Agencies must set rules around cloud vendors' access to data, report says

The federal government is behind many states and businesses in its adoption of cloud computing, but it is on track to be one of the largest purchasers of cloud storage and could have an outsized effect on what commerce looks like in the still developing industry, a primer on best practices for government cloud contracts argues.

Contracting officers should insist, for example, that agreements with cloud providers include specific penalties such as a fine or service credit if any terms of the agreement aren't met, according to the document, "Creating Effective Cloud Computing Contracts for the Federal Government," which was released Friday.

Cloud contracts should be a collaborative project among acquisition officers, chief information officers and general counsels, the report said. They also should clearly define how much access cloud vendors will have to government data and the standards they will be expected to meet when dealing with that data, the report said.

The report was a joint project of the federal Chief Information Officers Council and the Chief Acquisition Officers Council.

Computer clouds essentially are large banks of ultramodern off-site servers that can pack information more efficiently than traditional in-house servers. Government customers can buy space in private sector computer clouds run by Microsoft, Amazon and other companies, much as they purchase other services or utilities -- paying only for the space they use. They also have begun storing data and programs in private government-only clouds, which can pack data more efficiently than traditional data centers.

The government initiated a cloud-first policy for new IT purchases in late 2010 and plans to move one-fourth of its $80 billion annual IT budget to the cloud by 2015, which officials say will save about $5 billion annually.

Officials have been slow to migrate sensitive government programs to the cloud, partly because of delays in implementing cloud security standards outlined in the Federal Risk and Authorization Management Program, or FedRAMP, which is slated to go live in June.

Agencies have moved several large programs, such as email, calendars and public-facing websites to the cloud.

They have been slower, though, to open up standard IT requests for proposals to cloud providers, Teresa Carlson, vice president of the global public sector at Amazon, a major public cloud provider, told Nextgov on Wednesday. Often, for instance, RFPs will require specific hardware, which typically puts cloud providers out of the running, she said.

As the cloud becomes more prevalent in government, Carlson said she expects RFPs will focus less on how new IT systems should look and more on what an agency expects it to accomplish.

"It's not that they're not making them cloud-friendly," she said. "It's just automatic. It's how they've always done things. Part of this really is educating the acquisition officials jointly with the people who have applications that run in the cloud."