It's time to fix our cloud procurement problems

Featured eBooks
Space Tech
Read Now

CDM

Read Now

Digital Transformation

Read Now
By Michael Garland

By Michael Garland

|

Cloud presents some unique problems for contracting officers, and addressing those ambiguities would pay big dividends.

cloud playbook

The government's desire to move to cloud computing is gaining significant momentum. The White House is drafting a major new cloud policy (the first since 2010), and the newly created Cloud Center of Excellence, designed to drive government cloud adoption, began its pilot program at the Department of Agriculture several months ago. 

It's no surprise that cloud activity has escalated. For the foreseeable future, cloud computing will be the dominant modus operandi for information technology. Observers have noted that the massive migration of IT workloads to cloud is the third or fourth major disruptive shift in the history of computing, equaling in some ways the major disruption caused by the advent of the World Wide Web.

Why all the fuss? It's simple: When properly and strategically deployed, cloud saves buckets of time and money.

In the pre-cloud era, provisioning an IT application required, among other things, purchasing servers and software, waiting for it to arrive, and then physically installing it in some form of an "on-premise" data center. Unfortunately, living in the material world of hardware and software deters speed or agility. Awaiting deliveries, installing software, and dealing with data-center logistics can take several months. Also, physical ownership of IT requires expending capital dollars, instantly putting a rapidly depreciating asset on the books. Perhaps more importantly, the old IT model required the procurer to purchase significantly more capacity than needed, to accommodate rare periods of peak usage. In point of fact, Amazon created the cloud business because it had built its own data-centers to handle the peak Christmas rush in December, even when much of its computing resources lay fallow for eleven months of the year. The traditional IT model fomented delay, lack of agility, and excess capacity -- plus it incurred the table-stakes costs of running a data center: real-estate, power, and people.

Enter cloud. The cloud paradigm is to rent, on-demand, various computational resources from cloud providers, paying only for what is actually consumed, after the fact, on a monthly basis. Not only does this mean the cost of consumption is closely aligned to actual demand, but the provisioning of needed services can be almost instantaneous. Instead of ordering and installing a server, a virtual instance of a computer can be spun up by a cloud services provider in a matter of minutes, in a fully automated way, with zero human intervention. With a CSP account and a connection, you can self-serve virtually everything needed to build and deploy an application.

But wait, there's more. As the cloud providers have matured, the types of services they provide have significantly reduced the burden on software developers. CSPs now offer many of the underlying algorithms and routines that developers once were forced to code or scavenge for themselves. Cloud-native software developers no longer focus on things like tuning databases, building storage solutions or managing capacity. Unglamorous but critical tasks like keeping software versions up to date with the latest patches also can be done by the cloud company.

The cloud value proposition is obvious. It's not an overstatement to say the old "on-premise" data-center model, for most applications, will soon go the way of the VHS video recorder. The advent of cloud computing has done for software developers what the medieval inn did for early European travelers – it has relieved them of the obligation to pack and drag along all their own stuff. This is a stunning generational shift and best represented by an amazing data-point: Netflix now accounts for approximately 40 percent of all U.S. evening internet traffic. Every pixel of Netflix content that finds its way to a phone, tablet or TV is delivered by Amazon Web Services, which has turned itself into a $20-billion-a-year global cloud colossus in just 12 short years.

While the future of IT isn't completely written, we do have the basic vocabulary -- and it starts with the word cloud. From a government perspective, however, do we know how best to buy cloud services and truly gain its economic advantage?

From an acquisition perspective, cloud offers a variety of unique problems for contracting officers. Firstly, a quick keyword search of "cloud" against the Federal Acquisition Regulation shows zero hits. The word simply doesn't appear.

Expanding the search to include all agency FAR supplements produces six references in the Defense Federal Acquisition Regulation Supplement, and one reference in the Defense Information Systems Agency's addendum. These sparse references are all focused on security and advise contracting officers to be wary of security concerns.

This lack of references in the FAR would be less problematic if cloud snugly fit into other procurement categories. Unfortunately, it does not.

Cloud is a particularly cagey item -- sometimes it feels like a product, and sometimes it feels like a service. And IT companies, looking to cash in on the branding cachet, are increasingly calling everything cloud, whether it fits the National Institute of Standards and Technology's technical definition or not. From an acquisition perspective, cloud is a bit of a mess.

Here are just some of the most obvious acquisition problems with cloud:

  1. The value of cloud is based on paying only for what is consumed, in arrears, after the fact. Contracting officers are schooled on the "bona-fide need" rule, and the "Anti-Deficiency Act," which requires them to be able to define a fairly precise amount of money to obligate to a contract. Too much money obligated creates the problem of de-obligation at the end of the year, and returning money to the Treasury. Too little money obligated could force the agency into a deficit, which is a violation of the Anti-Deficiency Act.

    Yet when a mission critical application is running in the cloud, what's an agency to do, if it had accidently underfunded it? Spin down the servers? Likewise, over-obligating funding as a precaution negates the value of cloud, and creates a bureaucratic nightmare for later recovery of said funds. And what happens when the government temporarily shuts down? Should the cloud application be shut off, the same way a services contractor can be sent home? Perhaps there should be way to color cloud money, to negate some of these tricky funding issues.
  2. Government contracting requires well-crafted scopes of work and precise definitions of the items to be procured. This level of precision is hard with cloud. Providers have a huge catalogue of rapidly changing services. AWS for instance, added over 200 services last year, and once they were added, they were instantly available to all contract holders. Rapidly changing and updating services is part of the cloud value proposition.

    To make matters more complicated, the pricing for these various items also can change on the fly, and there is no one size fits-all consumption metric. Some service pricing is based exclusively on time, while others are based on volume or quantity or a combination of all of the above. To cope with this, some government cloud acquisitions are being done by what's colloquially called "the gift card model." The contracting officer effectively loads up a gift card with a certain amount of funding that can be used for items the cloud service provider sells. This is a consumer-friendly approach, but without appropriate controls it could be a recipe for abuse. By analogy, with a Starbucks Gift Card, you can purchase anything from a single croissant to a hundred insulated travel mugs. The potential for an equivalent wide-ranging scope of cloud services needs to be controlled. Plus, the gift card concept still doesn't solve the underlying "bona-fide need" rule or the "anti-deficiency act" conundrum.
  3. In general, agencies are rightfully obsessed with data security, but guidance on the proper terms and conditions to include in a federal contract do not exist. While there is ample opportunity for a contracting officer to accidently omit security requirements, there is even more opportunity for abuse by over-prescribing it.

    I am personally aware of a government cloud contract that is approximately 400 pages with a full 300 pages dedicated to security. Isn't most of this security concern, already alleviated when an application has been properly vetted by the Federal Risk and Authorization Management Program (FedRAMP)? Unnecessarily prescribing security artificially inflates the price of the service, as a conscientious vendor will factor in added risk to the price.

    Alternatively, overzealous security requirements may be so onerous that only less-than-scrupulous vendors may agree to them, without much intent to even understand them. With the well-thought-out security controls inherent in FedRAMP, there is likely an elegant way to create standard security terms and conditions designed to protect the government, where FedRAMP isn't protective enough. Perhaps this can be done with a collection of a few well-crafted clauses.
  4. The fact that cloud feels a like a product and also like a service creates unique problems. It's particularly confusing, because consumers previously purchased all of their IT capability as individual hardware and software products. The cloud model takes traditional IT products, fractionalizes them and rents them as a service. When we characterize cloud as a service, as we currently do, it is unlikely that we can ever procure it from a small business, because the requirement of massive scalability makes it impossible for a small business to play in this space. Indeed, all the IT industry players in the infrastructure- or platform-as-a-service space are huge. It's also impossible to gain small business credit by using a small business reseller, because the requirement to provide at least 51 percent of the services while selling AWS or Microsoft Azures would not be feasible.

On the flip side, if we characterized cloud as a product, we could potentially gain the credit of small business resellers, under the non-manufacturer rule, by correctly determining there are no small businesses that make cloud. But there's another issue that I almost hesitate to address. If we characterize cloud as a product, we'd most certainly have to determine if it were Trade Agreement Act (TAA) complaint, meaning an analysis of where it was manufactured or significantly transformed would be an issue.

If cloud was a product and used hardware manufactured in China, where much of IT hardware is made, it would not be TAA compliant. By transforming non-TAA compliant hardware and software into a rental service, we obviate the traditional TAA analysis. Services and products are evaluated differently. But what if our cloud provider is using Huawei router devices manufactured in China, thought by some to include spyware? What if Russian-made Kaspersky anti-virus software was on every machine? Do we care about the nature of the products we deploy only when we possess them, and our concerns evaporate if we rent them as a service?

Despite these concerns, the government is reasonably proficient in purchasing large-scale cloud implementations like the CIA's Intel Cloud (provided by AWS) and the Defense Department's planned Joint Enterprise Defense Infrastructure cloud program. But these are huge programs that bring together the best and brightest in government procurement (lawyers and contracting officers) who work together for many months to create a large-scale, FAR Part 8, customized solicitation. This won't work for every agency. What about the contracting officer who has been asked to procure a simple test-and-development environment, with a budget of $100,000, a desire to use the simplified acquisition procedures, and a preference for a small business? Where does this contracting officer turn for advice?

An overlooked opportunity?

There is a woefully under-utilized place in the FAR, where cloud guidance would nicely fit. Although the U.S. government spends north of $80 billion a year on IT, FAR Part 39, aptly named "Acquisition of Information Technology," remains mostly a dusty remnant of Clinger-Cohen from 1996, with little to no useful regulations for contemporary IT. Its primary focus can best be summed up as 1) a mandate to manage IT project risk by breaking up IT system development into small modular parts, and 2) assurance that IT systems meet the rules of 508 compliance so those with disabilities are not disadvantaged by non-complying IT applications. As recently as 2012, FAR Part 39 still included a provision for dealing with the Year 2000 problem.

With the government's dramatic and necessary push into cloud computing, the time is ripe to convene a panel of smart experts who possess technical, industry and federal procurement knowledge in order to lay down some basic guidance for contracting officers to make procurement of cloud as efficient and agile as the promise of its consumption.

This call to action isn't to build an overly prescriptive and burdensome new set of procurement rules. The right outcome would be to create a series of useful FAR provisions that would clarify ambiguities and give contracting officers a level of confidence in purchasing this new type of IT item, that defies easy categorization. Without some help and guidance for contracting officers, all we have done is reposition the cloud acquisition bottleneck from the point of data-center provisioning, back to the point of initial procurement.

To take full advantage of cloud, let's assess the entire universe of cloud procurement ambiguities, reduce those issues to manageable and clear guidance, and thereby significantly improve the government's chances of realizing the full benefits of cloud.

NEXT STORY: DISA in high gear on MilCloud migration

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.