Unique public-private partnership develops contracting language to help make the cloud work for the public sector.
With perennially challenging budget environments and fierce competition for funding, government is well known for stretching legacy technology systems past their useful life, and then paying to maintain what should have been put down years before. But it isn’t necessarily the fault of those in government IT. When faced with the dilemma of struggling to procure the latest functional tech or scratching together the funding to simply keep things running status quo, it can be hard to tip the scales in the right direction.
And the rapid pace of technology hasn’t helped this conundrum either. The gravitational pull of the often ill-defined cloud is a prime example of this larger predicament. Cloud technologies offer flexibility and scalability that can help government run programs more efficiently while benefiting from the latest innovations. But the barriers to government adoption of cloud services are considerable. Chief among them is a procurement process built for more traditional on-premise system deployments.
But that hasn’t kept government from trying, and there are plenty of examples of successful government cloud deployments over the past few years. Government and industry, however, have struggled to speak the same language in the purchasing process. From basic definitions to understanding what each side really needs from a contract, the case-by-case approach was nothing if not time consuming and costly for vendors and public-sector buyers alike.
In 2014, the Center for Digital Government (CDG), a research and advisory institute on public-sector IT under the e.Republic umbrella (e.Republic is also the parent company of Government Technology), began work with a collection of state, local and industry officials to develop best practices around cloud and as-a-service procurements. The goal of the effort was to remove 80 percent of the terms and conditions contracting workload, leaving only 20 percent for public-sector organizations to iron out with their vendors.
A second, refined iteration of this document is currently in the works and is expected to be released in October 2016.
Former New Jersey CIO Steven Emanuel, now with Alliant Technologies, was a key player behind the collaborative effort after struggling through lengthy procurement efforts in his own state — a process he openly referred to as “painful.”
In addition to taking more than 18 months to acquire software through a major vendor, Emanuel said the team and supplier had difficulty effectively defining what they were after. The search for clarity and a streamlined process would launch an effort that included some 30 representatives from the public and private sectors.
In the first document, the groups defined and outlined issues around service models, data, breach notifications, personnel, security, audits and operations. As time has passed and technology has evolved, working groups are taking a second look at audit requirements, encryption, flow through, service level agreements and implications around hybrid cloud environments.
“We learned early on that the first and largest hurdle is just defining what cloud is or what as-a-service is, because there are three primary variations of that,” said CDG Executive Director Todd Sander. “There is software-as-a-service, platform-as-a-service and infrastructure-as-a-service. And while they are all related, there are nuances and differences over who is responsible for what and what is actually being purchased.”
Sander said the work would go on to be used in a highly anticipated National Association of State Procurement Officers (NASPO) multi-state cloud services contracting vehicle being organized by the state of Utah.
Michael DeAngelo, deputy CIO for the state of Washington, explained that cloud services have dramatically changed the business models of technology companies and forced change in the way governments access their products. Rather than simply buying a product and redistributing it to internal clients, the cloud enables government to scale services up or down according to changing needs.
DeAngelo also pointed out that the new business model has taken away some of the bargaining leverage that data-rich government tends to have around these types of purchases. With companies like Amazon, Microsoft and Google at the forefront of the as-a-service environment, case-by-case contracts no longer work for companies focused on low operating costs and scalability.
While DeAngelo said the resulting low costs are certainly appreciated when it comes to taxpayer dollars, the disadvantage is that agencies are no longer able to make asks like allowing auditors to review providers’ systems to ensure they meet government’s traditional requirements. What one organization sees as a piece of required compliance procedure poses a very real security risk to other companies and organizations hosted in the data center.
Though he sees why vendors must limit access to their servers, he feels the need to carefully shepherd constituent data. To work around limitations like this, DeAngelo and Georgia Chief Technology Officer Steve Nichols said third-party audits have been a focus of this collaborative process since the beginning.
“We’ve got a department of auditors, but realistically, they are not going to fly up to Virginia or Chicago and walk around with a clipboard in an Amazon data center or a Microsoft data center. And likewise, Amazon doesn’t want to be flooded with a bunch of auditors either,” Nichols said. “So, this is one of these things where we have to meet in the middle and say, ‘Here’s an industry standard setup to deal with exactly this, let’s just agree to it.’”
Many states also have requirements that data and personnel with access to it be U.S.-based, which had been a point of concern when contracting with global companies.
Additionally, Nichols said he has high hopes for conversations around flow through, or the layer cake-esque structure of modern technology contracts composed of strata of subcontractors with their own responsibilities and terms and conditions.
“In the 2014 guide, we didn’t really contemplate that some things may be passing down or passing up and what to do about that,” he said. “Now I recognize that at least for software-as-a-service, it’s quite common that a software-as-a-service vendor is behind the scenes and they don’t own their own data center, that they are using an infrastructure-as-a-service vendor — another cloud vendor to actually provide the servers.”
Working group members hope to provide better guidance on what is expected at all levels on complex cloud contracts.