Buying cloud is an evolving art. The heart of the cloud business model, à la carte or consumption-based pricing, is an evolving beast. There still is no universal model for the buy-by-the-drink philosophy that is integral to the cloud value proposition. And the other key terms, those that really should be in what is euphemistically called a “Service Level Agreement” or SLA, are still largely ad hoc and vary across many government agencies.
GAO has sought to clear the air on this knotty problem. In April, it released another in its series of reports about the state of cloud computing within the federal government. This report catalogued the ten best practices that government customers should address when negotiating to procure cloud service offerings.
The list is important to cloud service providers, not least because they can expect to see these terms in a growing number of cloud procurements. These terms will define the expectations and requirements between the cloud service provider and the government in terms of the nature, reliability and cost of the cloud service offering.
GAO identified ten key “best practices” for agencies to follow when negotiating an SLA. These involve such areas as defining expectations, ensuring cybersecurity and establishing consequences. The list is pretty straightforward:
(1) Always define the roles and responsibilities of the major stakeholders involved in the performance of the SLA and cloud contract. These definitions would include, for example, the persons responsible for oversight of the contract, audit, performance management, maintenance, and security. This seems pretty basic, but you would be amazed how many contracts omit this kind of key data.
(2) Identify and explain key terms, including the activation date and performance, and resolve any ambiguities in the definitions of cloud computing terms so that the agency knows the level of service it can expect from its cloud provider. Without clearly defined roles, responsibilities, and terms, the agency may not be able to appropriately measure the cloud provider’s performance. For the provider, ensure that these definitions match the specific business model and cloud offering that is actually being provided.
(3) Define the performance measures of the cloud service, including who is responsible for measuring performance. These measures would include, among other things, the availability of the cloud service; the number of users that can access the cloud at any given time; and the response time for processing a customer transaction. Performance parameters give both the agency and the service provider a well-defined set of instructions to be followed. Note that both NIST and the agencies are rapidly defining very specific performance metrics that can be expected to become part of government contracts very soon.
(4) Specify how and when the agency would have access to its data, including how data and networks will be managed and maintained throughout the life cycle of the service. Provide any data limitations, such as who may or may not have access to the data and whether there are any geographic limitations. Data portability is becoming a very big issue for government, as are continuing concerns to avoid any cloud vendor “lock in.”
(5) Specify management requirements, for example, how the cloud service provider would monitor the performance of the cloud, report incidents, and how and when they would plan to resolve them. In addition, identify how and when the agency would conduct an audit to monitor the performance of the service provider, including access to the provider’s performance logs and reports. For the cloud provider, ensure that the incident reporting obligations are not conflicting and are very clear. Avoid multiple points of contact. Also ensure that the reporting requirements do not violate existing privacy requirements or the confidentiality of other customer data.
(6) Provide for disaster recovery and continuity of operations planning and testing. This includes, among other things, performing a risk management assessment; how the cloud service would be managed by the provider in the case of a disaster; how data would be recovered; and what remedies would apply during a service failure.
(7) Describe applicable exception criteria for when the cloud provider’s service performance measures do not apply, such as during scheduled cloud maintenance or when updates occur. Without any type of performance measures in place, agencies would not be able to determine whether the cloud services under contract are meeting expectations. For the cloud provider, fully disclose and identify policies governing maintenance and patches.
(8) Specify the security performance requirements that the service provider is to meet. This would include describing security performance metrics for protecting data, such as data reliability, data preservation, and data privacy. Clearly define the access rights of the cloud service provider and the agency as well as their respective responsibilities for securing the data, applications, and processes to meet all federal requirements. For the cloud provider, make sure that the government’s obligations regarding use and access are fully articulated, particularly for on-premises or hybrid cloud offerings.
(9) Describe what would constitute a breach of security and how and when the service provider is to notify the agency when the requirements are not being met. Without these safeguards, computer systems and networks as well as the critical operations and key infrastructures they support may be lost, and information—including sensitive personal information—may be compromised, and the agency’s operations could be disrupted.
(10) Specify a range of enforceable consequences, including the terms under which a range of penalties and remedies would apply for non-compliance with the SLA performance measures. Identify how such enforcement mechanisms would be imposed or exercised by the agency. Without penalties and remedies, the agency may lack leverage to enforce compliance with contract terms when situations arise.
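Items (3), (7) and (10) only work together if the availability measure, the exception windows and the penalty schedule are computed the same way by both parties. The following is an added example, not part of the GAO report or of the authors’ text, showing how an agency (or the provider) would turn those three clauses into a reproducible calculation: measured downtime is clipped to the reporting period, downtime that falls inside a scheduled maintenance window is excused under the exception criteria, and the adjusted availability is mapped to a service-credit tier. The reporting period, outage records, maintenance window and credit thresholds are all constructed sample values, not figures from any real contract.

```python
"""Reproducible SLA availability measurement with exception windows and credit tiers.

Added example only; the dates, outages and credit tiers below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Interval:
    """A half-open time span [start, end)."""
    start: datetime
    end: datetime

    def overlap(self, other: "Interval") -> timedelta:
        """Length of time this interval shares with `other` (zero if disjoint)."""
        lo = max(self.start, other.start)
        hi = min(self.end, other.end)
        return max(hi - lo, timedelta(0))


def availability(period: Interval, outages: List[Interval],
                 maintenance: List[Interval]) -> Tuple[float, float]:
    """Return (raw, adjusted) availability for the reporting period.

    raw      - fraction of the whole period the service was up (no exceptions).
    adjusted - item (7): scheduled maintenance is removed from the eligible time
               and outage minutes inside a maintenance window are excused.
    Assumes maintenance windows do not overlap one another.
    """
    total = period.end - period.start
    excluded = sum((period.overlap(m) for m in maintenance), timedelta(0))
    raw_down = timedelta(0)
    counted_down = timedelta(0)
    for outage in outages:
        in_period = period.overlap(outage)
        if in_period == timedelta(0):
            continue  # outage lies entirely outside the reporting period
        raw_down += in_period
        # Clip the outage to the period before checking it against maintenance,
        # so excused time is never larger than the counted time.
        clipped = Interval(max(outage.start, period.start),
                           min(outage.end, period.end))
        excused = sum((clipped.overlap(m) for m in maintenance), timedelta(0))
        counted_down += in_period - excused
    eligible = total - excluded
    return 1 - raw_down / total, 1 - counted_down / eligible


# Item (10): enforceable consequences. Tiers are (minimum availability, credit
# fraction) checked from best to worst; anything below the last tier gets the floor.
CREDIT_TIERS: List[Tuple[float, float]] = [
    (0.999, 0.00),   # met the target: no credit owed
    (0.990, 0.10),   # constructed tier values
    (0.950, 0.25),
]


def service_credit(adjusted: float, tiers=CREDIT_TIERS, floor: float = 0.50) -> float:
    """Map an adjusted availability figure to the contractual credit fraction."""
    for threshold, credit in tiers:
        if adjusted >= threshold:
            return credit
    return floor


def sample_report() -> Dict[str, float]:
    """Run the calculation over constructed January 2024 records."""
    period = Interval(datetime(2024, 1, 1), datetime(2024, 2, 1))          # 744 h
    maintenance = [Interval(datetime(2024, 1, 10, 2), datetime(2024, 1, 10, 4))]  # 2 h
    outages = [
        Interval(datetime(2024, 1, 5, 10), datetime(2024, 1, 5, 11, 30)),   # 1.5 h
        Interval(datetime(2024, 1, 10, 2, 30), datetime(2024, 1, 10, 3, 30)),  # inside maintenance
        Interval(datetime(2024, 1, 20, 23), datetime(2024, 1, 21, 0, 30)),  # 1.5 h, crosses midnight
    ]
    raw, adjusted = availability(period, outages, maintenance)
    return {"raw": raw, "adjusted": adjusted, "credit": service_credit(adjusted)}


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value:.5f}")
```

Both parties running this over the same outage and maintenance records get the same number, which is the point of item (3): the contract has to say who produces the records and how they are clipped and excused, or the raw and adjusted figures will be argued over every month. The credit floor and tier thresholds are placeholders to be replaced by the negotiated schedule.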
Applying these criteria, in its report GAO looked at existing cloud contracts across DOD, HHS, DHS, Treasury, and VA. It found that of the 5 agencies and 21 cloud contracts reviewed, 7 contracts had fulfilled all 10 factors. The remaining 13 had incorporated 5 or more, and only 1 failed to include any of these factors.
Cloud service providers doing business with the federal government should be prepared to address these key requirements if they wish to be successful at the negotiating table. Preparation with knowledgeable experts is essential to creating a fair and balanced relationship.
Cyrrus Analytics LLC
Hettinger Strategy Group
“Cloud Computing: Agencies Need to Incorporate Key Practices to Ensure Effective Performance,” GAO-16-325 (April 2016).