Cloud Computing and Government Contracts
Posted on January 29, 2014 in Government Contracts
Many government entities are following the private sector with moves toward cloud computing. Those that have not already begun the migration are planning deployment initiatives. The migration from legacy systems to a cloud environment offers industry-standard platforms that give agencies better storage and networking capabilities, along with virtual servers.
At the federal, state and local level, agencies have discovered that using cloud services can offer numerous benefits. Services such as infrastructure as a service or software as a service can help to lower costs, boost efficiency and increase scalability and agility in the government.
While the potential benefits are enough to encourage an IT transformation, shifting to the cloud may also present challenges, particularly for government contracts. Putting a strong program in place as agencies leverage this new computing delivery model should be a top priority.
Why the Move to Cloud Services?
A federal cloud computing initiative began in 2011 with the release of President Obama's budget, which included it as an essential aspect of an IT strategy. From this strong commitment toward cloud computing came efforts to implement the concept in multiple federal government agencies. Ultimately, the goal was to develop a broad strategy to use specific applications across the government.
Four different deployment models encompass agency initiatives, which allows each agency to choose the model that best serves its needs. The National Institute of Standards and Technology defines each model separately.
- Private clouds can be used by a single agency
- Community clouds are shared by multiple agencies
- Public clouds are used largely for the benefit and use of the American public
- Hybrid clouds facilitate sharing data and utilities across more than one cloud type
According to some agency leaders, the need for more versatility and more services at a lower cost is the main driver for government decisions to move to the cloud. It is also worth noting that moving to the cloud is not a unilateral initiative, although a significant number of agencies are adopting cloud services.
Most government agencies are making this shift independently of other agencies. Embracing advanced technologies can be helpful to streamlining processes that usually get tied up in government bureaucracy. Nevertheless, there are collective issues to consider for contractors using a cloud service provider and doing business with the federal government.
Impact to Government Contractors
In many cases, federal contractors already employ cloud computing services to fulfill the requirements of their contracts. Cloud service providers offer applications that enable contractors to use real-time functions to manage and collaborate on government projects. This may include fiscal requirements and timekeeping functions. The expectation in using these services is to achieve greater efficiency with managing a project online.
To both maintain efficiency and comply with federal contract requirements, cloud service providers are hired as subcontractors to perform duties. At the same time, this raises legal issues that should be considered in fulfilling a contract without being liable for a civil, criminal or administrative infraction. Mitigating potential liability for the contractor often requires negotiating terms with the cloud service provider that are not accepted from commercial customers.
The subcontractor agreement between the primary contractor and cloud service provider will usually mandate near constant availability of government data. It is also the contractor's responsibility to make sure data maintenance requirements are flowed down to the provider. This is necessary to ensure that Federal Acquisition Regulations, or FAR, are followed properly.
An added protection for a government contractor is to include a contract clause that indemnifies the contractor from liability caused by the provider. This may include failure by the subcontractor to maintain data according to federal specifications. Equally important is for the subcontractor to understand the responsibility this imposes on its ability to provide data maintenance and service at a certain level.
From the cloud service provider's perspective, this means recouping the potential costs. The cost of agreeing to indemnify the government contractor will be included in the price of delivering services to the contractor.
There are also cloud service providers that offer platforms and services that are compliant with FAR to satisfy auditing requirements. In addition, these providers offer a certain level of security and 24/7 on-demand access to government data and applications that are stored in the cloud. Subcontracting with these providers can reduce the costs of trying to manage an in-house system when a provider does not normally offer these services. It costs less for the government contractor to store, accumulate and report any accounting data that should be compliant with FAR.
Government Information Assurance and Security Requirements
Typically, a contractor may use a cloud service provider to maintain government data related to contracted services. Depending on what is viewed as critical or confidential, the government contractor may need to include information assurance and security requirement language in the contract with the service provider.
For instance, there might be compliance requirements set by the National Institute of Standards and Technology that would not be part of a standard contract. Part of these requirements might include allowing government inspection of security safeguards and privacy practices at respective facilities. Further, the government may require notification whenever there is a failure of safeguards or practices.
Additionally, certain circumstances may require that the contractor have a continuity-of-operations plan in place if primary information systems fail under catastrophic conditions. This may necessitate imposing certain requirements on the cloud service provider. Therefore, compliance with a contractual agreement with the federal government means the contractor must have identical information assurance and security requirements in the CSP contract.
Government Business Practice Requirements
There are also certain business practice requirements that government contractors must follow, which can have a direct impact on using a cloud service provider. It may be necessary to flow down compliance requirements to the provider to maintain consistency in practices. A good example of this is when the government evaluates whether the contractor's systems, internal controls and policies are adequate to deliver contracted services.
If the contractor is using a cloud service provider to operate an internal control such as reporting accounting data or storing information, it is the contractor's responsibility to make sure the provider is in compliance. Compliance with accounting data may also need to follow the Cost Principles and Cost Accounting Standards of the federal government.
Another condition set under FAR may include document retention requirements. Including these terms in the agreement between the contractor and provider is the best approach to making sure federal requirements are applied.
Not requiring compliance by the cloud service provider could lead to failing a government audit. As a result, the contractor could lose not only their current contract, but also chances of securing future federal contracts.
Moving to cloud computing services is not always easy, as many private sector companies are discovering. In many cases, there is a sea change in IT processes and infrastructures, along with changes in the way applications and computing capacity operate. For government agencies that have a long history of using legacy systems and specific software licensing arrangements, the move can present a host of challenges. All the same, the cloud is becoming a permanent fixture for corporate enterprises and the federal government.
One common challenge often cited by agencies hesitant to make the shift is security and privacy. Looming concerns about data breaches can present a challenge when moving from physical servers to cloud environments. With hacking and breaches occurring on a frequent basis, the focus on security is universal for the private and public sector. Public cloud services are shared among multiple users, which increases concerns.
Still, cloud computing poses significant benefits for federal government contractors. These benefits are realized when risks are identified and mitigated early in the contracting process. Negotiating terms and conditions with cloud service providers according to federal requirements is necessary. Doing so can pave the way for revolutionizing the way contractors do business with the government.
This article about Cloud Computing and Government Contracts was provided by 1st Commercial Credit.