Cloud computing is a way to provide IT services through computer networks. With efficient execution, cloud-based services can allow agencies to pay only for IT services used and thus pay less for more services. An important element of cloud service acquisition is a service level agreement that defines, among other things, the services a cloud provider must perform and at what level. Key practices, if properly implemented, can help agencies ensure that services are delivered effectively, efficiently and safely. Under the leadership of the Office of Management and Budget (OMB), the guidelines given to agencies in February 2012 included seven of the ten key practices described in a report that could help agencies ensure the effectiveness of their cloud service contracts. Comments: The Office of Management and Budget (OMB) has taken steps to implement our recommendation. In particular, the OMB released its federal cloud computing strategy in June 2019, which contains key practices regarding the service level agreements we identified in our report with respect to defining roles and responsibilities for the Agency and the cloud service provider and defining clear performance metrics. In January 2020, OMB staff indicated that they had worked with the General Services Administration to identify best practices in service level agreements and that these guidelines had been made available to agencies to improve the Confederation`s acquisition of cloud-based technologies. These include the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 19086-1 on Information Technology – Cloud Computing – Service Level Agreement (SLA) Framework – Part 1: Overview and concepts containing the ten key practices mentioned in our report. ISO/IEC 19086-1, for example, provides guidelines for clear performance indicators regarding the availability and response time of the service; Integrating requirements for how the cloud service provider monitors performance and reports Agency results; and the indication of the metrics that the cloud provider must respect with respect to the protection of agency data.
The guidelines also identify the need for consequences in the event that the cloud provider does not meet the performance criteria. By providing agencies with guidelines covering all ten key practices for service level agreements, the OMB has helped agencies better measure the performance of the services they receive and, as a result, ensure the provision and effective implementation of the services for which they have contracted.