Federal Cloud SLAs: Devil's in the Details
Cloud technology appears to have taken the world by storm. The U.S. government is among those moving aggressively to the cloud, as federal agencies implement a White House generated "cloud first" policy that instructs agencies to give primary consideration to using the cloud for IT solutions.
Adoption of the cloud depends on a number of factors: adequate security, appropriate functionality, cost and performance. For both the government and the private sector, a central element in cloud adoption is the Service Level Agreement, or SLA, between the cloud user and the cloud service provider.
"The technology behind the cloud is familiar, and elements have been around for years. Cloud migration isn't so much a major change in technology. Instead it's more of a change in IT organization and procurement," John McDonald, chief executive officer at Cloud One, told the E-Commerce Times.
"In the procurement phase, the essential factor is the SLA between the vendor and customer," he said.
Feds Seek Help on SLAs
In pursuing the "cloud first" policy, the U.S. government has been developing modified procurement vehicles to facilitate use of the cloud. Some of these have bubbled up from the General Services Administration, which handles a wide range of government purchasing tasks. Whatever cloud contracting mechanism is employed, the SLA comes into play -- and GSA apparently feels that the current SLA approach in federal cloud contracts needs to be significantly improved.
In a recent "request for information," the Federal Acquisition Service, a unit within GSA, asked for help from public and private sector sources on SLA contracting. The RFI dealt mainly with the potential for using cloud brokerages, but FAS said it was also seeking information on better ways of handling cloud adoption in general, including the improvement of SLAs.
SLAs should be well-constructed, enforceable, and measurable, and the government wants to learn more about how SLAs can better help agencies achieve cloud computing benefits, said FAS.
The agency specifically asked what functionality -- development, negotiation, enforcement, standardization, measurement, implementation -- could improve the quality and ease of use of government SLAs for cloud computing.
Wild West Scenario
"SLAs are the cloud service provider's promise that a specific level of performance will be maintained," Shawn McCarthy, research director at IDC Government Insights, told the E-Commerce Times.
SLAs form the core of the contracting, legal and performance aspects of cloud adoption, he noted.
"Methods and Practices: IT Service Level Agreements -- Strategies for Government," a report authored by McCarthy and released by IDC this spring, specifically addresses government SLA issues.
"Government IT managers and procurement officials face multiple challenges when choosing appropriate service-level agreements for cloud-based computing solutions. For some, this may be uncharted territory. For others, the multiple decision points they face when making cloud decisions can seem overwhelming," McCarthy says in the report.
One possible way to meet SLA contracting challenges would be the creation of standardized SLA "template" that could be used across the government. In terms of cloud security, that approach has been used to develop the Federal Risk and Authorization Management Program (FedRamp) process for meeting federal IT security requirements. Agencies can reference the FedRAMP procedure generated by GSA, which saves each agency the task of developing its own security protocol.
The process helps to standardize federal security requirements and provides consistency. It also helps vendors to address security issues. Each agency may need to supplement or tweak the FedRAMP protocol, but at least most elements are available in the standard vehicle.
The use of an SLA composed of standard, generic provisions, supplemented with agency task- or mission-related objectives, is a possibility.
"Maybe you could use a starter template that deals with the basic standardized information, followed by what you need to have customized beyond the basic solution," McCarthy said. "It would be great for GSA or someone to develop a standardized approach to SLAs in government," suggested Cloud One's McDonald. "This is not just a government issue but shows up in the commercial market as well. SLAs are kind of a wild west situation right now. There is no gold standard among vendors. And in government, each agency is trying to drive its own criteria into the contracted SLA."
A list "decision points" that federal agencies should use to guide the drafting of SLAs is provided in the IDC report.
"A government agency may not need an SLA that encompasses every item on the list. But all of these points should be part of the discussion when SLAs are being evaluated," the report says.
Understanding what level of service is required -- well ahead of time -- is key to finding a cloud partner that is capable of meeting all the needs and promising an acceptable level of service for a cloud-based solution, McCarthy points out in the report.
The Role for Vendors
Similarly, vendors should be active in the SLA development process, according to IDC, which recommends that vendors take the following actions:
- assume responsibility for meeting SLA requirements;
- be knowledgeable about the government client's business;
- provide money back or other credits for inadequate performance;
- consider third-party verification of compliance with certain SLAs to ensure unbiased analysis.
Vendors should become involved in developing appropriate SLAs with clients, said McDonald, and not try to slide through with ambiguously worded agreements.
"There needs to be some effort at standardization. That's the reason this issue has been taken up by the Cloud Standards Customer Council," he pointed out.
McDonald was a contributor to the council's "Practical Guide to Cloud Service Level Agreements," published in April.
"I am not sure a comprehensive government-wide SLA template would be appropriate, but it could be. Certainly a department-wide or agency-wide standard SLA could be developed which would work for units within a given department, " Steven Bucci, senior research fellow at the Heritage Foundation, told the E-Commerce Times.
f "You have to weigh the potential advantages of a government-wide approach against the disadvantages of thinking there is a 'one-size fits all' solution," he said.
"Many SLAs contain worrisome provisions which allow the cloud service providers to change the contracts unilaterally, delete data on certain grounds, determine which service outages are compensated, issue disclaimers regarding security of customer data, and so forth. Writing SLAs to address the needs and unique position of the government can mitigate the principal-agent problem significantly," Bucci said.
"It's in the best interests of vendors, in the long run, to get the SLA part right. The FedRAMP protocol might not be perfect, but I think it goes in the right direction on recognizing the value of a standardized approach -- so it's kind of a model for SLAs," Bucci said.
The cloud concept should trigger a different way of viewing information technology on the part of government chief information officers, Bucci contended.
"CIOs also need to shift their IT mindset from asset management to service management. This requires shifting focus from input to output metrics and greater tracking of usage rates and service-level agreements," he said.
The flexibility associated with cloud technology by scaling usage up or down "is critical to reducing excess government computing capacity," Bucci observed.
As long as appropriate SLAs are instituted for cloud migrations, "the government should be able to rapidly increase its capacity in times of need to avoid shortages while not paying for those same resources when they are not needed," he said.
Responses to the GSA/FAS Request for Information on SLAs should be sent by email to the contracting officer, firstname.lastname@example.org, by Aug. 17.