Private companies are rapidly moving applications and infrastructure to the cloud, freeing them from costly maintenance for legacy systems and making technology upgrades much more nimble. But government agencies have struggled to embrace hosted services because the cloud often clashes with traditional public purchasing rules and practices.
Too often, agency procurement officers try to purchase cloud technology using contract language designed for physical products, while vendors approach the public sector with boilerplate agreements that don’t address government needs. All of these factors tend to slow down cloud procurement -- or block it altogether -- and limit the number of companies that will bid on government projects.
A new cloud procurement report -- the product of nine months of meetings orchestrated by e.Republic's Center for Digital Government -- gives CIOs, procurement officials and cloud providers a common language that sets the stage for a wider adoption of cloud technology in the public sector. (Government Technology and the Center for Digital Government are both owned by e.Republic Inc.)
Released Wednesday, Sept. 10, the report's model terms and conditions can be used by state and local agencies as baseline language for procurement contracts for software-as-a-service (SaaS), platform-as-a-service (PaaS) and infrastructure-as-a-service (IaaS). The recommendations cover key sticking points like ownership and protection of data, auditing of cloud-based systems, breach notification and liability for stolen information.
A workgroup created to develop the report launched its activities in Trenton, N.J., in January, hosted by New Jersey CIO Steve Emanuel. Those early meetings uncovered a split between government and service providers on what moving to the cloud entailed, said Todd Sander, executive director of the Center for Digital Government.
“When government people asked for cloud services, that meant one thing to them. When industry tried to respond to those solicitations and present themselves as potential partners, it meant something else to them,” Sander said. “That misunderstanding was creating confusion and cost, and frustrated everyone.”
Georgia CTO Steve Nichols -- representing one of the 12 state and local jurisdictions that participated in the workgroup -- said the ongoing discussions created better understanding between governments and cloud providers. Ultimately both sides compromised on contract requirements in order to produce model language that worked for both government and industry.
“I think people got off their defensive postures and met in the middle on what they could do,” Nichols said. “It was more about finding common ground on what would be acceptable, and then backing into the language that would work for that.”
For example, cloud vendors feared they would be directly subject to liability as soon as they notified a government customer of a security incident. But government IT professionals wanted to know about potential problems early and worry about assigning blame later. As a result, the guide's terms and conditions cover how vendors and government customers can communicate about security incidents without assigning liability.
Workday's Sherry Amos said the report will improve government-vendor relations by educating customers about the differences in cloud offerings and the considerations involved in procuring them. The SaaS provider was one of 14 companies that participated in the workgroup.
Former Colorado CIO Kristin Russell, now director of Deloitte Digital, was a workgroup member during her tenure with state government. She says the report will help vendors to better understand the risk profiles of public-sector customers.
"What we typically find is that although at times we start from positions that are 180 degrees apart from one another ... we usually can get to a mutually agreeable position," Russell said. "This allows us to perhaps shorten the time necessary to get to that position where interests are aligned between both parties."
Although the report addresses many of the fundamental procurement issues between government and cloud vendors, its drafters admit that the document doesn’t have all the answers.
Sander noted that there may be nuances and specific differences due to the nature of a particular procurement, and those should be addressed as exemptions to a basic cloud services contract. But he says if agencies and vendors start with the report's model terms and conditions, they can spend more time addressing those unique needs instead of worrying about the basics.
Amos, Workday's managing director for government and education, cautioned that public agencies "still need to be clear" about their business objectives and engage vendors early and openly about questions they have. "Procurement and contracting processes ... still have a long way to go to adapt to buying this new type of solution delivery model, whether it is IaaS, PaaS or SaaS," she said.
But workgroup participants predicted the model contract terms contained in the report would help improve and simplify cloud procurements if they are widely adopted.
"If this guide is embraced nationally by state and local government entities, as well as our industry providers, we will see government solutions begin to keep pace with what our citizens expect," said New Jersey's Emanuel.
“This is a game-changer,” added Phil Bertolini, CIO of Oakland County, Mich. “If we would have had this last year, it could have saved us eight months of negotiations.”