The Growing Pains of Cloud Procurement
Deciding whether your agency will move to a public- or private-cloud model is just the beginning when it comes to adopting Internet-based services.
Devising a plan for acquiring those services, negotiating terms and conditions with vendors and ensuring those agreements comply with state laws is where chief information officers are running into roadblocks.
“You can’t just import the terms and conditions that we’ve used for our IT services contracts over the years,” said Dugan Petty, senior fellow at the Center for Digital Government. “That’s kind of the framework we’ve started from. Let’s take our IT terms and conditions and let’s put them in a cloud contract. They don’t work.”
One of the first steps to specifying contractual terms and conditions is understanding the definition of cloud and ensuring that all players involved understand what cloud is and is not, said Petty, who moderated a cloud procurement panel at NASCIO’s 2014 midyear conference in Baltimore.
The National Institute of Standards and Technology’s definition of the cloud is the best place to start, he said. It sounds like a no-brainer, but suppliers and cloud providers may be using a different definition.
Delaware has a template for vetting cloud vendors, which includes a total of 23 terms and conditions, nine of which are mandatory, said CIO Jim Sills. That template is currently being updated.
Getting Procurement on Board with the Cloud
Procurement laws have not kept pace with technology, Sills said. “A lot of the time, we were actually battling our procurement people because they are very focused on buying pencils and trucks and pens, and cloud touches four or five different disciplines in IT — maybe seven or eight,” he said.
Sills urged CIOs to be more aggressive in educating their procurement teams about the terms and conditions of cloud contracts. Initially, Delaware received pushback from vendors as the state tried to institute standard terms and conditions.
While vendors have tweaked their models over the past few years to cater to the state’s needs and legal requirements, there’s still a lot of back and forth with contractors.
“It takes longer to do the negotiation than it does to deploy the software,” Sills said. “And that frustrates me because I like to get things done fast.”
CIOs must understand and articulate the elements of a cloud contract that are absolutes, areas where they cannot waiver because of statutes, said Todd Kimbriel, chief operations officer with the Texas Department of Information Resources.
For example, the department can’t waiver on auditing requirements, Kimbriel said. The state auditors office has broad authority to audit any vendor, and state law also permits the department from paying for services in advance.
“We have to receive those services before we can actually pay for it,” Kimbriel said. The model for Infrastructure as a Service providers is to collect money in advance.
But these types of laws need not become barriers to adopting cloud technology.
For example, Texas conducted a pilot program in which it used a cloud broker as an intermediary between the agency and cloud vendor. The broker agreed to take on some of the financial risks to ensure cloud services were delivered.
While current procurement policy is designed for buying fixed goods, it doesn’t prohibit buying subscription-based services, said Sean Vinck, CIO for Illinois — it’s just not well suited for it. Often, overcoming cultural barriers can be just as challenging as dealing with legal requirements.
“Behavior that is repeated and is therefore precedent has the force and effect of law in the context of the bureaucracy,” Vinck said.
