The Tricky Business of Crafting Solid Cloud SLAs
In the five years since the U.S. government put a clear emphasis on utilizing cloud technology, federal procurement offices have engaged in seemingly endless tinkering with contracting vehicles to promote cloud adoption.
The core element of virtually every type of federal cloud procurement contract is the service level agreement, upon which billions of dollars of cloud investments are based. However, federal agencies have struggled with incorporating SLAs into cloud contracts that make sense for both the government and vendors.
That is why the federal General Accountability Office and the Office of Management and Budget have focused on the role SLAs play in cloud investing -- and it appears that now, after five years of the Cloud First policy, agencies are making progress in writing SLAs.
For the most part, government agencies have complied with federal guidance for SLAs, based on GAO's April 2016 report covering five major departments.
However, performance varied considerably among the agencies, and significant deficiencies still needed to be corrected to ensure full implementation of SLA provisions, GAO concluded.
"Overall, this is a good start towards ensuring that agencies have mechanisms in place to manage the contracts governing their cloud services," said David Powner, director of information technology management issues at GAO.
A Focus on the Big Bucks Agencies
The agencies GAO examined -- Defense, Homeland Security, Health and Human Services, Treasury, and Veterans Affairs -- together accounted for US$57 billion in IT investments in fiscal 2015. That was nearly 72 percent of the total federal IT budget.
"An important part of acquiring IT cloud computing services is incorporating an SLA into the contract. An SLA defines levels of service and performance that the agency expects the contractor to meet, and the agency uses the information to measure the effectiveness of its cloud services," notes the GAO report.
GAO developed a list of 10 elements that should be incorporated into every SLA, based on research from sources such as the Federal Chief Information Officers Council, the National Institute for Standards and Technology, MITRE and Gartner.
Among the 10 elements:
- Specify roles and responsibilities of all parties
- Define clear measures for performance by the contractor, such as service availability
- Specify capacity and capability, such as number of simultaneous users, as well as processing speed for transactions and response time for outages
- Determine how and when the agency has access to its own data and networks
Other elements: provisions for both the contractor and the agency to monitor performance; requirements related to disaster recovery and continuity of operations; security provisions including notification procedures; and specifications covering enforcement of the SLA, including penalties.
GAO Compliance Scoreboard
Seven of the 21 cloud contracts it examined contained all 10 practices, GAO found. Another 13 included at least five of the elements, while one contract failed to include even one.
The Defense Department had two SLAs with five of the 10 provisions incorporated, another with seven provisions, and a fourth with nine.
Homeland Security had three contracts with all 10 provisions and one with seven.
HHS reported one contract with six elements, three with eight, and one with nine.
Treasury had three contracts with 10 elements, one with nine and one with eight.
The VA had one contract with 10 and one with nine.
The relatively strong showing should prove beneficial to vendors, which often complain that government agencies don't communicate their goals with reasonable clarity. Agencies should benefit from being able to manage contracts more efficiently, with fewer vendor misunderstandings and protests.
One reason for the various deficiencies GAO found is that OMB's guidance covers only seven of the 10 practices.
Within the agencies, guidance was insufficient as well, GAO said. The Defense Department, for example, did not issue any SLA guidance until 2014 -- and those instructions covered only four of GAO's provisions.
Homeland Security told GAO that it evaluated contractor performance but not as part of the SLA process with vendors.
"While this may explain their shortfalls in not addressing all SLA key practices, the agency may be placing its systems at risk of not conducting adequate service level measurements, which may result in decreased service levels," GAO said.
Shoring Up the SLA Process
All 10 recommended provisions should be in every cloud contract, GAO said.
"Given the importance of SLAs to the management of these million-dollar service contracts, agencies can better protect their interests by incorporating the pertinent key practices into their contracts in order to ensure the delivery and effective implementation of services they contract for," the study points out.
Agencies can improve management and control over providers by implementing all recommended and applicable SLA key practices, according to GAO.
To strengthen the SLA process, GAO urged OMB to revise its guidance to incorporate all 10 of the recommended provisions. In addition, GAO specifically told each department that it should provide better guidance.
Cloud business, service and deployment models matured in the five years preceding last summer's release of MITRE's report on federal cloud SLAs.
"In turn, the complexity of cloud arrangements, opportunities, and risks have increased, and agencies are recognizing the importance of SLAs as a cornerstone for balancing risk, performance and cost," the report notes.
"The government is not a commercial operation. This drives some key distinctions in how service levels must be effectively negotiated and managed," said Kevin Buck, a principal member of the Center for Acquisition and Management Science at MITRE.
"The success of federal government cloud procurement negotiations hinges on the consumer truly understanding and effectively communicating ultimate objectives from cloud providers and capturing those in the SLA," he told the E-Commerce Times.
SLA Contracts Are Evolving
"Cloud SLAs are complex, so the guidance previously developed by OMB and now more recently by GAO is necessary to help federal agencies address those complexities," said Doug Bourgeois, director and federal cloud leader at Deloitte Consulting.
"While federal agencies need flexibility to align their cloud efforts to support mission delivery, there is a need for additional details and information sharing when it comes to SLAs," he told the E-Commerce Times.
"For example, metrics and additional clarity on roles and responsibilities -- particularly in the area of cloud security -- would help agencies manage the risks involved. Thus, the more OMB and GAO can do to foster improved understanding and sharing of such additional information, [the more it] would help to close the gaps identified by GAO," Bourgeois explained.
"Looking farther down the road, the development of additional guidance would also help agencies lower risks and successfully navigate the journey to the cloud," he said.
The evolution of various performance metrics for cloud procurements will be helpful both to agencies and vendors, said MITRE's Buck.
Government organizations such as NIST and the General Services Administration, as well as independent groups, are developing various metrics agencies can use for cloud contract SLAs. One of those groups is the Cloud Standards Customer Council.
"We're pleased to see, across the entire cloud customer base, increasing awareness of the SLA topic, and the accompanying interest in best practices about SLAs," said Tracie Berardi, program manager at CSCC.
The Council has had "constructive conversations with the GAO, and they used our publications as one of their inputs in formulating their recommendations," she told the E-Commerce Times.
The Council is "committed to providing further help to any organization on this and related subjects," Berardi added, and as a "step in that direction," CSCC soon will update Public Cloud Service Agreements: What to Expect and What to Negotiate, a guidance document first issued in 2013.