Cloud Computing Best Practices. Creating Effective Cloud Computing Contracts for the Federal Government: Best Practices for Acquiring IT as a Service




Overview
- Cloud Computing: What is it?
- Cloud First Policy and Guidance
- The Cloud Procurement White Paper
- Minimizing Litigation Risk and Cost
Slide 2

What is Cloud Computing?
NIST Definition: "Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models."
Source: NIST, Definition of Cloud Computing, Draft version 15, http://csrc.nist.gov/groups/sns/cloud-computing/index.html
Layman's Definition: cloud is essentially utility computing
- Automated services (no humans needed for a change in services)
- Services are consumed as used ("pay per drink")
- Enabled via the internet (accessible anywhere)
- Elasticity in the amount of services consumed (rapid provisioning and deprovisioning)
- Transition from capital expenses to operating expenses
Slide 3

What Services Are In The Cloud?
- Software: SaaS (software as a service). Applications available as an on-demand service. Users: end users. Common examples: applications, internet services, social media (blogs, wikis), email, e-meetings, productivity tools (Office).
- Platform: PaaS (platform as a service). IT and developer tools for database and testing environments to develop applications. Users: development or deployment activities. Common examples: application development (workflow and automation), security services (single sign-on, authentication), database management, directory services.
- Infrastructure: IaaS (infrastructure as a service). Computing, storage and hosting services. Users: network administrators. Common examples: mainframes, servers, storage, IT facilities/hosting services.
Source: http://info.apps.gov/node/17
Slide 4

What Types of Clouds Are There?
- PRIVATE CLOUD: operated solely for an organization
- COMMUNITY CLOUD: shared by several organizations; can be public or private
- PUBLIC CLOUD: available to the general public
- HYBRID CLOUD: composition of two or more clouds (private, community, or public)
Source: http://info.apps.gov/node/17
Slide 5

Cloud: A Fundamental Shift in IT
[Figure: source www.cio.gov]
Slide 6

Cloud: Cheaper, Better, Faster
Cloud = Future State of Government IT. A fundamental shift: agencies get state-of-the-art products and services when they need them, at lower, commodity-based prices. Government can redirect scarce resources to mission-critical efforts as opposed to managing IT.
- Cheaper: save money and help lower the cost of government operations while driving innovation, by avoiding duplicative infrastructure through pay-as-you-go service models
- Better: allows key resources to focus on mission-critical activities and/or use solutions and services on demand or as needed
- Faster: decrease time to market to deploy or implement IT solutions via secure, easy-to-use contract vehicles available to federal, state and local government
Slide 7

Administration's Drive to the Cloud
"The Administration's Federal Cloud Computing Strategy requires agencies to default to cloud-based solutions whenever a secure, reliable and cost-effective cloud option exists; however, the move to the cloud requires a dramatic shift in the way Federal agencies buy IT, from capital expenditures to operating expenditures. With this shift comes a learning curve as the government analyzes how to best procure this new service-based model...."
Steven VanRoekel, U.S. Chief Information Officer, OMB, February 24, 2012
Slide 8

Federal Timeline for Cloud
- Cloud First, 25 Point Plan to Reform Federal IT: December 9, 2010
- Federal Cloud Computing Strategy: February 8, 2011
- FedRAMP Policy Memo: December 8, 2011
- Creating Effective Cloud Computing Contracts: February 24, 2012
Slide 9

Cloud: 25 Point Plan to Reform IT
Cloud First Policy: Point 3 of the White House's 25 Point Plan to Reform Federal IT
- Requires agencies to evaluate safe, secure cloud options before making any new investments. This means agencies should evaluate their technology sourcing plans to include cloud solutions as part of the budget process.
Three Cloud Projects by June 9, 2012
- Cloud First mandates that agencies move three projects to the cloud
- At least 1 project had to move to the cloud by December 9, 2011; 2 additional projects must move by June 9, 2012.
Slide 10

Cloud Computing Strategy Overview
- Details benefits of cloud to the Federal government
- Provides a decision framework for moving to the cloud
- Case examples to illustrate the framework
- Promotes a vision for catalyzing cloud adoption across the Federal government
Slide 11

Cloud Security: FedRAMP (Federal Risk and Authorization Management Program) Overview
- Mandatory for Federal agencies via OMB Policy Memo
- Creates a government-wide security process for cloud computing solutions
- Provides assessments, provisional authorizations, and continuous monitoring of cloud services
- Transparent processes for Federal agencies and cloud service providers
- Establishes a Federal government standard baseline for securing cloud environments
Slide 12

Cloud Procurement White Paper Overview
- Top 10 areas Federal agencies need to address when procuring cloud
- Gives a description of the issues along with ways to address them within contracts
- Provides tactical guidance through a questionnaire checklist
Slide 13

Partnership of IT, Acquisition, Legal
"Today, the CIO Council, CAO Council, and Federal Cloud Compliance Committee released: Creating Effective Cloud Computing Contracts for the Federal Government: Best Practices for Acquiring IT as a Service. This guide enables Federal agencies to make smarter, more informed cloud purchasing decisions by utilizing lessons learned and best practices of early adopters, moving us to a more efficient and more effective government."
Steven VanRoekel, U.S. Chief Information Officer, OMB, February 24, 2012
Slide 14

Development of White Paper
Two-tier approach to creating guidance.
Existing Cloud Contracts
- Develop lessons learned from early adopters
- Informal data call through OMB to collect ~15 existing Federal cloud contracts
- Review of contracts to see the variance of contract terms, establish a baseline and identify themes
- Interview project managers and contracting officers of each contract: what worked, what doesn't work, how various issues were addressed
FC3 Guidance
- Guidance developed by the Federal Cloud Compliance Committee (FC3), an informal interagency group comprised of Federal attorneys, procurement officials, and cloud SMEs
- Mission: create tactical guidance to proactively assist agencies when contracting for cloud
- Created four working groups: Security; Privacy; E-Discovery; Records Management/FOIA
Slide 15

Goals of White Paper
Cloud Computing and the Federal Government: Effectively Acquiring IT as a Service
- Merge the Cloud First mandate and the visionary Cloud Computing Strategy
- The next step in the government's move to cloud, with specific guidance on effectively buying cloud services
- Provide guidance to agencies in developing requirements for a cloud computing contract
- Highlight the top ten areas for Federal agencies to address in cloud contracts
- Help shape the way that cloud computing services are purchased and consumed
- Establish common practices for the Federal government to take advantage of its position as the largest purchaser of IT
Slide 16

Top 10 Focus Areas
1) Selecting a Cloud Service
2) CSP and End User Agreements
3) Service Level Agreements (SLAs)
4) CSP, Agency, and Integrator Roles and Responsibilities
5) Standards
6) Security
7) Privacy
8) E-Discovery
9) Freedom of Information Act (FOIA)
10) E-Records
Slide 17

Selecting a Cloud, End User Agreements
ONE: Selecting a Cloud Service
- Agencies must choose the appropriate cloud to meet their needs
- Determine the appropriate service model to meet user needs
- Determine the appropriate deployment model that meets data protection needs
TWO: CSP & End User Agreements
- Terms of Service agreements (TOS) need to be negotiated
- TOS must be compliant with Federal laws and statutes
- Need to ensure NDA enforceability
- End User Agreements need to be integrated fully into cloud contracts
Slide 18

SLAs and CSP, Agency, Integrator Roles & Responsibilities
THREE: Service Level Agreements
- SLAs should clearly define CSP performance standards
- Need clear terms and definitions
- Need to determine how CSP performance will be measured
- Need to establish enforcement mechanisms for SLA compliance
FOUR: CSP, Agency, & Integrator Roles and Responsibilities
- Establishes a contract with (at least) three parties
- Determine the integrator's role with the CSP
- Need to clearly define the roles and responsibilities of all actors to ensure the effectiveness of the cloud contract
Slide 19

Standards and Security
FIVE: Standards
- Agencies should ensure CSPs align with government standards
- Map services to the NIST Reference Architecture
- Ensure government participation in standards creation
- Compliance with Internet Protocol version 6
SIX: Security
- FedRAMP compliance
- Clearly defined requirements
- Continuous monitoring activities
- Incident response to attacks and vulnerabilities
- Key escrow/encryption
- Forensic capabilities
- Multi-factor authentication with HSPD-12
- Audit capabilities
Slide 20

Privacy and E-Discovery
SEVEN: Privacy
- Ensure compliance with the Privacy Act of 1974 and PII requirements
- Privacy Impact Assessments
- Adequate privacy training
- Clearly defined data location requirements
- How to respond to a breach where privacy data was compromised
EIGHT: E-Discovery
- Provide information management in the cloud
- Ability to locate relevant documents
- Ability to preserve data in a cloud environment
- Moving documents through the e-discovery process
- Cost avoidance by inclusion of tools with the CSP solution
Slide 21

FOIA and Federal Recordkeeping
NINE: FOIA Access
- Ability to conduct a reasonable search to meet Freedom of Information Act (FOIA) obligations
- Ensure the processing of information is pursuant to FOIA requirements
- Allow for the tracking and reporting of information pursuant to FOIA
TEN: Federal Recordkeeping
- Agencies should have proactive records planning before using a cloud service
- Ensure the ability to have timely and actual destruction of records in accordance with mandated records schedules
- How to deal with permanent records
- Process for transitioning to a new CSP
Slide 22

Appendix A: Questionnaire Overview
- Translates the paper into tactical questions to ask when reviewing or creating a cloud contract
- Maps to the ten areas of focus within the paper
- Tactical approach for agencies to use
Slide 23

White Paper: Key Takeaway
All necessary stakeholders should be included when creating cloud computing contracts:
- OCIO
- OGC
- Privacy
- Records
- E-Discovery
- FOIA
- Acquisition staff
This will enable Federal agencies to more effectively procure and manage IT as a service.
Slide 24

Cloud Resources
- CIO Council: www.cio.gov
- Federal Cloud Computing Initiative: www.info.apps.gov
- FedRAMP: www.fedramp.gov
- NIST: http://www.nist.gov/itl/cloud
- NARA: http://www.archives.gov/records-mgmt/bulletins/2010/2010-05.html
Slide 25

Questions?
Matt Goodrich, Federal Cloud Computing Initiative, GSA: matt.goodrich@gsa.gov
Allison Stanton, Director, E-Discovery, DOJ Civil Division: allison.stanton@usdoj.gov