In this session, we provide an overview of existing cloud-ready contracts, such as cooperative, federal, and state directed contracts, and walk through steps on how to choose the right one for your procurement. We compare various cloud-ready contracts by identifying scope, end-user eligibility, and primary service offerings to help you make the right choice for your mission needs. Learn More: https://aws.amazon.com/government-education/
What is the Cloud?
[Figure: the stack layers (Networking, Storage, Servers, Virtualization, Operating System, Middleware, Runtime, Data, Applications) shown for each of Infrastructure (as a Service), Platform (as a Service), and Software (as a Service), with each layer marked as Provider Responsible or Consumer Responsible.]
1. Build a Cloud-Centric Procurement
• Successful cloud adoption flows down from well-built procurement strategies and
cloud-centric contract vehicles.
• Getting procurement ‘right’ will lead to a portfolio of cloud technology and services that
truly realizes the benefits cloud computing offers government agencies.
• Central to the success of cloud procurement is making sure end users have access to
the cloud services they need, when they need them.
• Focus on how cloud computing can benefit agencies and end users, and work
backwards from these benefits – avoiding needless obstacles that could hinder rapid
access to the services users need.
Cloud procurement should be purposively different from existing procurement
2. Involve Key Stakeholders Early
A successful cloud strategy involves all key stakeholders at an early stage
• Senior executive of organization
• Chief Information Officers (CIOs)
• Program managers and Contracting Officer's Technical Representatives (COTRs)
• Acquisition/procurement specialists
• Directors of IT and mission-critical systems
• IT professionals
• Security professionals
• Legal and policy experts
• Finance and budget staff
• Human Resources (HR) and staff development
• Industry partners
• Academia partners
3. Ask the Right Questions
You’ll only get what you ask for
• You are not buying physical assets; therefore, you do not need to ask for many things
you are used to asking for in a traditional data center RFP.
• Recycling data center RFP questions will inevitably lead to data center answers, and
may leave cloud vendors unable to bid.
• Make sure you ask the right question to get the best cloud solution.
• Cloud allows you to focus on application-level and performance-based requirements –
there is no need to dictate specific methods, infrastructure, or hardware.
3.1. Analyst Reports
Use third-party analyst reports during Cloud Provider evaluations
Gartner “Magic Quadrant for Cloud Infrastructure as a Service, Worldwide,” Lydia Leong, Douglas Toombs, Bob Gill, May 18, 2015. This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available at http://aws.amazon.com/resources/analyst-reports/. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
4. Separate Infrastructure from Services/Labor
• Cloud IaaS/PaaS
• Training
• Support
• Marketplace
• Requirements Analysis
• Strategy & Roadmap
• Solution Design & Architecture
• Application Development/Support
• Tech Review & Audit
• Implementation/Migration
• Governance
• Security
• Billing & Account Management
• Program Management
• Service Desk
Cloud Service Providers
Resellers, System Integrators, Managed Services
Public Sector Customers
5. Security Is a Shared Responsibility
Security expertise is a scarce resource; Cloud Providers oversee the big picture,
letting your security team focus on a subset of overall security needs
5.1. Architected for Government Requirements
Cloud Providers should have certifications and accreditations for workloads that
matter to public sector customers
6. Utility Pricing Model
Build an acquisition model for the on-demand, pay-as-you-go nature of cloud
computing
• Traditional IT pricing approaches can reduce or eliminate benefits of cloud.
• Accept different vendor pricing models – do not create a single pricing model.
• Embrace on-demand, utility-like, OpEx model cloud pricing.
• Understand cloud provider tiered pricing, and reserved pricing (such as AWS's
Reserved & Spot Instances), to budget for estimated usage and reduce expenses.
7. Tech Refresh/Innovation
Pace of innovation and continuous service improvements are a major reason
why more and more public sector customers are moving to the cloud
9. Acquisition Regulations
Cloud computing should be purchased as a commercial item and/or services
• Broadly speaking, a commercial item is recognized as an item that is of a type that has
been sold, leased, licensed, or otherwise offered for sale to the general public.
• In order to maximize the benefits of cloud computing, commercial terms should govern
the contract.
• Successful cloud procurements recognize that Cloud Providers are not providing
custom-built deliverables, and that the benefits of cloud stem from operating at a
massive scale.
10. Terms and Conditions
Avoid recycling terms and conditions from traditional datacenter procurements -
this may lead to decreased Cloud Provider competition and loss of cloud benefits
• Physical Data Center Tours, Audits, and Access
• Physical Separation of Data, Assets, and Infrastructure
• Customization of Services to Interoperate with Legacy Systems
• Mandatory Flow Down of Business Terms and Conditions not Required by Statute
• Prescribed Data Center Personnel Background Checks
• Prescribed Infrastructure and Machines
• Fixed Service Terms and Pricing
• Small Business Subcontracting Plan
• Termination Assistance – Government can Terminate at any Time
• Rights in Data – Government Owns and Controls all Their Data
Single Line Item Structure
Example from a U.S. Government Agency Task Order
MINIMUM GUARANTEE AND MAXIMUM SPEND: Because it will be impossible for the [Govt customer] to determine
exactly how much labor to be delivered by the reseller, and what volume of a specific Cloud Service Provider’s
resources will be consumed over a period of time, for the purposes of this delivery order, orders will be specified as fixed
price unit quantities of a single ordering CLIN for “Cloud Services and Ancillary Labor”.
Each unit of the CLIN ordered will equate to $50,000.00 worth of Cloud Services and Ancillary Labor. Orders will be
placed periodically for various quantities of $50,000.00 CLIN units based on the [Govt customer’s] estimated usage of
cloud services and associated labor. This arrangement will provide [Govt customer] with the flexibility to pre-order
“$50,000.00” units of “Cloud Services and Ancillary Labor” as necessary to support operations and to remain consistent
with cloud computing “pay as you go” commercial practices.
Next Steps
Committing to a cloud-first strategy sends an important message that cloud is
indeed the new normal in the public sector, and here for the long-term
• Understand and Evangelize the Benefits of Cloud within your Organization. Work
backwards from these benefits to envision your ‘ideal cloud end state’, so that
customer and end user needs drive the effort.
• Engage with Partners. Having consulting and technology partner support in place
makes it much easier to deploy, adopt and/or shift workloads to the cloud.
• Engage with Industry. Facilitating discussions with Cloud Providers, Solution
Architects, and Business Development teams ensures that government and industry
are on the same page in respect to how cloud technology and procurement is evolving.
Finally: Do a Pilot
Conduct iterations of small acquisitions through desired vehicles, mechanisms
and processes
• Find out quickly what works and doesn’t work, fix it in the next iteration, and try again.
• The benefit of cloud is that the cost of failure is close to zero. It may take several
attempts to perfect pilot acquisition, technical integration, business processes, and
security approaches in tandem.
• Establish a contract mechanism that is task performance-based/oriented, with a single
line item structure that provides for a range of services; with Not-To-Exceed controls,
and language associated with inclusion of governance processes.
• Incorporate regulatory guidelines to enable expansive on-boarding; with consideration
of various funding types and applicable delegated authorities.
AWS Public Sector Contracts Page
http://aws.amazon.com/contract-center/
GSA Schedule 70
• IDIQ (License to Hunt) available to federal, state, local, and tribal entities
• On April 29, 2015, GSA added Cloud Special Item Number (SIN) 132-40
• 132-40 Cloud Computing Services
• 132-52 Electronic Commerce and Subscription Services
• Available through these AWS Government Authorized Resellers:
• Accenture Federal Services
• A&T Systems - 8(a) - Minority Owned (holds Cloud SIN)
• Apptis, Inc
• Aquilent
• Cloudnexa
• DLT Solutions (holds Cloud SIN)
• Four Points - SDVOSB - Service Disabled Veteran Owned
• InfoReliance Corporation (holds Cloud SIN)
• JHC Technology - SDVOSB - Service Disabled Veteran Owned
NASA Solutions for Enterprise-Wide Procurement V (SEWP V)
• GWAC (end to end IT solution contract); available to all federal agencies
• Scope: IT products and product-related services, including Cloud Computing
• Available through these AWS Government Authorized Resellers:
• Accelera (small business)
• DLT Solutions (small business)
• Four Points Technology (SDVOSB)
• Insight Public Sector
• Strategic Communications (small business)
• Unisys Corporation
NASPO ValuePoint (formerly WSCA-NASPO)
Public Cloud Hosting Services
• IDIQ (License to Hunt) - public cooperative contract
• GIS Cloud Hosting Services
• General Cloud Hosting Services
• Consulting and Design Services
• Available through these AWS Government Authorized Resellers:
• Day1 Solutions
• Unisys
• ESRI
State of Texas DIR Contract
• IDIQ (License to Hunt)
• Assessment, Cloud Broker, IaaS, PaaS
• Out of State Customers eligible to use DIR contracts via the Interlocal
Cooperation Contract
• Available through these AWS Government Authorized Resellers:
• DLT Solutions
• Avosys
• Vintage IT
• DoubleHorn
• General Dynamics
Why talk about cloud procurement in the public sector? – Well, it’s essential for people in public sector who want cloud, to be able to buy cloud – and we are moving from a discussion as to whether you should move to the cloud, to the question of how you can move to the cloud.
AWS has over 2000 government agencies, 5000 educational customers, and over 17,5000 non profits using the AWS cloud - and a decade of experience in helping them build successful cloud procurement models – cloud procurement can be done.
Existing cloud acquisition approaches were built with traditional IT still very much in mind. However, as cloud has become the new normal in public sector IT planning, it makes sense that agencies reevaluate how IT services are procured, budgeted for, and used, in order to build a cloud procurement strategy that is intentionally different from traditional IT - designed to harness the benefits of the cloud delivery model. THIS IS WHY WE NEED TO TALK ABOUT CLOUD PROCUREMENT – RECYCLING DATACENTER PROCUREMENT MODELS WILL NOT WORK AND WILL REDUCE THE BENEFITS OF THE CLOUD.
The fundamental difference between cloud computing and traditional IT is that in a cloud model customers are not buying physical assets.
Customers can use cloud services like building blocks, customizing for themselves an infrastructure on which to build their applications.
Understanding that cloud computing offers a different delivery model helps set expectations regarding CSP and customer responsibilities. As customers do not own physical assets, it follows that they should not approach cloud procurement as if buying physical assets.
There are different cloud service models available, such as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS), and there are different approaches to procuring, managing, pricing, and securing each XaaS model. It is imperative that organizations understand each cloud model and create acquisition approaches for each.
Understand the benefits of cloud. Successful cloud migrations start with a clear understanding of why cloud is different from on-premises IT, and the benefits that cloud offers. To many people, cloud computing is new in concept as well as in practice, and starting conversations with assumed knowledge can lead to confusion. Conveying what cloud is, and basic cloud benefits, will ensure that all stakeholders are on the same page. Plus, if you don’t know why you’re doing something, you won’t buy in to doing it.
Envision and document your ideal ‘end state’ in the cloud - so you have procurement ‘guiding principles’. Communicating the benefits of moving to this end state will ultimately lead to greater buy-in, and will help drive cloud adoption.
Build your cloud procurement model (working backwards from your ideal ‘end state’, so that your needs, and the needs of end users, guide your priorities).
Continuous Education. Every day I learn that I know a little less than I thought I did about cloud computing – it’s a fast-moving technology and requires constant re-education.
What are the current barriers end users face when trying to buy cloud services they need – THINK DIFFERENTLY when procuring cloud - THINK BEYOND existing constraints such as:
Long procurement delays
“Old world” security requirements
Restrictions/consent requirements on the ability to change and improve services and features that are available during the term of the contract
Budget cycles creating an artificial constraint to agency users
Overly prescriptive requirements limit the ability to conduct “tech refresh” in a realistic evolutionary cycle
Involving key stakeholders from an early stage ensures that there is a clear understanding of how cloud adoption will influence existing practices. It also provides an opportunity to reset expectations about how to procure IT, schedule, risk management, security controls, and compliance.
Create a culture of innovation. Educate staff so those with institutional knowledge can learn how to use cloud technology. This will accelerate buy-in during the cloud adoption journey, and foster a culture of innovation.
Commit to a cloud-first policy: A cloud-first strategy sends an important message throughout government agencies that cloud is indeed the new normal.
Cloud allows you to focus on application-level and performance-based requirements – not dictating specific methods, infrastructure or hardware.
Cloud is a fresh start – and recycling on-premises RFP questions will inevitably lead to on-premises IT answers.
You are not buying physical assets, therefore you do not need to ask for many things you are used to asking for in a traditional IT RFP.
Third-party analyst reports such as Gartner are excellent barometers of Cloud Provider capabilities and scale.
Understand the ecosystem of players in the cloud arena – a cloud provider is not an SI or Managed Service Provider, and does not offer all the capabilities needed to implement and manage a cloud environment.
Public sector customers will require a cloud provider for their infrastructure, then determine how big of a role they want to assume in delivering cloud services and how much they intend to outsource to a Reseller/SI/Managed Services Provider.
As in the previous slide, successful cloud acquisitions separate the purchase of cloud infrastructure from the purchase of related services and labor for planning, developing, executing, and maintaining cloud migrations and workloads.
Engage with Partners: Partnerships come in many shapes and sizes: staff augmentation, solutions delivery, managed services, Software as a Service (SaaS) solutions, etc. Having consulting and technology partner support in place makes it much easier to deploy, adopt and/or shift workloads to the cloud.
Having the support of world-class services makes it much easier to adopt and shift existing business processes to the cloud. Therefore, the strength and breadth of a cloud provider’s partner ecosystem is crucial to a successful cloud migration.
As cloud computing customers are building systems on top of cloud infrastructure, the security and compliance responsibilities are shared between service providers and cloud consumers.
In an IaaS model, customers control how they architect and secure their applications and data put on the infrastructure, while CSPs are responsible for providing services on a highly secure and controlled platform and for providing a wide array of additional security features.
Again, this highlights how the strength and breadth of a cloud provider’s partner ecosystem is crucial to a successful cloud migration, as SIs and Managed Services Providers can architect and secure customer applications.
Additionally, it is vital to have a marketplace that enables customers to find, buy, and immediately start using familiar security software to deploy a comprehensive security architecture on the cloud.
Use cloud provider tools to create standardized, reusable environments that support certifications, accreditations, and compliance processes, that can be reused across the organization. For example, AWS provides customers with a standardized environment that helps support NIST 800-53/RMF certifications, accreditations, and compliance processes.
Important points to remember:
1) Customers own their data.
2) Customers choose the geographic location(s) in which to store their data—it does not move unless the customer decides to move it.
3) Customers can download or delete their data whenever they like.
4) Customers should consider the sensitivity of their data and decide if and how to encrypt the data while it is in transit and at rest.
If you look at the amount of certifications that AWS has achieved and secured for its customers over the last several years, influenced by what they told us matters most, it’s been a real enabler for public sector customers to move to the cloud.
We understand that you have to achieve security and compliance hurdles. We’ve seen governments around the world take this on and everywhere where we’ve seen a standard, we’ve been able to meet it.
Leveraging industry best practices regarding security, privacy, and auditing provides assurance that effective physical and logical security controls are in place, preventing overly burdensome processes or approval workflows that are not justified by real risk and compliance needs. There are many security frameworks, best practices, audit standards, and standardized controls that cloud solicitations can cite, such as shown in the slide.
There are a great number of standardized controls and requirements that comprise cloud accreditation schemes, as bundling hundreds of controls into one cloud provider accreditation streamlines cloud procurement. For example, NIST 800-53 Architecture on AWS.
Think beyond the commonly accepted approach of fixed-price contracting, and build an acquisition model for the on-demand, utility-style, pay-as-you-go nature of cloud computing.
To contract for the cloud in a manner that accounts for fluctuating demand, customers need a contract that lets them pay for services as they are consumed.
CSP pricing should be:
Offered via a pay-as-you-go utility model, where at the end of each month customers simply pay for their usage.
Allowed the flexibility to fluctuate based on market pricing so that customers can take advantage of the dynamic and competitive nature of cloud pricing.
Allowing CSPs to offer different pricing models enables customers to evaluate each pricing model against the requirements of their solicitations, as opposed to an “apples to apples” pricing comparison through arbitrary compute or storage units.
CSPs should provide transparent, publicly available, up-to-date pricing, and tools that allow customers to evaluate their pricing, such as AWS’s Simple Monthly Calculator.
CSPs should provide customers with the tools to generate detailed and customizable billing reports to meet customer business and compliance needs, as well as tools to budget for cloud and predict spend.
Cloud customers should allow for evolving terms and conditions in order to benefit from new services and dynamic service enhancements. Static service terms that are found in traditional IT procurements (i.e., terms of use for a particular piece of procured hardware) remain constant because the hardware no longer belongs to the vendor. With cloud computing, the infrastructure evolves with cloud services as they are developed.
Continual innovation ensures that customers maintain “state of the art” IT infrastructure without having to make recapitalization investments.
AWS has launched more than 2200 new features and/or services since inception in 2006, and our growing pace of innovation is highlighted in the slide.
Create Centers of Excellence or PMOs: Cloud Centers of Excellence or Project Management Offices (PMOs) can institutionalize governance, compliance, and automation across government agencies. They make it easier to incorporate best practices and/or industry standards for cloud computing, while ensuring that mandated regulatory requirements are captured.
Utilize Cloud provider tools and features for billing, monitoring, access control, and best practices.
Automation is central to cloud governance. Build in automation so you can create and manage a collection of related resources - provisioning and updating them in an orderly and predictable fashion.
Again - create standardized, reusable environments that support certifications, accreditations, and compliance processes, that can be reused across the organization.
For example, the U.S. federal government has a published acquisition policy that favors the purchase of commercial items as opposed to items developed exclusively for government. This policy is designed to take full advantage of available and evolving technological innovations in the commercial sector, allowing commercial terms to be accepted by the government without extraneous provisions and contractual constraints. Refer to the U.S. federal government Federal Acquisition Regulation (FAR) Subpart 12.3—Solicitation Provisions and Contract Clauses for the Acquisition of Commercial Items and the Federal Acquisition Streamlining Act (FASA) at the following link: http://www.acquisition.gov/far/html/FARTOCP12.html
Recognizing that cloud is procured as a commercial item, acquisitions should leverage a Cloud Provider's established commercial best practices for data center operations.
By stating requirements in commercial cloud industry-standard terminology and by permitting the use of commercial practices, customers will have access to the most innovative and cost-effective solution options.
Terms or conditions that overlap or are duplicative of existing, overarching industry standards (for example, the U.S. federal government’s cloud-focused FedRAMP accreditation) should be removed.
Leverage Cloud Providers' commercial SLAs, i.e. uptime, durability, reliability etc.
Public Sector entities can terminate at any time – limiting vendor lock-in.
Here is a high-level overview of AWS’s services – if cloud procurement is done right, users will have access to all of the services they need in a transparent, efficient, and auditable manner.
Let’s analogize with a Starbucks gift card – you have a not-to-exceed amount to spend at the vendor, and can choose anything you like on the menu – with the vendor providing a bill detailing your exact spend. Should your anticipated usage add up to more than your not-to-exceed amount, you can top up the card based on your projected usage over a defined period of time.
If we consider the cornerstones of a cloud environment/migration as (1) Cloud Services (compute, storage, networking, etc.); (2) Professional/Managed Services; (3) Cloud Marketplace; (4) Cloud Support; and (5) Cloud Training, we can then think about how to effectively structure an acquisition. Simple and effective service categories include:
Cloud Services: In essence, the provisioning of a CSP account for a certain amount tied to a full menu or catalog of commercially-available CSP services. This provides customers with a wide array of services in addition to providing the proper level of fiscal constraints tied to budgetary mandates. For example:
Amazon EC2 – Computing; Range: X-Small to XX-Larger Services (with a Not-To-Exceed (NTE) amount, and language that outlines the process to implement NTE billing controls).
Professional/Managed Services: Services to help customers design, architect, build, migrate, and manage their workloads and applications in the cloud.
Cloud Support: Access to technical support engineers and experienced customer service professionals who help customers get the most from the products and features provided by a cloud provider.
Cloud Training: To enable customers to gain the skills, knowledge, and expertise to design, deploy, and manage applications on a cloud platform.
Cloud Marketplace: A forum for cloud customers seeking products from third party vendors to supplement their workloads and cloud requirements (for example, AWS Marketplace https://aws.amazon.com/marketplace). Such a Marketplace enables cloud customers to streamline the software procurement, licensing and configuration process, allowing software to be procured in minutes.
The table above displays an example of a single line item structure approach. In this example, each unit of the line item ‘1001 Cloud Services’ equates to $1.00 of cloud services ordered at a not-to-exceed amount. Each month, ordering increments are funded based on current and forecasted usage projections. As an example of how to demonstrate delivery and use of each Cloud Service unit in this sample structure, AWS enables its customers to generate detailed billing reports that break down costs by the hour, day, or month; by each account in an organization; by product or product resource; or by customer-defined tags.
From discussions between government and industry, it is clear that there is a need for on-demand ordering capabilities for cloud services.
An optimal cloud contract vehicle enables agencies to purchase the specific cloud services they want, when and how they need them.
Establish a contract that supports “non-specific ordering” and includes the entire range of services that exist today (with the ability to scale to meet a rapidly expanding range of services). Any unnecessary restrictions, such as change consent requirements, will limit a CSP’s ability to scale and limit a customer’s ability to take advantage of frequent innovative service changes.
Include the flexibility to allow cloud prices to fluctuate based on market pricing. This approach takes advantage of the dynamic and competitive nature of cloud pricing and supports innovation and price reductions.
Ensure that resellers pass through all Cloud Provider price reductions.
Consider cloud governance, such as tracking usage/consumption, and associated processes like instance tagging policies, monitoring, and building in automation.
Largest, most widely used acquisition vehicle in the federal government.