Is government procurement ready for the cloud?

Cloud computing can present unfamiliar territory for government acquisition officials.

Mention cloud computing to true believers and you’ll likely hear all about speed and agility. They'll tell you that agencies can simply dial IT services up or down as needed to quickly support new mission plans or workload changes. As a bonus, agencies pay only for what they use instead of bankrolling the often idle, over-provisioned computing capacity common in most data centers.

Unfortunately, there’s a rub when it comes to the cloud. Many IT procurement practices and contracting vehicles were designed to help managers provision hardware and software, not on-demand services. Can the current acquisition practices translate easily to the dynamic world of cloud computing?

Not really, said Barry Brown, executive director of the Enterprise Data Management and Engineering Division at Customs and Border Protection. He echoed a view shared by others in the federal government. With cloud computing, “the technology delivery model has changed,” he said. "What has not changed is the procurement model."

The methodology gap between procuring IT systems and procuring IT services has been intensifying in the past year, ever since former Federal CIO Vivek Kundra outlined the government's cloud-first policy. That initiative seeks to reduce costs and increase IT acquisition flexibility by pushing federal IT systems to cloud environments. Each agency has until May to identify three IT resources that it will move to the cloud.

But the move is straining traditional procurement departments. Rather than promoting speed and agility, in some cases cloud initiatives are spawning extended contract negotiations and legal challenges that are making it take even longer for agencies to get the resources they need.

Not all the early obstacles are specific to the cloud, so they won't be permanent. But other features that are essential parts of the cloud model will continue to present challenges. Technology executives will need to accommodate them with new procurement and vendor management practices if the switch to on-demand, utility computing is to succeed.

Stumbling blocks

Why do some experts believe that current procurement practices are ill-suited to the cloud? They point to four key challenges.

Challenge 1: Variable service levels

With the cloud model, IT managers can shop for new, on-demand services via online catalogs. That approach acknowledges that demands can change from month to month, or even more frequently.

“From a contracting perspective, that’s pretty tough to deal with,” said Wolf Tombe, chief technology officer at Customs and Border Protection. He contrasts that variability with contracts that designate the technologies purchased and specify the delivery date.

Challenge 2: Nonstandard terms of service

Backers of the cloud model promote economies of scale, whereby costs decline because multiple customers share common resources, such as a suite of office productivity software. But consultants say many agencies try to negotiate cloud contracts that have custom services, which slows the procurement process.

“Everybody thinks what they need is special,” said Michael Sorenson, director of cloud services at systems integrator QinetiQ North America. Some compare the approach to asking Microsoft to customize its Office suite before buying the product.

Challenge 3: A shifting landscape

Cloud providers bring additional uncertainties to service terms. In the past, when a software vendor revised a commercial package, agencies could choose to install the new features or stick with the existing version of the program. But cloud providers regularly revise their service offerings, and the changes automatically flow to all customers, whether they ask for them or not.

“This makes procurement uncomfortable because you cannot be sure what you buy today will be there tomorrow,” said Peter Gallagher, a partner in the Civilian Federal Systems group at Unisys. “The pace of change is more rapid than with [off-the-shelf software].”

Challenge 4: Pricing uncertainties

Some agencies struggle to determine whether a firm fixed-price or cost-plus approach delivers the most benefits in a cloud-computing contract. “The best procurement procedure we’ve seen is a firm fixed price, and then if there are any modifications to the core service — say, additional storage for an e-mail user — the agency will pay for it by the drink,” Sorenson said. “But that is more complex than a standard utility scenario.”

All of that is leading some government executives to call for new procurement methods that address contracts oriented to service and performance. Officials are still far from having all the answers, but they understand the challenges they face. “It is a new way of doing business, and it requires new contracts,” Tombe said.

Counterpoint

Not everyone agrees that cloud services represent such a significant departure from past IT practices that they require new acquisition methods. Some say only minor changes are needed for future cloud acquisitions to be well served by existing contracting vehicles, such as the General Services Administration’s Alliant governmentwide acquisition contract and IT Schedule 70 blanket purchase agreements, which specify firm fixed prices for cloud services negotiated on behalf of the entire federal government.

“I don’t think cloud procurement is as different or problematic as people make it out to be,” said Larry Allen, president of Allen Federal Business Partners, which provides procurement policy support for government contractors. “I’m not an advocate for creating new cloud-based contract vehicles. It’s much better to use what’s out there.”

In fact, for all the contracting uncertainties, agencies are making progress toward the cloud-first deadline. GSA and the National Oceanic and Atmospheric Administration are just two examples of agencies with large-scale cloud initiatives. Last year, GSA moved 17,000 staff members to Google Apps for Government, a cloud-based e-mail and collaboration system, and NOAA awarded an $11.5 million, three-year contract to migrate 25,000 employees to the Google messaging platform.

Wake-up calls

But cloud procurements don’t always go smoothly. In some cases, the problems are inherent to the cloud, such as determining how much customization of services, if any, is acceptable. In other cases, procurement officers are still sorting out when and how to apply existing rules to the cloud environment. Working through those issues can put the brakes on cloud procurements.

For example, in October 2011, the Government Accountability Office upheld a protest by Technosource Information Systems and TrueTandem that challenged a specification in a GSA request for quotations for cloud-based e-mail services. The RFQ required that data services be located in the United States or other designated countries.

GSA responded to the challenge in part by arguing that the government needs to control where information is stored because of concerns about foreign jurisdictions asserting access rights to data that resides in or moves through their country. Location would likely not have been an issue for agencies that opted to host services in-house, but in the cloud, data could conceivably be stored anywhere in the world.

Nevertheless, the challenge by the two contractors said the GSA requirement unduly restricted competition. GAO agreed, saying that GSA failed to establish a legitimate government need for the stipulation and calling on the agency to amend the RFQ to reflect its actual needs regarding data centers located outside the United States. After reviewing the decision, GSA issued an amended RFQ, nearly six months after issuing the original request.

Earlier, the Interior Department became embroiled in an even bigger contracting controversy after a lawsuit by Google put the brakes on a $59 million, five-year external private cloud intended to provide e-mail and collaboration capabilities for 88,000 of Interior’s employees. A lawsuit by Google charged that Interior’s request for proposals was “unduly restrictive of competition” because it specified a private cloud solution using Microsoft Business Productivity Online Standard Suite. Early last year, a federal judge sided with Google in a ruling that said Interior violated federal acquisition rules for open competition.

Part of the ruling stemmed from Interior’s choice of Microsoft technology, which the department had been using in a traditional implementation. The bigger question appeared to be Interior’s stipulation of a private cloud, which Google, as a supplier of technology for multi-tenant public cloud solutions, could not support.

Knowing that the private cloud stipulation might be challenged, Interior’s procurement and legal staffs tried to be proactive by documenting market research the agency had gathered about the potential risks of public clouds, said William Corrington, Interior’s CTO at the time and now cloud strategy lead at Stony Point Enterprises, a consulting firm that specializes in cloud strategies for federal agencies.

According to court documents, Interior said its research led it to a single-user, private cloud solution because of the sensitive nature of the data that would be stored in the cloud, the agency’s tolerance for risk, and “the benefits and liabilities of each cloud model.”

The case illustrates how questions about emerging cloud technologies add complexity to government procurements. As a result, some Interior officials felt they were being forced to accept undue risks because acquisition rules altered the agency’s original cloud choice, Corrington said.

The legal challenges also led to significant delays. Interior awarded the original contract in late 2010 but is still trying to move the project forward. In early January, the agency issued a new RFP that just now reopens the bidding. This time the department is calling for a commercial provider that can transition its current in-house e-mail systems to “an integrated, cost-effective, cloud solution.” It makes no mention of a private cloud or specific products.

Such legal challenges and protracted contract negotiations over sticking points such as security and service-level monitoring are prompting some observers to call for new methodologies to guide everyone in the procurement community.

“Our acquisition people are doing the best they can, but progress [toward cloud adoption] represents transformation and change for IT,” Tombe said. “That transformation and change require that some of our partners and stakeholders change along with us.

5 ways to prep for the cloud

Government acquisition personnel must often perform a balancing act to achieve the cost and efficiency benefits promised by cloud providers. On the one hand, they need to contract for solutions that share a common set of hardware and software resources to benefit from money-saving economies of scale. Unfortunately, one-size-fits-all solutions aren’t always appropriate, especially when missions and support requirements differ so widely across the government.

Agency officials and consultants say some core definitions and tools could speed contract negotiations and bridge the sometimes conflicting needs of agencies and cloud providers. Here is a list of techniques that could help speed government’s move to the cloud.

1. Security accreditation

Security fears rank among the top obstacles to cloud migrations. Fortunately, procurement officers could have an important tool to address those issues this year — the Federal Risk and Authorization Management Program (FedRAMP). It will create a security baseline that any agency can use to ensure that cloud contracts meet a standard level of protection. Combined with security guidelines from the National Institute of Standards and Technology, FedRAMP promises to simplify and speed the acquisition process.

2. Service-level agreements

The FedRAMP model for an accredited baseline of requirements could be useful in other areas, including the creation of service-level agreements. Agencies and cloud providers often struggle to balance conflicting requirements when it comes to SLAs, said William Corrington, former chief technology officer at the Interior Department and now the cloud strategy lead at Stony Point Enterprises.

For example, the Office of Management and Budget or the General Services Administration might specify that all cloud-based e-mail solutions achieve a minimum uptime rating of 99.95 percent, which would relieve agencies and vendors from hashing out those terms for each contract and thereby speed negotiations.

“Government lawyers would have some confidence that contract language is coming down from OMB or GSA, and cloud vendors would understand what the government is expecting for terms and conditions,” Corrington said.

3. Standardized service definitions

A similar framework for predetermined terms and conditions would benefit common cloud services, such as e-mail solutions or IT infrastructure services. “There are a lot of variables, but if you lock everyone down into a set of services that are utilitarian, then many challenges go away and agencies can compare pricing apples to apples,” said Michael Sorenson, director of cloud services at QinetiQ North America.

The framework would differ from traditional governmentwide acquisition contracts and blanket purchase agreements (BPAs) by establishing standard service definitions all vendors in a particular cloud category would use. Cloud providers might be willing to embrace standardized definitions as a way to discourage agencies from negotiating special terms for commodity solutions.

“Even when the new BPA for [GSA’s proposed e-mail-as-a-service agreement] comes out, I still think agencies will look at terms of service and want to negotiate them,” said Peter Gallagher, a partner in the Civilian Federal Systems group at Unisys. “If you are a [software-as-a-service] provider, it is difficult to negotiate different terms of service in a multi-tenant environment.”

To accommodate varying needs, the government could create standardized terms for tiers of service, such as gold, silver and bronze levels with different performance characteristics, Gallagher added.

4. Clear rules for data management

Today, agencies must negotiate to insert clauses into cloud contracts that specify how their information is maintained and protected by cloud providers. For example, officials at Customs and Border Protection are concerned about having exit strategy options for their data if they decide to switch cloud providers.

“I want that language in the contract going in," said Wolf Tombe, the agency's chief technology officer. "I don’t want that to be an afterthought.”

Another issue is the physical location of the storage systems that house government data. Some security rules call for sensitive data to remain in the United States or in select overseas countries. But that can be hard to nail down, as GSA learned when two contractors successfully challenged its original e-mail-as-a-service request for quotations, which restricted data services to certain specified locations.

5. New skill sets for procurement employees

Some acquisition officers might need training to help them negotiate and manage cloud contracts. “Agencies don’t necessarily need to hire legions of new people, but they should make sure their acquisition workforce understands the difference in service acquisitions and why they’re different from products,” said Larry Allen, president of Allen Federal Business Partners.

Key skills for a cloud-rich environment include project and vendor management. The IT Acquisition Advisory Council, among others, is working with the government to promote new acquisition methodologies that are better suited to the cloud, Tombe said.