CIO Council and Chief Acquisition Officers Council, Creating Effective Cloud Computing Contracts for the Federal Government, Best Practices for Acquiring IT as a Service (Feb. 24, 2012) (full-text).
This publication provides standards against which the success of agency programs can be measured, including monitoring performance, optimizing investments, and adopting and sharing best practices.
The guidance identifies 10 key areas unique to federal agencies' procurement of cloud services that require improved collaboration and alignment during the contracting process. The 10 areas are:
Selecting a cloud service — choosing the appropriate cloud service and deployment model.
Cloud service provider and end-user agreements — terms of service, and service provider and end-user agreements need to be fully integrated into cloud contracts.
Service-level agreements — agreements need to define performance with clear terms and definitions, demonstrate how performance is being measured, and identify what enforcement mechanisms are in place to ensure the conditions are met.
Roles and responsibilities — cloud service provider, agency, and integrator roles and responsibilities should be clearly defined.
Standards — NIST's cloud reference architecture should be used for cloud procurements.
Security — requirements for the cloud service provider to maintain the security and integrity of the agency data must be clearly defined.
Privacy — privacy risks and responsibilities need to be addressed in the contract between federal agencies and cloud service providers.
E-discovery — service providers need to be aware of the need to locate, preserve, collect, process, review, and produce electronically stored information in the event of civil litigation or investigation.
Freedom of Information Act (FOIA) — all relevant data must be available for appropriate handling under the Act.
E-records — agencies need to ensure that cloud service providers understand the federal agencies' obligations under the Federal Records Act of 1950.