Making Cloud SLAs readily usable in the EU private sector
Cloud service level agreements in federal agencies
Federal and private sector guidance highlights the importance of federal agencies using a service level agreement (SLA) in a contract when acquiring information technology (IT) services through a cloud service provider. An SLA defines the level of service and performance expected from a provider, how that performance will be measured, and what enforcement mechanisms will be used to ensure the specified performance levels are achieved.
The U.S. Government Accountability Office (GAO) was tasked with examining federal agencies’ use of SLAs. It identified ten key practices to be included in an SLA, such as:
- identifying the roles and responsibilities of major stakeholders;
- defining performance objectives;
- specifying security metrics.
The key practices, if properly implemented, can help agencies ensure services are performed effectively, efficiently, and securely. Guidance issued to agencies in February 2012 under the direction of the Office of Management and Budget (OMB) included seven of the ten key practices described in GAO's report, practices that could help agencies ensure the effectiveness of their cloud services contracts.
The April 2016 report, "Agencies Need to Incorporate Key Practices to Ensure Effective Performance", provides details of GAO's findings and sets out recommendations. GAO determined that the five agencies and the 21 cloud service contracts it reviewed had included most of the ten key practices. Specifically, of the 21 cloud service contracts reviewed from the Departments of Defense, Health and Human Services, Homeland Security, Treasury, and Veterans Affairs, 7 had fulfilled all 10 of the key practices. Of the remainder, 13 contracts had incorporated 5 or more of the 10 key practices and 1 had not included any practices.
GAO recommends that OMB include all ten key practices in future guidance to agencies and that Defense, Health and Human Services, Homeland Security, Treasury, and Veterans Affairs implement SLA guidance and incorporate applicable key practices into their SLAs. In commenting on a draft of this report, OMB and one agency had no comment; the remaining four agencies concurred with GAO’s recommendations.