Cloud Procurement Guide 2.0 Tackles Security, Encryption

After two years of heavy use in government circles, the Center for Digital Government has released updates to its Best Practices Guide for Cloud and As-a-Service Procurements.

November 30, 2016

Ask your local IT shop to explain exactly what cloud services are, and you’ll be met with more information than you had ever hoped to get. Ask the same shop to explain how they purchased it, and you’ll likely be met with a blank, slightly terrified stare. 

While the technology itself may be relatively simple to explain, the means to procure it has been a thorn in the sides of public organizations from the outset. Where some government entities have chosen to brave the process on their own, others banded together and paved the way for streamlined purchasing and adoption.  

That collaboration resulted in the Best Practices Guide for Cloud and As-a-Service Procurements, released in 2014 by the Center for Digital Government (CDG)* to close the understanding gap and better arm the public sector to procure the services they needed in a more standardized and effective way.

The first iteration of this guide gathered input from a wide range of public and private partners through facilitated working groups, and laid the groundwork for multistate contracting vehicles. It also has offered guidance to smaller jurisdictions without the resources and purchasing power of state government. 

The updated guide outlines and explains the changes needed for more flexible and agile procurement processes.

Now, nearly two years later, the guide has been instrumental in discussions around a multistate procurement vehicle and is being re-released with some minor improvements.

Facilitating Procurement in Utah

For more than two years, Utah has been at the helm of a multistate procurement vehicle through NASPO Value Point, and just recently wrapped up the final stages of awarding contracts to the 38 participating vendors.

As of late November, 34 states are involved and Utah contracting officials are moving ahead with trying to negotiate master agreements with their vendors. And the CDG guide established a jumping-off point that the state and vendors could use to start more focused discussions, said Christopher Hughes, assistant director of operations and contracts for the state of Utah’s Division of Purchasing, who spearheaded the Utah-NASPO initiative.

“So what we did was collaborate with quite a few people in the initial part of the RFP to better understand this industry, and part of that was working with somebody who had worked with the Center for Digital Government,” he explained. “The Center for Digital Government had established what they believed were good, or adequate terms for cloud contracts, and … we looked at using those terms and incorporated them into the RFP.”

During discussions around data security, Hughes said the CDG document language represented a firm foundation to build on from the public-sector perspective. As the vendors weighed in, adjustments were made to the language to better suit the requirements of their particular business solutions.

“As we worked with some of these vendors, they needed to clarify some of these terms in accordance with their business solutions so that we weren’t requiring them to rewrite their business process in order to handle data that was processed as a result of the contract,” Hughes said.

Adjustments and Fine-Tuning

As for changes to the 2016 iteration of the best practices guide, CDG Director Todd Sander explained that it was more of a fine-tuning exercise than a complete rework of the center’s 2014 guide.

Despite a two-year gap between the documents and technological advances in the cloud space, he said public and private partners focused their collective energy on better defining certain sections of the guide and clarifying wherever possible.

“I think all of us in both public and private sectors were pleasantly surprised how well the 2014 document held up,” Sander said. “We substantially got it right the first time.”

Among the more notable adjustments that working groups focused on were the issues of security and encryption, better distinguishing between data at rest and data in motion, and systems audits. The topics of hybrid cloud and service level agreements were also points of discussion, while areas like terms and conditions remained largely untouched.

Former New Jersey CIO Stephen Emanuel, now with cloud service provider Alliant Technologies, led the hybrid cloud working group and participated in the working group. He agreed that many of the changes were based more on adjusting for evolving nuances than anything else.

“I think it was refreshing that we spent better than nine months on the first pass, and after almost 18 months to put it in play, we really didn’t have a whole lot of significant issues,” said Emanuel, who also was the main catalyst for the 2014 guide. At the time, his role in the public arena sent him in search of a better way to buy the tools he needed. Now working in private industry, he said he relishes the opportunity to collaborate and work through the procurement barriers with a new perspective. 

The cloud environment will continue to change, he said, and stakeholders on both ends should remain open to discussing what is happening in the space.

“Given the fact that cloud is going to morph as things move on, I have a totally different view now that I am in the private sector providing hybrid cloud services,” Emanuel said. “I think part of the clarity that we brought to this was at least if we start with terms and conditions being somewhat standardized, the next step is let’s talk about some of the ways we ask for things.”

*The Center for Digital Government is a research and advisory institute on public-sector IT under the e.Republic umbrella. e.Republic is also the parent company of Government Technology. 

Eyragon Eidam Web Editor

Eyragon Eidam is the Web editor for Government Technology magazine, after previously serving as assistant news editor and covering such topics as legislation, social media and public safety. He can be reached at eeidam@erepublic.com.