GCN : January and February 2017
GCN JANUARY/FEBRUARY 2017 • GCN.COM 21

transparency in tracking spending and contracting efficiency [because] the cloud accounts and operational services did not have to be transitioned concurrently with support contracts.”

FEDRAMP IS NOT A PANACEA

For agencies that must follow the Federal Cloud Computing Strategy, FedRAMP provides a centralized system to streamline the assessment, authorization and procurement of cloud services. However, it does not obviate the need for due diligence, including service-level agreements (SLAs).

For example, a September 2016 audit by the Government Publishing Office’s inspector general found that although GPO’s cloud provider was FedRAMP-approved, important problems persisted, specifically:

• “GPO policy did not include cloud computing and/or hosted service definitions, principles, rules and guidelines.”
• “Personnel did not follow configuration management policy during the transition to the Amazon Web Services.”
• “Contract language did not address hosted services.”

“Lack of appropriate contract language for data ownership established an increased risk,” the IG’s report states. “Such a risk could have allowed the cloud provider with unnecessary access to federal data.”

The audit also notes that GPO did not incorporate new Amazon Web Services instances into its existing configuration management database and procedures, an oversight that illustrates an important point: Every cloud migration must include process and administration integration and not treat the cloud as a one-off environment.

Although cloud services are notorious

10 guidelines for cloud SLAs

The Government Accountability Office recommends that agencies incorporate the following elements in all cloud computing service contracts and service-level agreements.

Roles and responsibilities

1. Specify roles and responsibilities of all parties covered by the SLA, and at a minimum, include agency and cloud providers.
2. Define key terms, such as dates, performance tests and metrics.

Performance measures

3. Define clear measures for performance by the cloud service, including which party is responsible for measuring performance. Typical measures include:
   a. Level of service (e.g., service availability: the duration the service is to be available to the agency).
   b. Capacity and capability of cloud service (e.g., maximum number of users who can access the cloud at one time and ability of the provider to expand services to more users).
   c. Response time (e.g., how quickly cloud service provider systems process a transaction entered by the customer or the response time for responding to service outages).
4. Specify how and when the agency has access to its own data, systems and networks. This includes how data and networks are to be managed and maintained throughout the duration of the SLA and transitioned back to the agency in case of exit or termination of service.
5. Specify the following service management requirements:
   a. How the cloud service provider will monitor performance and report results to the agency.
   b. When and how the agency, via an audit, is to confirm the performance of the cloud service provider.
6. Provide for disaster recovery and continuity-of-operations planning and testing, including how and when the cloud service provider is to report failures and outages to the agency as well as how the provider will remediate such situations and mitigate the risks of such problems from recurring.
7. Describe any applicable exception criteria when the cloud provider’s performance measures do not apply (e.g., during scheduled maintenance or updates).

Security

8. Specify metrics the cloud provider must achieve to show it is meeting the agency’s security performance requirements for protecting data (e.g., clearly define who has access to the data and the protections in place to protect the agency’s data).
9. Specify performance requirements and attributes defining how and when the cloud service provider is to notify the agency when security requirements are not being met (e.g., when there is a data breach).

Consequences

10. Specify a range of enforceable consequences, such as penalties, for noncompliance with SLA performance measures.
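The audit finding that matters most to a security engineer is the one about configuration management: AWS instances that were never entered into the CMDB are assets nobody owns, classifies or patches on schedule. The following script is an added example, not code from GCN, GAO or the GPO audit. It reconciles a cloud inventory (parsed from the JSON shape that `aws ec2 describe-instances` emits) against a CMDB export and reports instances missing from the CMDB, stale CMDB rows for instances that no longer exist, and registered instances whose ownership or data-classification fields are blank. The instance IDs, tags and CMDB rows are constructed sample data, and the CMDB field names (`owner`, `data_classification`) are assumptions about what a given agency's CMDB records carry.

```python
"""Reconcile a cloud instance inventory against a CMDB export.

Added illustration of the process-integration point in the article; the
sample data below is constructed and the CMDB field names are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class CloudInstance:
    instance_id: str
    region: str
    tags: dict = field(default_factory=dict)


@dataclass
class CmdbRecord:
    instance_id: str
    owner: str = ""                # assumed CMDB field
    data_classification: str = ""  # assumed CMDB field


# Fields a CMDB row must carry before the asset counts as "managed".
REQUIRED_CMDB_FIELDS = ("owner", "data_classification")


def instances_from_describe_output(doc):
    """Flatten the Reservations/Instances structure that
    `aws ec2 describe-instances` returns into CloudInstance objects."""
    found = []
    for reservation in doc.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            region = inst.get("Placement", {}).get("AvailabilityZone", "")
            found.append(CloudInstance(inst["InstanceId"], region, tags))
    return found


def reconcile(cloud_instances, cmdb_records):
    """Return {'unregistered': [...], 'stale': [...], 'incomplete': {...}}.

    unregistered: running in the cloud but absent from the CMDB
    stale:        in the CMDB but no longer running in the cloud
    incomplete:   in both, but required CMDB fields are blank
    """
    cloud_ids = {i.instance_id for i in cloud_instances}
    cmdb_by_id = {r.instance_id: r for r in cmdb_records}

    unregistered = sorted(cloud_ids - cmdb_by_id.keys())
    stale = sorted(cmdb_by_id.keys() - cloud_ids)
    incomplete = {}
    for iid in sorted(cloud_ids & cmdb_by_id.keys()):
        missing = [f for f in REQUIRED_CMDB_FIELDS if not getattr(cmdb_by_id[iid], f)]
        if missing:
            incomplete[iid] = missing
    return {"unregistered": unregistered, "stale": stale, "incomplete": incomplete}


# Constructed sample inventory in the describe-instances JSON shape.
SAMPLE_DESCRIBE_OUTPUT = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0a1", "Placement": {"AvailabilityZone": "us-east-1a"},
             "Tags": [{"Key": "Name", "Value": "web-1"}]},
            {"InstanceId": "i-0a2", "Placement": {"AvailabilityZone": "us-east-1b"},
             "Tags": [{"Key": "Name", "Value": "db-1"}]},
        ]},
        # Launched outside the change process: no tags, not in the CMDB.
        {"Instances": [
            {"InstanceId": "i-0a3", "Placement": {"AvailabilityZone": "us-west-2a"}},
        ]},
    ]
}

# Constructed CMDB export (one row is a terminated instance nobody removed).
SAMPLE_CMDB = [
    CmdbRecord("i-0a1", owner="web-team", data_classification="public"),
    CmdbRecord("i-0a2", owner="", data_classification="cui"),
    CmdbRecord("i-0ff", owner="legacy-team", data_classification="internal"),
]


def sample_report():
    """Run the reconciliation over the constructed sample data."""
    return reconcile(instances_from_describe_output(SAMPLE_DESCRIBE_OUTPUT), SAMPLE_CMDB)


if __name__ == "__main__":
    report = sample_report()
    for category, items in report.items():
        print(f"{category}: {items}")
```

In practice the `SAMPLE_DESCRIBE_OUTPUT` dict would be replaced by the real CLI output and the CMDB rows by an export from the agency's database; the three result categories map directly onto the audit's gaps, since an "unregistered" instance is exactly an asset that escaped configuration management policy, and a blank `owner` is the data-ownership gap the IG report calls out at the contract level.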