replacement products providing similar functionality under a new name, if any.

Category: Other - Mergers & Acquisitions
Category ID: MA-01
Description:
MA-01a - Assignment rights of Customer.
MA-01b - Assignment rights of Supplier.
MA-01c - Whether or not the terms of the contract are binding on successors and assigns.
MA-01d - Supplier’s obligations to plan and implement a smooth transition of services with minimal interruption to Customer.

Category: Other - Supplier Outsourcing
Category ID: SO-01
Description:
SO-01a - Identify any contracted functionality that Supplier outsources to a third party.
SO-01b - Identify third parties to which Supplier has outsourced each functionality.
SO-01c - Obligations of Supplier in relation to outsourced functionality.
SO-01d - Obligations of third parties in relation to outsourced functionality.

Category: Other - Compliance With Laws and Standards
Category ID: CL-01
Description: This section should state any laws with which the Supplier is obligated to comply. Potentially pertinent specific examples include:
CL-01a - U.S. Laws (ex. Gramm-Leach-Bliley, Sarbanes-Oxley, HIPAA, FERPA, etc.)
CL-01b - State Laws
CL-01c - Laws of other countries where Customer may conduct business (EU, Mexico, etc.)
CL-01d - Standards (ex. Payment Card Industry Data Security Standard, etc.)
Category: Other - Terms & Conditions Online
Category ID: TC-01
Description: A practice that is prevalent, but not unique, in cloud computing contracts is the inclusion of language that essentially says that the contract incorporates other terms and conditions as stated at a specific URL belonging to the Supplier. Since these Ts&Cs can be unilaterally changed by the Supplier at any time without notice, it can be to Customer’s benefit to fix these Ts&Cs in time by printing and incorporating them as an Exhibit.

Category: Other - Storage Limits/Fees
Category ID: SF-01
Description:
SF-01a - How much storage is included with the purchase of the cloud services?
SF-01b - Any caps on how much data Customer may store in Supplier’s cloud.
SF-01c - Obligations of Supplier in relation to outsourced functionality.
SF-01d - Customer’s cost per unit to purchase increased storage beyond standard.
Category: Other - Technical Support
Category ID: TS-01
Description:
TS-01a - Level/type of support to be provided by Supplier, including geographic location and/or primary language of personnel providing support.
TS-01b - Which Customer users can access support?
TS-01c - Days/hours that support is available.
TS-01d - Process by which Customer accesses support (phone, email, etc.).
TS-01e - Error notification and correction process, including timeframes.
TS-01f - Support issue escalation process, including timeframes.

Category: Other - Technical Access Requirements
Category ID: TA-01
Description:
TA-01a - How Customer users may access the Supplier’s services (ex. specific Web browsers, specific mobile devices, etc.).
TA-01b - Minimum advance timeframe within which Supplier must notify Customer of changes to existing technical access requirements.

Category: Other - Cloud Escrow
Category ID: CE-01
Description: Cloud Escrow obligations of Supplier, if any, including escrow triggering events and timeframes within which Customer can access escrow.

Category: Other - Warranties
Category ID: OW-01
Description: This section is intended to codify the warranties, if any, that Supplier makes to Customer. Potentially pertinent specific examples include:
OW-01a - Services warranty
OW-01b - Compliance with laws warranty
OW-01c - Intellectual property warranty
OW-01d - Disabling code warranty
OW-01e - Warranty of authority
OW-01f - Third-party warranties and indemnities
OW-01g - Date/time change warranty
OW-01h - Most-favored customer warranty
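As an added worked example (not from the book), the following Python calculator applies the SL-02 definitions (minimum-duration Downtime, Scheduled Maintenance exclusion, a stated calculation formula) and the SL-04d credit schedule from the checklist above to one constructed month of incident data; the formula, the 5-minute threshold, the Sunday maintenance window and the credit tiers are all assumptions chosen for illustration, not terms any supplier offers.

```python
"""Availability SLA calculator for the SL-02 definitions (minimum-duration
Downtime, Scheduled Maintenance exclusion, stated formula) and the SL-04d
credit schedule. Every number below is constructed for this example."""
from dataclasses import dataclass
from datetime import datetime
from typing import Sequence, Tuple

Interval = Tuple[datetime, datetime]  # half-open [start, end)


def overlap_minutes(a: Interval, b: Interval) -> float:
    """Minutes shared by two intervals; 0.0 when they do not overlap."""
    start, end = max(a[0], b[0]), min(a[1], b[1])
    return max((end - start).total_seconds() / 60.0, 0.0)


@dataclass(frozen=True)
class SlaTerms:
    target_pct: float          # SL-01a: committed availability
    min_outage_minutes: int    # SL-02a: shorter outages are not "Downtime"
    # SL-04d: (availability floor, credit as % of the period's fee),
    # ordered from the highest floor to the lowest
    credit_tiers: Tuple[Tuple[float, float], ...]
    credit_cap_pct: float      # SL-04d: limit on total credit per period


def counted_downtime_minutes(outages: Sequence[Interval],
                             maintenance: Sequence[Interval],
                             terms: SlaTerms) -> float:
    """Downtime as the SLA defines it, not as the incident log records it.

    Minutes inside a scheduled maintenance window are excused (SL-02b), and
    an outage counts only if what remains reaches the minimum consecutive
    duration (SL-02a). Applying the threshold after the exclusion, as done
    here, is itself a choice the SL-02c formula must spell out; the reverse
    order counts more outages. Maintenance windows are assumed not to
    overlap one another.
    """
    total = 0.0
    for outage in outages:
        raw = (outage[1] - outage[0]).total_seconds() / 60.0
        excused = sum(overlap_minutes(outage, w) for w in maintenance)
        unexcused = raw - excused
        if unexcused >= terms.min_outage_minutes:
            total += unexcused
    return total


def availability_pct(period: Interval, outages: Sequence[Interval],
                     maintenance: Sequence[Interval], terms: SlaTerms) -> float:
    """Constructed SL-02c formula: (measured - Downtime) / measured * 100,
    where measured minutes are the period minus scheduled maintenance.
    Leaving maintenance in the denominator instead would inflate the result,
    so the contract must state which convention applies."""
    period_minutes = (period[1] - period[0]).total_seconds() / 60.0
    measured = period_minutes - sum(overlap_minutes(period, w) for w in maintenance)
    downtime = counted_downtime_minutes(outages, maintenance, terms)
    return round((measured - downtime) / measured * 100.0, 3)


def service_credit_pct(availability: float, terms: SlaTerms) -> float:
    """Credit owed (as % of the period's fee) per the SL-04d tiers, capped."""
    if availability >= terms.target_pct:
        return 0.0
    credit = 0.0
    for floor, pct in terms.credit_tiers:   # later tiers have lower floors
        if availability < floor:
            credit = pct
    return min(credit, terms.credit_cap_pct)


# --- Constructed scenario: one reporting month, June 2011 -------------------
TERMS = SlaTerms(target_pct=99.9, min_outage_minutes=5,
                 credit_tiers=((99.9, 10.0), (99.0, 25.0), (95.0, 50.0)),
                 credit_cap_pct=30.0)
PERIOD: Interval = (datetime(2011, 6, 1), datetime(2011, 7, 1))
# SL-02b: Sundays 02:00-04:00 are scheduled maintenance (constructed window)
MAINTENANCE = [(datetime(2011, 6, d, 2), datetime(2011, 6, d, 4)) for d in (5, 12, 19, 26)]
# Constructed incident log: (start, end) of each service interruption
OUTAGES = [
    (datetime(2011, 6, 5, 3, 30), datetime(2011, 6, 5, 4, 20)),    # 50 min, 30 excused
    (datetime(2011, 6, 10, 14, 0), datetime(2011, 6, 10, 14, 3)),  # 3 min, below threshold
    (datetime(2011, 6, 21, 9, 0), datetime(2011, 6, 21, 10, 45)),  # 105 min, all counted
]


def monthly_sla_report() -> dict:
    """Runs the constructed scenario and returns the figures an SL-03a
    performance report would carry."""
    availability = availability_pct(PERIOD, OUTAGES, MAINTENANCE, TERMS)
    return {
        "counted_downtime_minutes": counted_downtime_minutes(OUTAGES, MAINTENANCE, TERMS),
        "availability_pct": availability,
        "sla_met": availability >= TERMS.target_pct,
        "credit_pct": service_credit_pct(availability, TERMS),
    }


if __name__ == "__main__":
    for key, value in monthly_sla_report().items():
        print(f"{key}: {value}")
```

Changing the order of the threshold and the maintenance exclusion, or the denominator convention, changes the reported figure for the same incident log, which is why SL-02c asks for the formula itself to be written into the contract.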
STEP 6
Managing The Contract and The Vendor Relationship
“Continual assessment of performance is needed to ensure all contract obligations are met. It allows the organization to take immediate corrective or punitive action for noted deficiencies ...” (NIST Guidelines on Security and Privacy in Public Cloud Computing).
Once you’ve established a cloud computing contract, you will need to dedicate resources to monitor and manage your relationship with the service provider to ensure continued adherence to the contract terms. This chapter describes key aspects of the contract and your relationship with the vendor that both need to be managed on an ongoing basis after completion of the contract and implementation of the service.
Contract Administration
Contract Administration involves those activities performed by government officials after a contract has been awarded to determine how well the government and the contractor performed to meet the requirements of the contract. It encompasses all dealings between the government and the contractor from the time the contract is awarded until the work has been completed and accepted, or the contract terminated, payment has been made and disputes have been resolved. As such, contract administration constitutes that primary part of the procurement process that ensures the government gets what it paid for. In contract administration, the focus is on obtaining supplies and services, of requisite quality, on time and within budget. While the legal requirements of the contract are determinative of the proper course of action of government officials in administering a contract, the exercise of skill and judgment is often required in order to protect effectively the public interest.
The specific nature and extent of contract administration varies from contract to contract. It can range from the minimum acceptance of a delivery and payment to the contractor, to extensive involvement by program, audit and procurement officials throughout the contract term. Factors influencing the degree of contract administration include the nature of the work, the type of contract, and the experience and commitment of the personnel involved. Contract administration starts with developing clear, concise performance-based statements of work to the extent possible and preparing a contract administration plan that cost-effectively measures the contractor’s performance and provides documentation to pay accordingly.
Remember: Post-award orientation, either by conference, letter or some other form of communication, should be the beginning of the actual process of good contract administration.
This communication process can be a useful tool that helps government and contractor achieve a clear and mutual understanding of the contract requirements, helps the contractor understand the roles and responsibilities of the government officials who will administer the contract, and reduces future problems.
It is helpful to have a pre-meeting with applicable program and contracting officials prior to the post-award orientation conference, so that there is a clear understanding of their specific responsibilities and restrictions in administering the contract. Items that should be discussed at the pre-meeting include such things as the authority of government personnel who will administer the contract, quality control and testing, the specific contract deliverable requirements, special contract provisions, the government’s procedures for monitoring and measuring performance, contractor billing, voucher approval and payment procedures.
Where appropriate, an alternative dispute resolution (ADR) technique known as “partnering” should be discussed with the contractor to help avoid future contract administration problems. Partnering is a technique to prevent disputes from occurring. It involves government and contractor management staff mutually developing a “plan for success,” usually with the assistance of a neutral facilitator. The facilitator helps the parties establish a non-adversarial relationship, define mutual goals and identify the major obstacles to success for the project. Potential sources of conflict are identified, and the parties seek cooperative ways to resolve any disputes that may arise during contract performance. The process results in the parties developing a partnership charter, which serves as a roadmap for contract success. Many agencies have successfully used partnering on construction projects and are now beginning to apply these principles in the automated data processing/information resources management area.
Good contract administration ensures that the end users are satisfied with the product or service being obtained under the contract. One way to accomplish customer satisfaction is to obtain input directly from the customers through the use of customer satisfaction surveys.
These surveys help to improve contractor performance because the feedback can be used to notify the contractor when specified aspects of the contract are not being met. In addition, the contracting and program officials can use the information as a source of past performance information on subsequent contract awards. Customer satisfaction surveys also help to improve communications between the procurement, program and contractor personnel.
Overcoming Weaknesses
Several weaknesses have been identified in contract administration practices used by civilian agencies. The principal problem is that contracting officials often allocate more time to awarding contracts than to administering existing contracts. This often leads to problems in contractor performance, cost overruns, and delays in receiving goods and services. Several other deficiencies have been noted, such as unclear roles and responsibilities of the contracting officer’s technical representatives (COTR), excessive backlog in contract closeout and incurred costs audits, improperly trained officials performing contract oversight, unclear statements of work that hinder contractor performance, and inadequate guidance on voucher processing and contract closeout.
These weaknesses were identified in reports issued by the Office of Management and Budget, namely, the “Report on Civilian Agencies Contracting Practices” (1992), the “Report on Service Contracting Practices” (1993) and the “Interagency Report on Civilian Agency Contract Administration” (1993).
The primary objective of the contract administration project is to establish best practices that agencies can use to improve contract administration to ensure responsiveness to customers and best value to taxpayers. Improving contract administration practices will help to achieve excellence in contractor performance so that the government receives goods and services on time and within budget. A Contract Administration Team has been established to plan and carry out this project. The team conducted interviews with contracting officials in the major departments and agencies and the private sector to gather best practices or tricks-of-the-trade that could be applicable on a government-wide basis. Also, guidance documents that have been developed by the agencies and the private sector were reviewed to help develop the best practices included in this guidebook.
Best Practices are defined as techniques that agencies may use to help detect and avoid problems in the acquisition, management and administration of contracts. Best practices are practical techniques gained from practical experience that may be used to improve the procurement process. Although several weaknesses have been identified as already mentioned, this guidebook provides best practices in three areas of contract administration: clarifying the COTR’s roles and responsibilities, improving methods of processing contract vouchers and invoices, and improving procedures for closing contracts. Matrixes have been developed that state the concerns surrounding these three areas, with suggested best practices that can be used to help address them.
Contracting Officer’s Technical Representative (COTR)
The government is becoming increasingly aware of the importance of proper contract administration in ensuring the maximum return on our contract dollars. The COTR plays a critical role in affecting the outcome of the contract administration process. The technical administration of government contracts is an essential activity. It is absolutely essential that those entrusted with the duty to ensure that the government gets all that it has bargained for must be competent in the practices of contract administration and aware of and faithful to the contents and limits of their delegation of authority from the contracting officer. The COTR functions as the “eyes and ears” of the contracting officer, monitoring technical performance and reporting any potential or actual problems to the contracting officer. It is imperative that the COTR stay in close communication with the contracting officer, relaying any information that may affect contractual commitments and requirements. The COTR’s contract administration duties can be simple or complex and time-consuming, depending on the type of contract, contractor performance and the nature of the work. Minimizing the use of cost-reimbursement contracts and relying more on fixed-price performance-based contracts should reduce the amount of resources and time devoted to contract administration. For example, a fixed-price contract requires less surveillance by the COTR than a cost-reimbursement contract requires with its technical surveillance and auditing of cost requirements.
Contract Closeout
Contract closeout begins when the contract is physically complete, i.e., all services have been performed and products delivered. Closeout is completed when all administrative actions have been completed, all disputes settled and final payment has been made. The process can be simple or complex depending on the contract type, particularly for cost-reimbursement contracts. This process requires close coordination between the contracting office, the finance office, the program office and the contractor.
Contract closeout is an important aspect of contract administration.
The contract audit process also affects contract closeout on cost-reimbursement contracts. Contract audits are required to determine the reasonableness, allowability and allocability of costs incurred under cost-reimbursement contracts. In addition to the pre-award audit of the contractor’s proposal, there is a cost-incurred audit of the contractor’s claim of incurred costs and a closeout audit to reconcile the contractor’s final claim under the contract to incurred costs previously audited. When there is a delay in completing the cost-incurred and closeout audits, contracting officials often cannot complete the closeout process for many cost-reimbursement contracts. Although the FAR does allow agencies to use quick closeout procedures (desk reviews) to close some cost-reimbursement contracts without a closeout audit, inconsistencies have been noted in the use of the procedures.
Step 6. Managing Contract & Vendor Relationship
It is important that contracting officials have a good working relationship with the agency’s auditors and the cognizant audit agency to accomplish contract closeout under cost-reimbursement contracts.
Concerns
Lack of Training on COTR Duties
Establishing a COTR training and certification program is a well-balanced approach that prepares the COTR to perform the job and also strengthens contract administration. Many agencies have a mandatory COTR training program. Although some may not, their COTRs still attend a basic COTR course; procurement ethics training; refresher COTR training; and Procurement Integrity training. COTRs are encouraged to keep pace with changes in procurement by completing a minimum of eight additional hours of contract administration training every three years, preferably through a refresher COTR training course. Courses in service contracting and preparing statements of work are very helpful for COTRs who handle complex contracts and service contracts; they help with preparation of the contract administration plan. In addition to the general training on COTR duties, many agencies have their contracting officers and the COTR review the contract in detail and concur on the specific oversight approach for the contract. To emphasize the importance of the COTR role, some agencies conduct Executive Seminars to train the COTRs’ supervisors. An example of a unique COTR certification program is one that correlates the amount of training to the dollar value and complexity of contracts:
The first level is a minimum of 16 hours of training for those COTRs who handle contracts of relatively low complexity and low contract management risk. The contracts are for dollar values of $1,000,000 or less and are fixed-price type or straightforward cost-type contracts.
The second level is a minimum of 40 hours of training for those COTRs who handle contracts of moderate to high complexity and contract management risk. The contracts are for dollar values greater than $1,000,000 and are cost-type contracts, specifically award-fee, incentive-fee or other complex contracts.
The third level is a minimum of 40 hours in addition to project management training for those COTRs who handle major systems contracts.
After the COTR certification process is completed, some agencies conduct a formal ceremony to present the certificate and acknowledge the importance of the COTR in monitoring contractor performance. A special emblem may be provided to the COTR indicating the specific area in which he/she has been certified.
Lack of a Well-Defined Relationship Between the Contracting Officer and the COTR
A partnership between the COTR and the contracting officer is essential to establishing and achieving contract objectives, because these two officials are responsible for ensuring that the contracting process is successful. Some agencies have developed a joint partnership agreement, signed during the pre-award phase, which defines how the parties will work together. The agreement contains milestones for the various actions to be taken by each party. In some cases, daily meetings between the COTR and the contracting officer are required. In many agencies, this is accomplished by contracting officers attending training with the COTR and discussing relevant questions and concerns about the contract. In other agencies, the teamwork concept is enhanced by designating the COTR early in the process, which helps the COTR become familiar with the program requirements and assist the contracting officer in developing the contract administration plan and the statement of work.
Must Do It is essential that the program personnel and the procurement office work as a team.
In an effort to help the contracting process work better and foster teamwork, the COTR should ensure that the contracting officer understands the program mission. In some cases, the COTR could invite the contracting officer to accompany him/her to meetings, conferences and inspections, so that the contracting officer can become familiar with the program requirements. Also this affords other field program personnel an opportunity to meet the contracting officer.
The COTR should furnish to the contracting officer a copy of government-contractor conference reports and correspondence in order to keep the contracting officer up-to-date on contractor performance. The COTR should be identified as the primary focal point for the customers to call concerning contractor performance. The COTR should also provide the customers with a copy of contract requirements. An example of a relationship that may exist between the procurement office and the program office is where the contracting officer works for and reports directly to the program manager. The program manager has full authority for fulfilling the requirements of the contract with the client. The contracting officer may be viewed as a facilitator who ensures that good contracting principles are adhered to while achieving the program’s goals.
Undefined COTR Roles and Responsibilities
Some COTRs view their job as a “plum assignment” because they know their judgment is critical to the success of the program requirements obtained through contracts. It is essential that program offices designate technically competent people with specialized qualifications and expertise as COTRs. The COTR is nominated in writing by the program organization, and notified by a designation letter written and signed by the contracting officer. In turn, the COTR acknowledges acceptance by signing and returning a copy of the designation letter to the contracting officer. The COTR letter should define the COTR’s role and list specific duties and tasks, including tasks that must not be performed. The letter can be tailored to each contract by listing the duties and tasks relevant to that contract. The COTR letter can also be signed by the COTR’s supervisor to indicate that he or she recognizes and accepts the demands on the COTR’s performance. A copy of the letter should be provided to the project officer and the contractor so they will understand clearly the COTR’s roles and responsibilities. The COTR can be designated in writing in the contract schedule. Some agencies specify the COTR’s name and duties in Section G, Contract Administration, of the contract. Some agencies have inserted a “Technical Direction” clause which establishes the scope of the COTR’s responsibilities in relation to the contractor. The clause further defines the role of the COTR during contract performance. As a result of lessons learned from contracting officials, COTRs should be responsible for the following:
Developing a cost-effective contract administration plan.
Following the plan to monitor contract performance.
Informing the contracting officer of any technical or contractual difficulties encountered during performance in a timely manner.
Informing the contractor of failures to comply with technical requirements of the contract or to show a commitment to customer satisfaction, particularly if the contractor does not make corrections.
Coordinating site entry for contractor personnel, if applicable.
Evaluating proposals for and participating in negotiation of changes, modifications and claims at the request of the contracting officer.
Maintaining a file that would contain the following: contract and any modifications, all contract correspondence, inspections, records, memos and conversations with the contractor, invoices/vouchers, COTR appointment letter and trip reports.
Performing final inspection/acceptance of all final work required under the contract, including the review/approval of reports.
Undefined Limitations of Authority
COTRs are responsible for understanding the contract terms and conditions and knowing the scope and limitations of their authority. COTRs are encouraged to contact the contracting officer for guidance if they are unclear about their authority or any aspects of the contract. Some agencies specify in Section G, Contract Administration, of the contract, information on the COTR’s limitation of authority. As a result of lessons learned from contracting officials, COTRs should avoid the following:
Awarding, agreeing to, modifying, increasing the scope and dollar value of, or signing any contract.
Making commitments or promises (oral or written) to any contractor.
Issuing instructions (oral or written) to a contractor to start or stop work.
Directing changes (oral or written).
Authorizing delivery or disposition of government-furnished property.
Obligating the government.
Granting deviations from or waiving any of the terms and conditions of the contract.
Changing the period of performance.
Authorizing subcontracting or the use of consultants.
Authorizing the use of overtime.
Executing a contract on behalf of the government.
Inadequate Surveillance and Monitoring of Contracts
The development of a contract administration plan is essential for good contract administration. The plan can be simple or complex but must specify what the performance outputs of the statement of work are, and describe the methodology used to conduct the inspections. This saves time and resources because the COTR is not monitoring the mundane, routine portions of the contract; instead the COTR is focusing on the major outputs of the contract. The contract administration plan should contain a quality assurance (QA) surveillance plan as a subpart. Development of a plan is important, since it provides a systematic, structured method for the COTR to evaluate the services and products that contractors are required to furnish. The QA plan should focus on the quality of the product delivered by the contractor and not on the steps taken or procedures used to provide that product. It includes appropriate use of pre-planned inspections, validation of complaints and random unscheduled inspections. Enhanced monitoring of contracts can be achieved by having government quality assurance monitors, technical inspectors and COTRs report on the contractor’s technical performance. They make site visits and speak with the contractor concerning the progress of the contract. Surveillance plans are used by them on a daily basis. Random samples are drawn, and schedules of inspection are made using a contract administration checklist. A sampling plan should be designed using quality standards. Monitoring should be commensurate with the criticality of the service or task and the resources available to accomplish the monitoring.
Many agencies have found that documenting surveillance and monitoring are key elements of the contract administration process.
Tip
As a result of lessons learned from contracting officials who monitor cost-reimbursement contracts, COTRs should perform a head count periodically, examine time cards and sign-in sheets, review the overtime, and maintain spreadsheets to track direct costs and expenses. Another valuable monitoring tool is reviewing contractor reporting requirements, such as progress reports, shop plans and blueprints, which often can uncover potential cost overruns, late deliveries and poor contractor performance. Whatever form of monitoring the government utilizes, care should be taken so that the contractor does not have just cause to cite COTR interference in its operations. Convening quarterly meetings with top-level contractor officials and agency senior procurement and program officials to discuss the contractor’s performance helps the COTR ensure that contract terms and conditions are being followed. Consider the use of customer satisfaction surveys for major contracts to determine how program officials, customers and others interacting with the contractor evaluate the contractor’s performance. Some private sector firms now use customer satisfaction surveys to help assess how customers feel about the services they are receiving.
Lack of Incentives
Consider giving an incentive award to the COTR of the year, based on such criteria as the amount of savings achieved, quality, timeliness, minimum technical contract changes and customer satisfaction. Some agencies cover COTR duties in the COTR position description and have contract administration as a critical job element in the COTR’s performance evaluation. This is essential for COTRs who handle large, complex contracts, especially cost-reimbursement ones, that require extensive surveillance. An agency COTR newsletter is one mechanism for promoting the accomplishments of the COTR, as well as providing information on changes in procurement laws and legislation.
Voucher/Invoice Review, Approval and Processing
Voucher processing is just as important as any other aspect of contract administration. Payment to the contractor for the supplies and services delivered is the government’s obligation under the contract. The government expects the contractor to meet all contract requirements for quality, quantity and timeliness. The contractor expects no less of the government in meeting its obligation to make timely, accurate payment for supplies and services received. A plan or process for quickly and efficiently meeting this obligation is as essential as the COTR’s oversight monitoring plan. Therefore, it is incumbent upon program, procurement and finance officials to understand clearly their roles and responsibilities related to reviewing and processing vouchers. This will ensure that payment is only made to contractors who perform in accordance with contract terms and conditions. It is essential that these tasks are discussed with the contractor and COTR during the post-award orientation conference. An important aspect of voucher review, approval and processing is good communication between the COTR, contracting officer and finance official to ensure that payment is made on time.
Concerns
Unclear roles and responsibilities of procurement, program and finance officials with regard to review and approval of contractor invoices and vouchers.
Although a recommendation for approval is often obtained from the COTR, authority to approve or disapprove payment of vouchers and invoices is the responsibility of the contracting officer. Creating a good working relationship between the contracting officer, the financial office and the COTR is a key element in the voucher review and approval process. This, in turn, helps agencies to comply with the Prompt Payment Act. Reviewing the first voucher in detail with the contractor as to format and level of detail makes the second and subsequent vouchers easier to review and process. COTRs are in the best position to assess the reasonableness of costs and expenditures on vouchers and invoices. COTRs must always remember that payment to a contractor implies work is progressing according to the contract; therefore, COTRs must be assured that the government is getting what it is paying for. The COTR’s recommended approval of a voucher implies that, to the best of the COTR’s knowledge, the nature, type and quantity of effort or materials being expended are in general accord with the progress of work under the contract. COTRs support the contracting officer and ensure that payments are made only to contractors that perform according to contract terms and conditions by monitoring the contractor’s performance through review of monthly reports, onsite visits and surveillance reviews. It may be helpful for agencies to have procedures that require the COTR to certify on the invoice that supplies and services have been received and accepted. In some cases, the contracting officer may designate a resident DCAA auditor as the contracting officer’s representative for reviewing and approving vouchers under cost-reimbursement contracts. Contracting and financial officials should always check the mathematical accuracy of the voucher to avoid any overpayment to the contractor. Financial officials should ensure that a copy of each paid voucher is returned to the contracting office for inclusion in the official contract file.
Inconsistent review and approval by contracting officials of vouchers for cost-reimbursement contracts prior to payment.
More in-depth review of vouchers under cost-reimbursement contracts is needed to ensure that costs are not being incurred prematurely and relate to progress under the contract. Although agencies may have different procedures to review and approve vouchers, some agencies have successfully avoided problems by having contracting officials review each voucher.
Insufficient guidance to Contracting Officer’s Technical Representatives (COTRs) on how to conduct voucher reviews.
When reviewing vouchers under cost-reimbursement contracts, COTRs should check the voucher date against the contract performance period to ensure that costs are being billed for the proper timeframe, and compare the contractor’s billing rates against the contract rates to ensure that indirect costs are being billed properly. These measures, along with monitoring the contractor’s performance, help the COTR determine if claimed costs are reasonable for the period covered by the voucher. In addition, comparing the contractor’s production report with any information gathered through monitoring the contractor’s performance gives the COTR some indication of the contractor’s workload. If the contractor reports the same workload for two different tasks, this is an indication to the COTR that something may be wrong with the invoice, and it should be discussed with the contractor. When reviewing vouchers under cost-reimbursement contracts, the COTR should review the contractor’s time cards, sign-in sheets and overtime records to help assess the reasonableness of direct labor costs. Maintaining monthly reports or spreadsheets on costs incurred against the contract amount helps the COTR monitor the contractor’s expenditures under the contract. A checklist or some other voucher review form that includes the major cost categories (labor, travel, supplies, other direct costs and subcontract costs) may be a useful tool in reviewing vouchers to determine the reasonableness of the contractor’s claimed costs. The checklist helps the reviewing official remember to check all cost categories before recommending approval of the voucher for payment.
No assessment of reasonableness of direct costs when approving vouchers under cost-reimbursement contracts. (Only technical progress and product or service quality are reviewed).
Some agencies conduct a financial management review of the contractor’s current invoices during contract performance. The review is conducted at the contractor’s location. The review helps the agency determine if the contractor’s accounting and billing systems, and internal control policies and procedures, are adequate to support the costs claimed on the invoice. The review, which may be done by in-house officials with audit experience, results in timely recovery of overpayments and lost interest, and settles cost allowability issues and other matters associated with the contractor’s invoice. The review can fill the gap between the initial invoice review and the contract audit.
No verification that approved indirect cost rates are being used.
If there are large cost-reimbursement contracts where a resident DCAA auditor is at the contractor’s location, consideration should be given to sending a copy of the voucher directly to DCAA for review prior to payment. This reduces the burden on the contracting officer and helps detect unallowable costs. Subsequent review by the COTR helps the contracting officer determine if contractor performance is commensurate with the amount shown on the voucher.
Insufficient policies and procedures on voucher submission and approval.
Notify contractor of defects in invoice, i.e., an “improper invoice,” within seven (7) days after receipt. Authorization to pay may be indicated by an approval stamp on the reverse of the original voucher.
Insufficient information on the voucher for thorough desk review of claimed costs to determine allowability, allocability and reasonableness.
Including detailed billing instructions in the contract provides information to the contractor on how to complete vouchers and invoices properly. The instructions could provide samples of how a voucher should be prepared and submitted to the government for payment. When appropriate, it may be helpful to define in the contract the distinction between a completion voucher (cumulative claim and reconciliation) and a final voucher, so that the contractor can provide correct information on the voucher. If the contractor provides its final settlement of claimed costs on the completion voucher, that voucher should be considered the final voucher.
Delays in processing vouchers.
Designating alternate COTRs and contracting officers that have authority to review and approve contractor vouchers and invoices may alleviate delays in the approval process. Performance measurements may be useful tools to help the finance office determine how well the agency is doing in reviewing and processing invoices/vouchers for payment in order to comply with the Prompt Payment Act. Prompt payment performance standards may help detect weaknesses in the process and, thus, improve business relationships with the contractors, and reduce costs to the government. Tracking such performance data as the amount and number of penalty payments, the reason, number and amount of discounts taken, the number and amount of lost discounts, and late payments provide valuable information to the finance office. Established standards, i.e., the number of days for review and approval by the contracting officer and COTR, help to process vouchers in a timely manner. If timely payment of vouchers is a problem, a dedicated person in the contracting office (normally a clerical position) may be needed to log vouchers in and out, check figures for accuracy, and assist the contracting officer, the financial officer and COTR in timely processing of vouchers and invoices.
Insufficient documentation, record keeping and tracking of invoices and vouchers.
Maintaining a voucher payment log, either manually or computerized, in the contract file helps to track the contractor’s claimed costs and fee (if applicable) against contract costs and fee. Maintaining a copy of each paid voucher in the official contract file helps to ensure proper accountability. Establishing a separate post office box for receipt of vouchers may help to avoid delays in processing. Automated invoice tracking systems may help to track vouchers and provide information to show if they are delinquent for payment because standards were not met. Automated invoice tracking systems may provide such reports as: voucher status by specialist, overdue vouchers, vouchers that have been rejected and voucher history. Contractor support may be used, if necessary, to operate the automated invoice tracking system. Care should be taken to ensure that the contractor does not make decisions about vouchers that should be made by contracting officials. Sending a list of names of authorized persons to sign invoices and vouchers on each contract to the finance office with periodic updates avoids delays in paying vouchers.
Lack of management attention to contract closeout.
Establishing a separate closeout function within the contracting organization emphasizes the importance of contract closeout. The best time to concentrate on contract closeout is during the October to February timeframe, when the contract placement workload may be lighter. Using contractor support may be an efficient way to accomplish contract closeout when in-house resources are limited. Such administrative functions as creating the closeout file, soliciting required closeout forms from internal organizations and obtaining the contractor’s release are duties that can be performed through contractor support, as long as the forms are executed and approved by the contracting official. Although the contract specialist continues to work with the contractor through physical completion under “cradle-to-grave” contract administration, this does not prohibit a separate group from performing the closeout function. For civilian agencies, entering into agreements with the Defense Contract Management Command (now the Defense Contract Management Agency, DCMA) to perform contract administration and contract closeout functions may be useful when in-house resources are limited. Rewarding employees through incentive awards (i.e., on-the-spot cash awards) for the highest number of closeouts completed is a good motivating factor. Using measurement standards, such as those prescribed in the FAR for closing various types of contracts, helps to keep the focus on the closeout effort. Cross-training in contract closeout is good for contract specialists, as it helps them to understand the importance of writing good contracts.
Poor management information systems to monitor the contract closeout process.
Consider using a management information system with milestones to track contract closeout from physical completion through final payment. Integrating the closeout system with a word-processing capability allows for automatic generation of closeout letters, which speeds up the closeout process. Using contractor support for data entry services may be an alternative when in-house resources are limited.
Poor coordination between contracting activity, inspectors general (IG) and cognizant audit agency.
It may be helpful to notify the IG and the cognizant audit agency whenever a cost-reimbursement contract is awarded that requires an incurred cost or indirect cost rate proposal audit. Providing that information at the time of award helps the audit agency program future requirements into its workload projections. Forecasting audit needs and communicating those needs to the IG and the cognizant audit agency helps to improve working relationships. Developing an information management system may be a useful tool to facilitate that process. Prioritizing audit requirements and communicating these requirements to the IG and the cognizant audit agency helps in projecting the audit workload. Specifically stating in the audit request any special information that should be included in the audit report makes the report more useful and improves working relationships between the contracting office, the IG’s office and the cognizant audit agency. Using a team approach consisting of contracting officials and audit staff to determine which contractors should be audited helps to forecast audit requirements better. Sharing with the cognizant audit agency such information as a listing of prime and subcontracts awarded that are subject to defective pricing reviews, or contracts physically completed but not closed for over three years, helps the auditors better define the audit backlog, determine audit resources and prioritize contractor locations for audits. Subsequently, requesting the cognizant audit agency to provide such information as the directory of for-profit contractors with the audit office responsible for each contractor’s audit, and those contractors that are late in submitting their indirect cost rate proposals or submitted inadequate proposals, helps the contracting office project its closeout workload.
Large backlog of unscheduled audits.
To the extent practicable, using quick closeout procedures helps to reduce the audit workload. When a determination can be made that there is no evidence of fraud or waste, the contractor’s performance is good, and there is no history of unallowable costs, then quick closeout procedures may be appropriate. Performing risk assessments to determine contractors that should be audited will help to better manage the audit workload. Using more fixed-price contracts helps to reduce the requirements for contract audits. Encouraging contractors to submit their final vouchers in a timely manner avoids delays in requesting the final closeout audit under cost-reimbursement contracts. Using rate checks (labor and indirect cost rate) to the maximum extent possible instead of full-blown audits, when such audits would not add value, helps to reduce audit backlog.
Noncompliance with FAR provision for submitting Indirect Cost Rate (ICR) Proposals by some contractors delays the audit process.
Using the post-award orientation session to educate the contractors (in particular small business firms) on the requirements for contract closeouts and the need to submit ICRs in a timely manner should help make the closeout process easier.
Avoiding disputes in contract closeout.
Claims sometimes cause closeout problems. An alternative dispute resolution technique known as “partnering” should be considered. Creating a partnership agreement with the vendor helps to avoid disputes. Having the partnership agreement signed by all parties – the contracting officer, COTR and the vendor – creates a buy-in to the overall goal: “Completion on time, within budget and without claims.”
Lack of a specific dollar threshold for using quick closeout procedures.
Using specific dollar thresholds for quick closeouts may be practicable as long as the government’s interests are protected, low risk is involved and indirect rates can be verified. The contractor’s history of incurred costs, billings and performance is an additional factor to be considered when establishing thresholds for using quick closeouts. Establishing a good working relationship with the finance office helps in the closeout process. Getting the finance office to provide a listing of contracts where money will be lost if final settlement does not occur helps to target attention on those contracts that may be closed through quick closeout procedures.
Closeout documentation.
Always use a checklist and include it in the contract file when closing contracts. This helps to ensure that all actions have been completed.
Checklist
Specific contract management issues pertinent to cloud computing include:
Re-certification/Re-inspection
SLA/KPI Monitoring
Audit Rights
DR/BC Obligations in Event of Disaster
Data Breaches
Vendor Continued Viability
Payment for Performance
Compliance
Re-certification/Re-inspection
As noted earlier, to ensure an ongoing level of service, and that there are no material changes to the cloud vendor’s infrastructure and security, the cloud vendor should be responsible for re-certifying or re-auditing its infrastructure and security on at least an annual basis, as well as immediately following any actual or reasonably suspected data breach. The cloud vendor should be obligated to provide the customer with the reports resulting from the re-certification/re-audit process. The customer must track the cloud vendor’s progress in complying with this responsibility. The customer must also thoroughly review these reports every time they are received, confirming that the report’s scope and audit period actually cover the services, data centers and controls the customer relies on, and that it confirms that contractually mandated infrastructure and security mechanisms and processes remain effectively in place. Should the results of any subsequent certification or audit be unsatisfactory, there should be a contractual requirement to notify you immediately, and if the deficiency is not promptly cured, this should be cause for breach. If you have negotiated rights to inspect the cloud vendor’s data center(s), then re-inspections should also be done on an annual basis to ensure that contractually mandated infrastructure and security mechanisms and processes remain effectively in place, and that any shortcomings are effectively addressed.
SLA/KPI Monitoring
Once you have moved to the cloud, you have the responsibility to ensure that the terms of the SLAs are being met and that the KPIs are monitored. It is the KPIs that accurately reflect the vendor’s ongoing performance against the contract. Once you have defined your KPI parameters and the acceptable range for each, you can work with your vendor to create alerts when performance falls outside that range. By analyzing the reason for each excursion, you can continually optimize performance and hold the vendor to the SLA.
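The check described above, as an added example that is not from this book or any vendor’s tooling: it computes a month’s availability, p95 latency and Severity-1 response KPIs from constructed measurements and raises an alert for each KPI that falls outside its contracted range. The SLA thresholds, outage records, latency samples and ticket response times are all assumed for illustration, not taken from any real contract or vendor.

```python
"""Added example: monthly SLA/KPI check that raises alerts when a measured
KPI falls outside the contracted range. Not from the book; all data and
thresholds below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime
from math import ceil


@dataclass(frozen=True)
class Outage:
    start: datetime
    end: datetime


@dataclass(frozen=True)
class Alert:
    kpi: str
    observed: float
    threshold: float
    direction: str  # "min": observed must be >= threshold; "max": must be <= threshold


# Assumed SLA terms (hypothetical, not any real vendor's contract).
SLA = {
    "availability_pct": (99.9, "min"),
    "p95_latency_ms": (500.0, "max"),
    "sev1_responses_over_60min": (0, "max"),
}


def downtime_minutes(outages, period_start, period_end):
    """Sum outage minutes inside the reporting period. Each outage is clipped
    to the period so an incident that straddles a month boundary is only
    counted for the part that falls in this month."""
    total = 0.0
    for o in outages:
        start = max(o.start, period_start)
        end = min(o.end, period_end)
        if end > start:
            total += (end - start).total_seconds() / 60
    return total


def availability_pct(outages, period_start, period_end):
    period_minutes = (period_end - period_start).total_seconds() / 60
    down = downtime_minutes(outages, period_start, period_end)
    return 100.0 * (1 - down / period_minutes)


def percentile(values, p):
    """Nearest-rank percentile; p is 0..100. SLAs usually quote p95 latency
    rather than the mean, because the mean hides the slow tail."""
    if not values:
        raise ValueError("no samples")
    ordered = sorted(values)
    rank = max(1, ceil(p * len(ordered) / 100))
    return ordered[rank - 1]


def evaluate(observed, sla=SLA):
    """Compare each observed KPI with its contracted threshold."""
    alerts = []
    for kpi, (threshold, direction) in sla.items():
        value = observed[kpi]
        breached = value < threshold if direction == "min" else value > threshold
        if breached:
            alerts.append(Alert(kpi, value, threshold, direction))
    return alerts


def monthly_report(outages, latencies_ms, sev1_response_minutes,
                   period_start, period_end, sla=SLA):
    observed = {
        "availability_pct": availability_pct(outages, period_start, period_end),
        "p95_latency_ms": percentile(latencies_ms, 95),
        "sev1_responses_over_60min": sum(1 for m in sev1_response_minutes if m > 60),
    }
    return observed, evaluate(observed, sla)


# Constructed January 2024 measurements (not real vendor data).
PERIOD_START = datetime(2024, 1, 1)
PERIOD_END = datetime(2024, 2, 1)
OUTAGES = [
    Outage(datetime(2023, 12, 31, 23, 50), datetime(2024, 1, 1, 0, 10)),  # 10 min counted
    Outage(datetime(2024, 1, 10, 2, 0), datetime(2024, 1, 10, 2, 30)),    # 30 min
    Outage(datetime(2024, 1, 22, 14, 0), datetime(2024, 1, 22, 14, 25)),  # 25 min
]
LATENCIES_MS = list(range(120, 300, 10)) + [450, 900]  # 20 samples
SEV1_RESPONSE_MINUTES = [15, 45, 75]  # minutes to first response per Sev-1 ticket

if __name__ == "__main__":
    observed, alerts = monthly_report(OUTAGES, LATENCIES_MS, SEV1_RESPONSE_MINUTES,
                                      PERIOD_START, PERIOD_END)
    for kpi, value in observed.items():
        print(f"{kpi}: {value:.3f}")
    for a in alerts:
        print(f"ALERT {a.kpi}: observed {a.observed:.3f}, "
              f"contract {a.direction} {a.threshold}")
```

With the constructed data, 65 minutes of downtime in a 44,640-minute month gives 99.854 percent availability, below the assumed 99.9 percent floor, and one Severity-1 ticket exceeds the 60-minute response target, so two alerts are raised while p95 latency (450 ms) stays within range. Two design points matter when you build this against a real contract: outages must be clipped to the reporting period the SLA defines, since vendors and customers otherwise disagree about which month an incident belongs to, and the direction of each KPI (higher is better versus lower is better) must be recorded with its threshold so a misconfigured comparison does not silently hide a breach.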
Audit Rights Audits are essential to ensure your data is secure, that the vendor is performing as required and to be in compliance with regulatory rules and data security laws. If a vendor fails to meet the audit contractual requirements it should trigger warning bells and demand your immediate action. It is the customer’s responsibility to continue regular audits of the cloud vendor’s records for the duration of the agreement to ensure that the service continues to be provided within the agreed-upon parameters.
DR/BC Obligations in Event of Disaster As discussed earlier, your negotiated contract should include language detailing the vendor’s disaster recovery/business continuity obligations. This is all to prepare you should a disaster occur. In the event of such a disaster, it is important that you actively manage the vendor relationship to ensure that the vendor fulfills these obligations, including RTOs and RPOs, and that any gaps in your access to the service are minimal.
Data Breaches
As detailed in Step 5, it is essential that you negotiate to include contractual language that effectively addresses the vendor’s responsibilities should a data breach occur. While we all hope that such an event never occurs for us, you need to be prepared to take additional steps should you ever receive a data breach notification from your cloud vendor. Should such an unfortunate event occur, you will need to actively engage and manage your relationship with the vendor to ensure that they keep you notified regarding the pertinent details within the negotiated timeframe, have investigated the circumstances of the breach, cut off the unauthorized data access, identified the causes of the breach, and taken corrective actions to effectively prevent any recurrence. Additionally, should you incur any financial or reputational costs as a result of the breach, you will need to work with the vendor and/or cyber-risk insurance provider to ensure indemnification and/or that your costs are appropriately reimbursed. If there are any resulting legal requirements to notify others, then you may need to coordinate that process with the vendor, including determining which specific individuals require notification, credit checks and other assistance.
Vendor Continued Viability – Proactively Monitor
It is your responsibility as part of ongoing due diligence to ensure that your vendor continues to have the ongoing financial and organizational ability to satisfactorily provide the services promised. There are a number of data points that you can proactively monitor to track vendor viability:
Financial Trouble – check the financial pages and IT business magazines to see if there are any negative stories about the vendor that would suggest it is in financial difficulties.
Significant Customers Leaving Business – if the vendor is losing a lot of customers, there’s likely to be a reason for it. Call one of the departing customers, and ask why they left.
Executives Leaving Company – it is never a good sign when several senior executives leave a company in a short period of time. They know something that perhaps you should.
Diminished Customer Service – if customer service starts to suffer, reports are not forwarded on time, or KPIs are not being met and so on, find out why. There is obviously a problem.
Insurance Lapse – if a vendor allows an insurance policy to lapse it is time to bail out fast.
Repetitive Missed SLAs – repeated failures to meet the terms of the SLA are another red flag. In fact, you shouldn’t wait for repeated failures. Challenge each failure as it occurs.
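The SLA/KPI monitoring section above says to alert when performance falls out of range, and the list item just above says to challenge each missed SLA as it occurs and watch for repeated misses. The following is an added example, not material from the book or from any vendor's tooling: a small tracker that evaluates constructed monthly vendor reports against hypothetical contract thresholds (availability floor, incident response target, report due date), raises an alert for every miss, flags a KPI as repetitive once it has been missed in consecutive months, and computes a hypothetical tiered service credit of the kind a payment-for-performance clause might specify. All thresholds, credit tiers and sample figures are assumptions for illustration.

```python
"""KPI/SLA tracker over constructed monthly vendor reports (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SlaTerms:
    """Hypothetical contract thresholds; not taken from the book."""
    min_availability_pct: float = 99.9   # monthly uptime floor
    max_response_minutes: float = 30.0   # average incident acknowledgement target
    report_due_day: int = 10             # monthly report due by this day of the next month
    repeat_threshold: int = 2            # consecutive misses that count as "repetitive"


@dataclass(frozen=True)
class MonthlyReport:
    """One month of KPI figures as the vendor would report them (constructed)."""
    month: str
    availability_pct: float
    avg_response_minutes: float
    report_delivered_day: int   # day of the following month on which the report arrived


def evaluate(report, terms):
    """Return the names of the KPIs this month's report fails to meet."""
    misses = []
    if report.availability_pct < terms.min_availability_pct:
        misses.append("availability")
    if report.avg_response_minutes > terms.max_response_minutes:
        misses.append("response_time")
    if report.report_delivered_day > terms.report_due_day:
        misses.append("reporting")
    return misses


def service_credit_pct(availability_pct, terms):
    """Hypothetical tiered credit: 0 if the floor is met, 10 below it, 25 below 99.0."""
    if availability_pct >= terms.min_availability_pct:
        return 0
    if availability_pct >= 99.0:
        return 10
    return 25


def monitor(reports, terms):
    """Walk reports in date order; produce alerts, repeat flags and credits.

    alerts: (month, kpi, consecutive_misses) for every individual miss, so each
            failure can be challenged as it occurs.
    repeat_flags: KPIs missed in >= repeat_threshold consecutive months.
    credits: month -> service credit percentage owed under the hypothetical clause.
    """
    alerts = []
    streak = {"availability": 0, "response_time": 0, "reporting": 0}
    credits = {}
    repeat_flags = set()
    for r in reports:
        misses = evaluate(r, terms)
        for kpi in streak:
            if kpi in misses:
                streak[kpi] += 1
                alerts.append((r.month, kpi, streak[kpi]))
                if streak[kpi] >= terms.repeat_threshold:
                    repeat_flags.add(kpi)
            else:
                streak[kpi] = 0   # a good month resets the consecutive-miss count
        credits[r.month] = service_credit_pct(r.availability_pct, terms)
    return {"alerts": alerts, "repeat_flags": sorted(repeat_flags), "credits": credits}


# Constructed sample reports: one clean month, then two months of slipping performance.
SAMPLE_REPORTS = [
    MonthlyReport("2011-01", 99.95, 22.0, 8),
    MonthlyReport("2011-02", 99.80, 28.0, 9),    # availability miss
    MonthlyReport("2011-03", 99.70, 35.0, 12),   # availability again, plus response and reporting
    MonthlyReport("2011-04", 99.97, 20.0, 7),
]

if __name__ == "__main__":
    result = monitor(SAMPLE_REPORTS, SlaTerms())
    for month, kpi, n in result["alerts"]:
        print(f"ALERT {month}: {kpi} missed ({n} consecutive)")
    print("repetitive misses:", result["repeat_flags"])
    print("service credits:", result["credits"])
```

The streak reset on a good month is deliberate: the book's advice is to challenge every failure, and the per-miss alert does that, while the repeat flag is reserved for the pattern that signals a viability problem rather than a one-off incident.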
Payment for Performance
Performance is not only important for you as the agency to ensure you and your users get the services contracted, it is also important to the vendor, especially if performance is tied to payment. By working together you can ensure that both your objectives are met.
Compliance
Both the technology and the legal/regulatory environment continue to evolve. As laws evolve, it may be necessary to track the implications of those changes on your use of the cloud service, as well as the vendor’s continued compliance. To ensure that your contract remains current, it’s important to review at least annually and update to reflect any pertinent changes. While the vendor is contracted to ensure that everything is done in compliance with all relevant regulations and laws, the onus is on you to make sure this happens.
Compliance is becoming more complex as foreign countries enact their own data protection and privacy laws on top of federal and state laws and regulations, and industry regulations, such as HIPAA for health data and PCI DSS for card payments. The project manager, compliance officer, CIO, CFO and CEO are among those with responsibility for ensuring compliance. The task can be made a little easier if you have chosen the right vendor with sound data protection and compliance practices. That is why it is important to include all these issues in a comprehensive SLA, and then to continue monitoring them for the lifetime of the contract.
Relationship Advice for Contract Managers
Not only is the agency team very important to the success of a service acquisition, a positive relationship between the agency and the vendor in executing the requirement is equally important. The contract manager’s relationship with the performing contractor should be one that promotes a strong and positive business alliance to achieve mutually beneficial goals, i.e., timely delivery and acceptance of quality services through efficient business practices. It should encourage effective communication, teamwork, cooperation and good faith performance between the parties to meet mission objectives and resolve conflict and problems. This business relationship should seek to create a cooperative attitude in executing government contracts. Each party should seek to understand the goals, objectives and needs of each party. It is essential that government and industry work together as a team, communicate their expectations, agree on common goals and methods of performance and identify problems early on to achieve desirable “win-win” outcomes.
Conclusion
Cloud computing is already huge, and it is likely to get even bigger in the years ahead as federal agencies adopt it both to cut costs and increase efficiencies. It is recognized that there are risks, but government agencies and the private sector working together can overcome them. For those tasked with developing a cloud program and migrating services to the cloud, it can seem like a daunting task. Hopefully, this book will assist you with this. Understanding the many technical, operational and legal requirements is one of the first steps, and these issues are dealt with in this book. Another important step is in building the right team to help you succeed. Because migrating to the cloud has such a broad set of implications ranging from meeting your business needs to ensuring compliance with organizational policy and the law, its scope typically extends beyond the responsibilities of any one existing position or role. So don’t go it alone. To effectively address these issues, leverage existing resources and build partnerships among:
Business Process Owners
IT Contracts/Vendor Management
IT Security/Policy
Legal Affairs
Procurement
Internal Audit
Working together, these key players can effectively manage the wide-ranging implications and risks associated with adopting a cloud computing solution. Working together you can also develop guidelines and best practices regarding the appropriate acquisition and use of cloud computing services.