Procuring the Cloud: By Jon M. JoHnSon 20 Contract Management April 2012

Transcription

1 Procuring the Cloud: By Jon M. JOHNSON 20 Contract Management April 2012

2 Until agencies stop blaming the FAR for perceived non-compatibility with cloud technologies and start modeling their procurement of cloud services on the purchase of utilities rather than the purchase of IT, there is going to be difficulty with procuring cloud solutions. Contract Management April

3 The concept of cloud computing in the U.S. government marketplace was advocated in December 2010 by U.S. Chief Information Officer Vivek Kundra and articulated in the 25-Point Implementation Plan to Reform Federal Information Technology Management. 1 Since then, federal agencies have been working diligently to comply with the Office of Management and Budget (OMB) directive that requires all agencies to convert three technologies to the cloud by August However, many agencies are having difficulty with procuring cloud solutions, and there appear to be problems or limitations with the Federal Acquisition Regulation (FAR) that do not allow for its compatibility with cloud technologies Contract Management April 2012

4 It is not the FAR that restricts the acquisitions, however, but rather the frame of reference for chief information officers, program offices, and procurement officers. Cloud computing is a new concept and essentially the utilitization of a commodity; therefore, the government should proceed through a cost-contracting method of procurement before moving toward a fixedprice, utility-based model of acquisition. What is Cloud Computing? The National Institute of Standards and Technology (NIST) has assisted OMB with setting the terms and definitions of cloud computing in the federal space. There have been multiple definitions of cloud computing, but according to NIST: Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. 4 There are five essential characteristics that constitute a cloud product: On-demand self-service A consumer can unilaterally provision computing capabilities, such as server time and network storage (as needed) automatically without requiring human interaction with each service provider. Broad network access Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations). Resource pooling The provider s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources, but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, and network bandwidth. Rapid elasticity Capabilities can be elastically provisioned and released (in some cases automatically) to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time. Contract Management April

5 Measured service Cloud systems automatically control and optimize resource use by leveraging a metering capability (typically on a pay-per-use or charge-per-use basis) at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service. 5 There are three service models involved in cloud computing: Infrastructure-as-a-service (IaaS) Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service. Software-as-a-Service (SaaS) The capability provided to the consumer is to use the provider s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., Web-based ) or a program interface. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings. Platform-as-a-Service (PaaS) The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure, 24 Contract Management April 2012

6 including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment. 6 Finally, there are four types of deployment models for cloud computing: Public cloud The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination thereof. It exists on the premises of the cloud provider. Community cloud The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a There may be issues with the FAR, but it is flexible enough to deal with cloud procurement. Know the Rules. Win the Contract. Federal Construction Contracting Made Easy Stan Uhlig Successfully find, plan, and complete government construction projects. This book clearly outlines where you can find solicitations and how to prepare the winning proposal. Topics include preparing quality control and safety programs that comply with federal regulations and processes, understanding the Federal Acquisition Regulation (FAR), and much more! Bonus: Federal Construction Contracting Made Easy: A Field Guide to the FAR is available as a supplement for project superintendents. Price: $ , 6 x 9 softcover, 366 pages ISBN , Product Code B619 Federal Contracting Made Easy, Third Edition Scott A. Stanberry Find out everything you need to know about federal contracting. This all-in-one source is designed to give you the basic understanding of how the federal government acquires supplies and services. This practical handbook will guide you through the intricate challenges of federal contracting, including contracting regulations, size standards, contracting activities, federal publications and forms, subcontracting opportunities, and much more! Price: $ , 6 x 9 softcover, 352 pages ISBN , Product Code B315 Scan the QR code for more information Scan the QR code for more information Make these books your first stop for quick and easy guidance on all aspects of federal contracting. Order Today! (Please use promotion code NCMA0412) Phone: Online: Contract Management April

7 third party, or some combination thereof, and it may exist on or off premises. Private cloud The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination thereof, and it may exist on or off premises. A hybrid cloud The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds). 7 How Has Cloud Computing Been Procured to this Point in Time? To date there are not many examples of successful cloud computing procurements that have undergone a competitive solicitation process. Despite the desire of many agencies to comply with the stated OMB policy, only a small number of agencies have successfully procured cloud computing in a competitive environment. 8 There have been some failed attempts at procuring cloud solutions as well. 9 As a result, some are beginning to wonder whether the FAR should be relevant when dealing with cloud computing. In a Federal Computer Week article, writer Alan Joch attempts to present the case that federal procurement rules and regulations are not nearly agile enough to take advantage of the dynamic environment that is cloud computing. 10 Anecdotally, some program offices have even gone so far as to request recommendations to have the FAR revised so that it would be, in their view, more adaptable for use in procuring cloud services. What's wrong with the FAR? 26 Contract Management April 2012

8 The FAR is simply regulation that offers structure and provides ample discretion to contracting officers to make decisions. To blame the FAR for procurement problems is like an architect blaming the hammer when there is a problem with the design of a house. This is not the first time the FAR was blamed for an inability to get what is needed, nor will it be the last time. However, in a blog written in response to Alan Joch s article, Steve Kelman, from the Kennedy School of Government, states that any beliefs that rigidities in the procurement system create barriers to buying certain kinds of products and services appeal to, and exacerbate, a climate of fear, uncertainty, and doubt that many in the government feel when they are going to have to deal with the procurement system. 11 Further, all too often, consumers of the procurement system get paralyzed by worries of roadblocks they think the system creates that in fact aren t there. 12 There may be issues with the FAR, but it is flexible enough to deal with cloud procurement. If the FAR is capable of acting as procurement guidance to address some of the most complex procurements dealing with construction of nuclear storage facilities, nuclear waste clean-up and disposal, major weapons systems, satellite technology, and telecommunications, it is certainly flexible enough to work with cloud computing. The FAR is simply regulation that offers structure and provides ample discretion to contracting officers to make decisions. To blame the FAR for procurement problems is like an architect blaming the hammer when there is a problem with the design of a house. How Can the FAR be used for Procuring Cloud Services? Most competed procurements for cloud services have thus far been conducted under FAR Part 8. People involved in purchasing IT for the federal government are certainly no strangers to using IT Schedule 70 or the Alliant GWAC (depending on their need), and all have attempted to fix-price the pricing tiers in order to account for some flexibility or potential volume discounts. The assumption by many is that FAR Part 8, particularly a Federal Supply Schedules buy, is easier, saves time, and saves money. This is certainly true for items like computers, servers, or software licenses, but may not be the best approach for a more complex, solutionsbased acquisition like cloud computing. The FAR is also flexible enough to allow procurement through FAR Part 13 for simplified acquisition procedures, or FAR Part 15 to establish contracts by negotiation. The FAR has established clear guidance for major systems acquisition (FAR Part 34) and acquisition of IT (FAR Part 39). In short, the FAR provides numerous contract methods that an agency can employ in order to address cloud procurement. Further, the FAR offers guidance in terms of whether or not a contract should be fixedprice or cost-reimbursement. 13 To date the federal government has attempted to have vendors fix the price of their cloud offerings, and the executive branch has stated that this is the preferred method of doing business. 14 However, this may not be the best method for procuring cloud services initially. As stated in FAR : Complex requirements, particularly those unique to the government, usually result in greater risk assumption by the government. As a requirement recurs or as quantity production begins, the cost risk should shift to the contractor, and a fixed-price contract should be considered. Contract Management April

9 Again, the tools are there to get what you want as long as you know what you need. As long as contracting officers are consulted and involved early in the process, they can serve as advisors to navigate the FAR and provide sound business advice to assist the programs in a meaningful way that leads to a successful procurement. To do otherwise puts the procurement at risk as the program office does not get what they seek, and this often leads to undue criticism of the FAR. Where is the Guidance? The issue is not with the FAR, but rather with the perception and understanding of agency needs or requirements and what is offered in the marketplace. Cloud computing is an unknown, even for IT professionals in the government space, and there has been ample guidance and reporting in an attempt to better navigate cloud procurement. Most guidance covers all the basics and has been adapted from some NIST guidance 15 and is related more to requirements writing than the mechanism of procurement. For example, most sources make recommendations such as the following: Complete a cost benefit analysis as to whether a cloud computing solution offers viable cost savings compared to your current operations, Develop a strategy of determining potential targets to move to the cloud, Conduct market research, Set performance objectives, Address continuous monitoring of systems and reporting needs, Plan for data migration and portability, Determine the acquisition strategy, Examine pricing models, Consider security needs, and Prepare your organization for a cultural adjustment. 16 Unfortunately, however, every set of guidance available either misses the mark or overlooks the obvious. Guidance tends to focus on what should be procured and related requirements, but no guidance is given on how it should be procured. 17 That remains unsaid, and often it is the perceived framework of cloud services that determines the type of vehicle. A Paradigm Shift has Occurred and Nobody Noticed If you ask a chief information officer, an IT program office, or an IT procurement office what they are getting when they are purchasing cloud services, they associate them with what they already have in terms of equipment capabilities, only in a virtual environment. They think of cloud services in terms of server capabilities, server space, and software licenses. Even with the asa-service characterization, I contend that many think of this in terms of IT services by default. They think of the concept of cloud Federal agencies need to understand that this is a shift to a utilitization model of IT... So rather than looking at procuring cloud services as an IT procurement, agencies must instead view it as if they are procuring a utility. 28 Contract Management April 2012

10 computing with a systems mindset, and this is an incorrect frame of reference. Federal agencies need to understand that this is a shift to a utilitization model of IT. Three aspects of cloud (on-demand, rapid elasticity, and measured service) lend themselves to this point of view. So rather than looking at procuring cloud services as an IT procurement, agencies must instead view it as if they are procuring a utility. Until this realization is made, and agencies start modeling their procurement on the purchase of utilities rather than the purchase of IT, there are going to be difficulties due to the cognitive dissonance between what they think they want and what cloud is. CM About the Author JON M. JOHNSON, CFCM, is a doctoral student at the Virginia Tech Center for Public Administration and Policy in Alexandria, Virginia, specializing in organizational robustness and fragility, federal IT policy, and federal contracting. He is a federal contracting officer in Fairfax, Virginia, and treasurer of the Pentagon Chapter of NCMA. Send comments about this article to cm@ncmahq.org. Endnotes 1. See pdf. 2. See Computing-Strategy.pdf. 3. See Elizabeth Montalbano, FCCI Contractor Warns of Cloud Pitfalls, InformationWeek online (March 25, 2011), available at www. informationweek.com/news/government/ cloud-saas/ ; and Alan Joch, Is Government Procurement Ready for the Cloud? Federal Computer Week (January 27, 2012), available at Derived from NIST, ibid. 6. Ibid. 7. Ibid. 8. See GSA Becomes First Federal Agency to Move to the Cloud Nationwide, available at and Kevin L. Jackson, Homeland Security Moves to Cloud through GSA IaaS BPA, available at /10/01/homeland-security-movesto-cloud-through-gsa-iaas-bpa/. 9. See google-wins-injunction-in-microsoft-interiordepartment-cloud-computing-contract-case. htm;jsessionid=3qdhfdd+63yhu-crmx0jrg**. ecappj03 and bidpro/ pdf. 10. Joch, see note Steve Kelman, FUD Surrounds Cloud Computing Procurement Process, Federal Computer Week online blog, available at Blogs/Lectern/2012/02/FUD-cloud-computing. aspx. 12. Ibid. 13. FAR Part See Memorandum-for-the-Heads-of-Executive- Departments-and-Agencies-Subject- Government. 15. See guide.cfm. 16. See comment&id= See Contract Management April