Last June, the U.S. Federal Chief Information Officer released a report delineating Cloud Smart,* a new strategy to accelerate adoption of cloud-based solutions. One important Cloud Smart best practice states that “where a cloud solution is deployed by a vendor, a service level agreement (SLA) should be in place.”
Note, however, that not just any old SLA — likely crafted by and for the cloud solution vendor/service provider — will be acceptable. Federal data is often sensitive and must remain secure even when it is permitted to travel beyond the constrained boundary of the agency’s Trusted Internet Connections (TICs). So, SLAs covering cloud solutions adopted by federal agencies have to be especially stringent about data security.
Continuous awareness, continuous access
Cloud Smart SLAs must provide the deploying agency “with continuous awareness of the confidentiality, integrity, and availability of its information.”
Thus, prior to signing any service agreement, “agencies should be made aware if their information will reside on a third-party information system.” In addition, Cloud Smart wants SLAs that enable continuous access to log data and prompt agency notification whenever an adverse event, like a cybersecurity incident/breach, is even suspected.
Cloud Smart also anticipates the need for public-private collaboration, especially regarding cybersecurity and across multi-cloud environments. Such continuous visibility and information sharing means agency cloud solution SLAs have to address evolving Department of Homeland Security monitoring and analysis capabilities.
Two tracks, one goal
To overcome confusion about what, specifically, should be included in a federal agency cloud solution SLA, Cloud Smart introduces a two-track, SLA-focused approach to cloud purchasing and usage.
First, SLAs governing federal agency cloud solutions are being standardized across agencies to boost cost-effectiveness/efficiency and improve risk management via greater consistency and transparency. To that end, clauses in federal agency cloud solution SLAs must:
(1) Implement a provision of law applicable to the acquisition of commercial items; and/or
(2) Be generally consistent with customary commercial practice.
Second, responsibility for managing a federal agency’s risk lies with the agency’s executive head — “even with respect to contractor-operated systems.” Therefore, every agency needs to “granularly articulate roles and responsibilities, establish clear performance metrics, and implement remediation plans for non-compliance.”
Why you need to pay attention
Cloud Smart and its requirements regarding SLAs directly affect only federal agencies; however, as Cloud Smart SLA standards spread nationwide, they will impact public sector agencies at all levels with their emphasis on using SLAs to ensure continuous awareness of IT operations and cybersecurity — and on assigning risk management responsibility to agency executive leadership.
So pay attention: public sector information technology SLAs have never mattered more.