BEST PRACTICE GUIDE FOR CLOUD AND AS-A-SERVICE PROCUREMENTS Executive Summary 1 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data EXECUTIVE SUMMARY Breach Notification Personnel Security While private companies rapidly move systems and Vendors share blame, too. Lots of cloud providers are new to Encryption applications to the cloud, public agencies still struggle to adopt public sector business, having grown up selling to consumers Audits Operations hosted services that could save money and provide better value. and private firms. These companies don’t always understand Hybrid Cloud Environments legitimate demands that make government contracting Preparation for Migrating Yet states and localities have much to gain from the different from selling to other markets. Failure to accommodate Workloads to the Cloud technology industry’s “as-a-service” revolution. Many unique government requirements can be a deal-breaker for jurisdictions face huge legacy system replacement challenges. agencies charged with protecting the public’s interests. Conclusion They’re also under pressure to provide new classes of digital services. The cloud can offer a better path toward All too often, government and industry aren’t on the same page Workgroup Members modernization — there’s no hardware to buy, you’re always when it comes to cloud services. They may not even speak the and Contributors on the latest version of the software and system capacity same language. can be adjusted almost instantly based on your needs. Appendix 1 Bridging the Gap Model Terms and Conditions Templates So why is government lagging behind? The fact is that These pressures led us to release the first version of this guide Software-as-a-Service governments often struggle to buy cloud-based services because two years ago. Our mission was to build better understanding Platform-as-a-Service of the way they buy. Over a period of decades, agencies have between buyers and sellers — and ultimately help state and local Infrastructure-as-a-Service amassed complex sets of laws and practices that govern how governments take advantage of the best solutions the market has they spend public dollars. These purchasing processes support to offer. Our approach was straightforward: put some of the nation’s Appendix 2 worthy goals like protecting taxpayers, preventing corruption and most progressive state and local government jurisdictions in the SLA Metrics ensuring a level playing field for potential contractors. They also same room with some of the industry’s top cloud service providers promote policy objectives like encouraging participation of small to look for common ground. The result was a mutually acceptable Appendix 3 businesses or firms owned by women and minorities. package of definitions, contracting terms and related information Key Contact Information designed for the rapidly emerging as-a-service environment. The problem is that the rules were developed to buy physical Appendix 4 products — servers, networking gear, software packages Agencies across the nation continue to cope with Guiding Principles — not services like subscription-based email or remotely outdated purchasing policies addressed in the original hosted applications that are delivered via the internet. So version of this guide. But in the two years since the guide’s Appendix 5 even when agencies want to move toward modern cloud- initial release, government adoption of cloud services has Procurement Approaches based solutions, the process holds them back. Old rules expanded, creating new complexities around the growth clash with the new way of doing business, making it difficult of hybrid — part cloud, part on-premises — computing Appendix 6 or even impossible for cloud vendors to submit a bid. environments, as well as rapidly evolving security risks. Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 2 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security Our updated guide adds critical information about how This language offers a starting point for creating cloud Encryption agencies and vendors can work together to effectively purchasing contracts that work. Individual jurisdictions will Audits Operations manage hybrid cloud deployments. There’s also a collection need to customize the terms to fit their own needs, but Hybrid Cloud Environments of best practices for classifying and encrypting data, the groundwork is here to begin modernizing contracting Preparation for Migrating including methods for safeguarding information on mobile processes and adopting cloud-based solutions. Workloads to the Cloud devices. And we added extensive advice around how to approach security audits of cloud service providers. What Now? Conclusion The material presented on these pages supplies a backdrop Of course, we’ve retained and updated the resources and a foundation for change, but change won’t occur without Workgroup Members that made the first release of this guide so valuable. action. Quite simply, these recommendations are designed to and Contributors You’ll still find concise definitions for the three primary be adopted. If state and local governments want to enjoy the cloud service models — Software-as-a-Service (SaaS), benefits of cloud-based solutions, a wide array of leaders must Appendix 1 Platform-as-a-Service (PaaS) and Infrastructure-as-a- get involved. Modernizing the rules and oversight processes that Model Terms and Conditions Templates Service (IaaS) — and guiding principles to consider when prevent governments from moving to the cloud requires help from Software-as-a-Service evaluating these offerings. Most importantly, the guide policymakers, finance directors, auditors, procurement officers, Platform-as-a-Service includes detailed recommendations and actual model attorneys and ultimately elected officials. Infrastructure-as-a-Service contract language covering some of the most contentious issues for government buyers and cloud providers: We offer these suggestions for getting started: Appendix 2 • Ownership and proper handling of government data • Use the model terms and conditions in this guide to SLA Metrics in the cloud. frame new relationships with cloud service providers. • Procedures for handling security incidents and data • Make changes necessary to modernize and improve your Appendix 3 breach notification. procurement infrastructure and acquisition processes. Key Contact Information • Background checks, work rules and removal of • Develop new oversight processes that both protect the contractor personnel. public interest and enable the use of as-a-service solutions. Appendix 4 • Data encryption and other security requirements for Guiding Principles cloud contractors. State and local governments can’t ignore trends sweeping • Appropriate audits for ensuring contract compliance, society and the technology market. Cloud-based services are Appendix 5 security and financial practices. commercially proven, and they support a level of innovation Procurement Approaches • Business continuity, system uptime, change control and value that public agencies desperately need. It’s time for and other operational requirements. governments to embrace this change and benefit from it. Appendix 6 Glossary
Appendix 7 Clause Comparison Matrix © 2016 e.Republic. All Rights Reserved.
Endnotes • Executive Summary 3 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data INTRODUCTION Breach Notification Personnel Security This updated guide, like its predecessor, is the product of than the way traditional technology solutions are purchased. Encryption an ongoing discussion among government IT leaders and These emerging business models present challenges for Audits Operations cloud service providers. Representatives from 9 state and local traditional public procurement practices and the contracting Hybrid Cloud Environments agencies and 10 cloud service providers met throughout 2016 relationships used by many state and local governments. Preparation for Migrating to produce this latest version. They built on the original material Workloads to the Cloud developed in 2014 by a similar government/industry workgroup. The primary task for the workgroups involved in creating this guide was to come to substantial agreement on key pro Conclusion Extensive public/private collaboration is the key to helping visions that would lead to more timely and effective procure government agencies take full advantage of the cloud. To ment of cloud services. The terms and conditions (T&Cs) Workgroup Members understand the importance of this consensus among leaders, templates they developed offer state and local governments and Contributors one must first understand the initial challenge. The language an excellent starting point for XaaS contracts, while recog of technology procurement in government is rapidly and nizing that each procurement will likely have at least a few Appendix 1 profoundly changing, and that has created confusion and unique requirements that need to be further negotiated. Model Terms and Conditions Templates uncertainty in the market. New business models for delivering Software-as-a-Service IT services are becoming increasingly popular. “Anything The model T&Cs are intended to work with service Platform-as-a-Service as-a-Service” or “X-as-a-Service” (XaaS) are two names for models as defined by the National Institute of Standards and Infrastructure-as-a-Service cloud-based services delivered to customers over the Internet. Technology (NIST) (later in this document). Looking at each term through the specific service model lens can help public Appendix 2 The most common service models used in government today jurisdictions and service providers adopt the right T&Cs SLA Metrics are Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) for their XaaS contracts. A full understanding of the XaaS and Infrastructure-as-a-Service (IaaS), although other models architecture and the party’s respective responsibilities for Appendix 3 such as Communication-as-a-Service (CaaS) and Monitoring control and operation of the stack of software and hardware Key Contact Information as-a-Service (MaaS) are now available. The two most common is an essential first step to developing the appropriate T&Cs ways to pay for these types of services are to “pay as you go” and service level agreements. While many of the terms are the Appendix 4 or through a subscription model, which is radically different same across the three service models, one size does not fit all. Guiding Principles
Appendix 5 Procurement Approaches This guide has been a collaborative effort and contains the contributions and collective views of several authors representing various companies, governmental agencies or themselves. Each contributor is responsible for his/her own Appendix 6 views and opinions which may or may not be expressed in this guide. Such opinions are not necessarily those of e.Republic Glossary or of any of the other contributors. This guide contains general information only and should not be considered as professional advice or services of any nature, and it is not intended as a substitute for any such advice or services. Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 4 Introduction
Specific Models and Understanding Cloud Procurement SPECIFIC CLOUD MODELS AND Service Models Data UNDERSTANDING CLOUD PROCUREMENT Breach Notification Personnel Security In this model, as shown in Table 1, the service provider owns and Encryption Service Models operates all software and hardware needed to provide the service. Audits Operations Software-as-a-Service (SaaS) is “the capability provided Only limited controls are available to the public jurisdiction. The Hybrid Cloud Environments to the consumer to use the provider’s applications running model is suited for full-service applications accessed by end users Preparation for Migrating on a cloud infrastructure. The applications are accessible within an organization. It requires a minimal level of support by the Workloads to the Cloud from various client devices through a thin client interface jurisdiction. Applications range from email and collaboration tools such as a Web browser (e.g., Web-based email), or a to office productivity tools/suites to integrated ERP systems. Conclusion program interface. The consumer does not manage or control the underlying cloud infrastructure, including network, Platform-as-a-Service (PaaS) is “the capability provided to Workgroup Members servers, operating systems, storage or even individual the consumer to deploy onto the cloud infrastructure consumer- and Contributors application capabilities, with the possible exception of created or -acquired applications using programming languages limited user-specific application configuration settings.” and tools supported by the provider. This capability does not Appendix 1 Model Terms and Conditions Templates Software-as-a-Service 1 Platform-as-a-Service Table 1: SaaS Technology Stack Controls Infrastructure-as-a-Service
Service Provider Technology Stack Public Jurisdiction
5 5 Appendix 2 5 SLA Metrics Limited Admin Control
Administrative Control (e.g., mail)
Application User Level Control
5 Appendix 3 5 Key Contact Information
Total Control Middleware (e.g., java) No Control
5 Appendix 4 5 Guiding Principles
Total Control Operating System No Control
5 Appendix 5 5 Procurement Approaches Total Control Hardware No Control Appendix 6 Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 5 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security necessarily preclude the use of compatible programming to deploy and run arbitrary software, which can include operating Encryption languages, libraries, services and tools from other sources. systems and applications. The consumer does not manage or control Audits Operations The consumer does not manage or control the underlying cloud the underlying cloud infrastructure, but has control over operating Hybrid Cloud Environments infrastructure, including network, servers, operating systems systems, storage and deployed applications; and possibly limited Preparation for Migrating or storage, but has control over the deployed applications and control of select networking components (e.g., host firewalls).” Workloads to the Cloud possibly application hosting environment configurations.” The service provider maintains control over the hardware Conclusion With this service model, the public jurisdiction has complete and administrative control over the hypervisor that uses the control over its application software and program control over hardware to synthesize one or more virtual machines. The Workgroup Members middleware. The service is suited for public jurisdictions that want public jurisdiction maintains control over the operation of the and Contributors to use the PaaS provider’s tools to develop, deploy and administer guest operating system and all the software layers above it. In applications to its end-user customers. this model, the consumer may make requests to create and Appendix 1 manage new virtual machines. The public jurisdiction assumes Model Terms and Conditions Templates Infrastructure-as-a-Service (IaaS) is “the capability provided to the greatest operational control responsibility. This model is Software-as-a-Service the consumer to provision processing, storage, networks and other suited to a public jurisdiction where systems administrators Platform-as-a-Service fundamental computing resources where the consumer is able need quick access to virtual computing and storage capacity. Infrastructure-as-a-Service
Appendix 2 Table 2: PaaS Technology Stack Controls2 SLA Metrics
Service Provider Technology Stack Public Jurisdiction
5 5 Appendix 3 5 Key Contact Information
No Control Application (e.g., mail) Admin Control
5 5 Appendix 4 5 Guiding Principles
Admin Control Middleware (e.g., java) Program Control
5 5 Appendix 5 5 Procurement Approaches Total Control Operating System No Control Appendix 6 Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 6 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security Different Terms and Conditions leasing the infrastructure to the public jurisdiction, requiring the Encryption The service models do not all work the same way. As a result, public jurisdiction to be responsible for its own data protection, Audits Operations the three model T&Cs share many common clauses, but those encryption and reporting. Additionally, termination and Hybrid Cloud Environments dealing with operational responsibilities (e.g. data protection, suspension of service is managed differently for SaaS contracts Preparation for Migrating security incident or breach notification, breach responsibilities, than for PaaS and IaaS. SaaS contracts specifically require Workloads to the Cloud access to security logs and reports, and encryption of data at a service provider to maintain data for up to 10 days after a rest) vary. For example, a SaaS service provider is responsible for contract expires in accord with the termination timelines. Finally, Conclusion most of the technology stack and for these clauses. The service clauses dealing with compliance for application accessibility provider has more and broader responsibility for protecting data standards and requiring Web services are simply not applicable Workgroup Members and reporting. However, the IaaS service provider is essentially to IaaS contracts. and Contributors Table 3: IaaS Technology Stack Controls3 Appendix 1
Model Terms and Conditions Templates
Service Provider Technology Stack Public Jurisdiction
5 5 Software-as-a-Service 5 Platform-as-a-Service Infrastructure-as-a-Service
No Control Application (e.g., mail) Total Control
5 5 Appendix 2 5 SLA Metrics
No Control Middleware (e.g., java) Total Control
5 5 Appendix 3 5 Key Contact Information
No Control Guest Operating System Total Control
5 5 Appendix 4 5 Guiding Principles
Administrative Control Hypervisor Make Requests
5 5 Appendix 5 5 Procurement Approaches Total Control Hardware No Control Appendix 6 Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 7 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security to the data to use within the provider’s data center and Encryption Data then only for the intended purposes of the contract, Audits Operations Ownership of Data and prevents access to the data for any other purpose Hybrid Cloud Environments Governments have a fundamental responsibility to limit except as authorized by the jurisdiction in writing. Preparation for Migrating access to non-public information and to protect the integrity • Clause 3 Data Protection requires the service provider Workloads to the Cloud of their data. It is critical for a public jurisdiction and the to protect the confidentiality and integrity of a public service provider to affirm the jurisdiction’s ownership of jurisdiction’s data. It requires the service provider Conclusion its data and how it is to be managed. This is typically a to encrypt both personal data and non-public data. mandatory provision for public jurisdictions. Key public Non-public data is defined in Clause 1 Definitions to Workgroup Members jurisdiction concerns that should be addressed in a data cover all data deemed sensitive by the jurisdiction and Contributors ownership clause include: that requires some level of protection. This is typically • Public jurisdictions must protect the privacy of certain information that is exempt from public records Appendix 1 citizen information. To protect privacy, the public requests. Providers are prohibited from using the Model Terms and Conditions Templates jurisdiction must control and continuously own the data for any purpose not intended or authorized. This Software-as-a-Service data, including personally identifiable information (PII) includes copying, disclosing or otherwise using the Platform-as-a-Service and protected health information (PHI). Personal data data or any information collected under the contact Infrastructure-as-a-Service is defined in Clause 1 Definitions* to cover both PII for purposes not required as part of the services under and PHI. Regardless of the type of service selected to the contract or authorized by the government. Appendix 2 process and manage the data, the public jurisdiction still SLA Metrics has a duty as owner to comply with state and federal laws requiring protection of PII and PHI. Protection of Governments have a fundamental responsibility Appendix 3 data in a XaaS contract is often a shared responsibility. to limit access to non-public information and to Key Contact Information Specific roles and responsibilities should be clearly protect the integrity of their data. identified within the service level agreement (SLA). Appendix 4 • Data must not be accessed for any purposes except Guiding Principles those authorized by the public jurisdiction. Establishing • The treatment of data, including treatment of sensitive ownership and prohibiting the provider from accessing data, is a key cost factor for service providers. Unique data Appendix 5 the data or user accounts for any purpose not authorized requirements create both constraints and costs. To manage Procurement Approaches by the government limits access to the minimum level costs and constraints, a thorough understanding of the data needed to perform the services of the contact. Clause 2 controlled and managed by the XaaS provider is essential Appendix 6 Data Ownership affirms data ownership, restricts access for both the public jurisdiction and the service provider. Glossary
Appendix 7 Clause Comparison Matrix * Clauses can be found in Appendix 1.
Endnotes • Executive Summary 8 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security • Public jurisdictions can protect the security and • Provide services only from data centers located within Encryption integrity of data through encryption. Depending on the the United States Audits Operations type of service received under the contract, identity • Prevent employees or subcontractors from storing Hybrid Cloud Environments access management and encryption could be a public public jurisdiction data on portable devices except Preparation for Migrating jurisdiction responsibility, provider responsibility or a joint as used in data centers within the United States Workloads to the Cloud responsibility. The SLA must include a clear delineation • Permits use of “Follow-the-Sun” technical support of responsibilities based on the nature of the relationship. concept when needed for 24/7 end-user support Conclusion Data Protection Clause 3 makes it the service provider’s responsibility to encrypt and otherwise protect personal Workgroup Members data and non-public data for SaaS. However, in an Public jurisdictions want services provided from and Contributors IaaS model, the public jurisdiction is responsible for and their data maintained in data centers located encryption and protection of its data. It is critical that within the United States. Data and services Appendix 1 the public jurisdiction understand the integration of data provided outside the United States are subject Model Terms and Conditions Templates architectures between its on-premises systems and those to the laws of the country where the data is Software-as-a-Service of the service providers’, the roles and responsibilities for physically stored. Platform-as-a-Service software and system control, and data flow. Each party Infrastructure-as-a-Service may have responsibilities that cannot be performed by the other. These must be understood and identified in the Import and Export of Data Appendix 2 SLA and contract. NIST provides an excellent reference Public cloud XaaS models are attractive to public SLA Metrics framework in its Cloud Computing Architecture. jurisdictions in part because they allow rapid provisioning of applications using public jurisdictions’ data. This may Appendix 3 Location of Data mean moving data and applications between service Key Contact Information Public jurisdictions want services provided from providers. As cloud-driven service models proliferate, it and their data maintained in data centers located within will be important for government agencies to be prepared Appendix 4 the United States. Data and services provided outside for smooth disengagement and reengagement between Guiding Principles the United States are subject to the laws of the country service providers. where the data is physically stored. By requiring services Appendix 5 to be provided from data centers within the United States, Clause 16 Import and Export of Data affirms the public Procurement Approaches public jurisdictions are certain about laws impacting jurisdiction’s ability to import and/or export its data in their data. Clause 4 Data Location requires the service whole or in part at the public jurisdiction’s sole discretion Appendix 6 provider to: with the cooperation of the service provider. Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 9 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security • Adopting requirements for notice Encryption Breach Notification • Creating exemptions and safe harbors Audits Operations Security Incident and Breach Notification • Clarifying preemptions and relationships to federal laws 6 Hybrid Cloud Environments All public jurisdictions are critically concerned about • Creating penalties, enforcement authorities and remedies Preparation for Migrating protecting PII and other sensitive data. In the event of an Workloads to the Cloud incident, a public jurisdiction must take action both internally In addition to state laws covering PII, there are federal laws and through service providers to monitor and investigate. Of to protect health information. Under the Health Insurance Conclusion course, not all incidents result in a security breach. Prompt Portability and Accountability Act of 1996 (HIPAA), covered notice of an incident gives an agency more time to take any entities holding protected health information (PHI) must Workgroup Members actions needed to address the incident. It also allows the comply with privacy rules, including the HIPAA Breach and Contributors agency to understand what appropriate actions the service Notification Rule, 45 CFR 164.400. provider is taking to protect personal data and non-public data. Appendix 1 Security policies adopted by state and local governments Model Terms and Conditions Templates Forty-seven states have laws that govern actions in the guide the security of the technology systems they operate. Software-as-a-Service event of a security breach of personal information.4 NIST These policies also guide compliance with state and Platform-as-a-Service defines PII as, “any information about an individual maintained federal laws. When entering into a contract with an XaaS Infrastructure-as-a-Service by an agency, including (1) any information that can be used provider, it is important to understand and apply the to distinguish or trace an individual‘s identity, such as name, elements of the policy that are applicable to the service Appendix 2 Social Security number, date and place of birth, mother‘s model that will be under contract. Not all policies will SLA Metrics maiden name or biometric records; and (2) any other make sense or should be applied, but the requirements information that is linked or linkable to an individual, such as set by law must be addressed. Appendix 3 medical, educational, financial and employment information.”5 Key Contact Information Service providers that have contracts with entities A Congressional Research Service report described state covered under HIPAA and Health Information Technology Appendix 4 security breach notification laws as generally following a similar for Economic and Clinical Health (HITECH) typically have Guiding Principles framework and characterized by similar elements, including: security procedures in place to protect PII and PHI data. Their • Identifying who must comply with the law breach notification procedures must be designed to comply Appendix 5 • Defining the terms “personal information” and “breach with these federal requirements. Procurement Approaches of security” • Establishing elements of harm that must occur, if any, To effectively protect personal data, the service provider Appendix 6 for notice to be triggered and public jurisdiction must understand what constitutes Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 10 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security a breach. Contract terms must align with state laws to incident to the designated contact person. A public jurisdiction Encryption require service providers to detect data breaches and notify must clarify what is meant by “immediately” and outline other Audits Operations the public jurisdiction in a way that enables the public reporting requirements in the SLA. Hybrid Cloud Environments jurisdiction to comply with its obligations under law. Preparation for Migrating Breach Responsibilities Workloads to the Cloud Prompt notice of an incident gives an agency Often one of the most difficult contract terms to define and more time to take any actions needed to agree on is the liability the service provider agrees to assume. Conclusion address the incident. It also allows the agency It is very hard for either party in a contract to define the risk to understand what appropriate actions the and the potential cost involved if there is a situation where the Workgroup Members service provider is taking to protect personal clause is triggered. and Contributors data and non-public data. Service providers not only have a fiduciary duty to Appendix 1 shareholders, but also have legal reporting requirements Model Terms and Conditions Templates Clause 5 Security Incident or Data Breach Notification under Sarbanes-Oxley (SOX). Under section 302 of SOX, Software-as-a-Service requires a service provider to notify the public jurisdiction of service provider management is required to have systems in Platform-as-a-Service a data breach. Data breach is defined in Clause 1 Definitions place to identify material information that must be disclosed Infrastructure-as-a-Service as the unauthorized access by non-authorized person/s that to investors and other third parties who rely on financial results in the use, disclosure or theft of a public jurisdiction’s statements of publically traded companies.7 This makes it Appendix 2 unencrypted personal data. Personal data is defined to difficult for a service provider to agree to unlimited liability in SLA Metrics include PII or PHI, but the clause allows for individual state a contract of significant size. When a service provider cannot definitions to take precedence over any other definition of quantify its potential liabilities, it makes it very difficult to Appendix 3 PII. Data breach notification requires the service provider enter into an agreement. Key Contact Information to notify the appropriate designated contact person by telephone within 24 hours of the time the service provider The issue of unlimited liability has been addressed in Appendix 4 has actual knowledge of a confirmed data breach of personal more traditional IT contracts in some states by creating Guiding Principles data, unless applicable law requires a faster notification. a liability cap calculated as a multiplier of the total contract value (i.e. 2X contract value). Clause 6 Breach Appendix 5 Non-public data typically does not have the same legal Responsibilities uses a similar method to create a known Procurement Approaches requirements for reporting as PII. A potential loss, theft or amount for which the service provider is liable if the unauthorized access to unencrypted non-public data or provider is the cause of a breach. The cap amount must Appendix 6 personal data must be reported immediately as a security be sufficient to cover all costs needed to address a breach. Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 11 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security It creates a definitive amount that is understood by both Legal Requests Encryption parties. This answers the service provider’s question of Public jurisdictions must be aware of legal requests that Audits Operations what is the quantifiable exposure if a data breach occurs. might require access to their data. As data owners, any Hybrid Cloud Environments It also answers the question of what the public jurisdiction request for access to the data should come to them. Most Preparation for Migrating will receive in the event of a breach. The approach seems to public information is available upon request, however, Workloads to the Cloud be a fair and reasonable way to apportion risk and mitigate public jurisdictions are subject to specific state and local damages in the event of a breach. rules and laws governing the protection of the public’s data Conclusion • The liability for a data breach caused by the service that vary from place to place. If the public jurisdiction is a provider recommendation in Clause 6 Breach party to legal proceedings, any request for legal information Workgroup Members Responsibilities is based on studies conducted must appropriately come to the public jurisdiction. and Contributors annually by the Ponemon Institute. In its most recent 2014 Cost of Data Breach study, the global average Appendix 1 cost paid in 2013 for each lost or stolen record on a Public jurisdictions must be aware of legal Model Terms and Conditions Templates per-person basis in the United States was $201 per requests that might require access to their data. Software-as-a-Service record.8 The Ponemon samples do not specifically As data owners, any request for access to the Platform-as-a-Service benchmark public sector data breaches in the data should come to them. Infrastructure-as-a-Service United States, but they provide a place to start when seeking to quantify data breach mitigation costs. Appendix 2 • Clause 6 Breach Responsibilities requires the service Clause 7 Notification of Legal Requests protects the public SLA Metrics provider to pay the cost of the breach investigation, jurisdiction by requiring that the service provider contact the resolution, notification, credit monitoring and call public jurisdiction when it receives a request for electronic Appendix 3 centers support up to a set amount per record/per discovery, a litigation hold, a discovery search or an expert Key Contact Information person, if the service provider is responsible for the data witnesses request related specifically to public jurisdiction breach. The service provider will take corrective action data stored by the service provider under the contract. It Appendix 4 to mitigate the breach based on a root cause analysis. further restricts the service provider from responding to Guiding Principles • Finally, public jurisdictions must pay attention to the last subpoenas, service of process and other legal requests without sentence of Clause 6 Breach Responsibilities. It limits notifying the public jurisdiction, unless prohibited by law. Appendix 5 service providers’ collective obligations and liabilities by Procurement Approaches limiting them to all corrective actions, “… as reasonably Termination and Suspension determined by service provider based on root cause Any service contract must be clear about how it can Appendix 6 … subject to this contract’s limitation of liability.” be terminated. With XaaS contracts, there is more to Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 12 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security consider than just a cessation of services and accounting the public jurisdiction with appropriate certifications to Encryption for final billings. With XaaS contracts, public jurisdictions document the disposal. Certifications protect both parties Audits Operations must be sure they receive their data in an agreeable by documenting the method and date of destruction. Hybrid Cloud Environments format that enables them to move the data to another • Since a suspended service may be reinstated, an Preparation for Migrating provider or to their own on-premises solution. understanding of how the data will be preserved is Workloads to the Cloud • Depending on the nature of the service received and the important. If the service is reinstated, the data will circumstances under which the services are terminated, be used. If the contract is not reinstated, it will be Conclusion there are timing concerns for the transfer of data. Providers terminated and disposal of data would follow the want to dispose of data as quickly as possible since its prescribed steps specified under contract termination. Workgroup Members continued storage is a cost to the service provider. A and Contributors public jurisdiction will expect a service provider to securely The amount of time the service provider must dispose of data immediately after data is transferred to a continue to store and make the data accessible Appendix 1 new provider or the public jurisdiction’s own on-premises to the jurisdiction largely depends on the Model Terms and Conditions Templates solution. The contract terms and conditions need to reflect circumstance of the termination. Software-as-a-Service reasonable timelines, acceptable to both the jurisdiction Platform-as-a-Service and the provider, for the retention and disposal of the data. Infrastructure-as-a-Service • The amount of time the service provider must continue • Clause 8 Termination and Suspension of Service addresses to store and make the data accessible to the jurisdiction these issues by requiring the service provider to return Appendix 2 largely depends on the circumstance of the termination. all public jurisdiction data in an orderly and agreed upon SLA Metrics Contracts that reach their natural expiration point format. The specific service model can make a difference have a known termination date so the issue should in the data transfer and disposal protocols. As a result, Appendix 3 not be a surprise to either party. In this case, the the specific time periods are different for the SaaS clause Key Contact Information period that the provider must wait to dispose of the than for the PaaS and IaaS clauses. Each clause sets out data is the shortest. Contracts that are terminated specific time periods in which the service provider must Appendix 4 for convenience or for cause, however, come with continue to maintain the data. The service provider agrees Guiding Principles less opportunity to plan and should provide public to provide any post-termination assistance that it generally jurisdictions with a longer window prior to data disposal. makes available to other clients, unless the parties agree Appendix 5 • Typically disposal should consist of destruction of all to a specific and unique procedure in the SLA. The service Procurement Approaches files and data in all forms, in accordance with NIST- provider agrees to destroy all data when requested by approved standards, to prevent any further use or misuse the public jurisdiction in accordance with NIST-approved Appendix 6 of the information. The service provider should provide methods and provide a certificate of destruction. Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 13 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security A prudent practice in contracting for services Encryption Personnel Audits is to make sure the service provider’s team Operations Background Checks of Personnel has a background that is free of dishonesty, Hybrid Cloud Environments One of the biggest threats to data security can be internal. fraud or other offenses that could jeopardize Preparation for Migrating Public jurisdictions have a duty to protect their data no matter the security of data. Workloads to the Cloud where it is and who is handling it. A prudent practice in contracting for services is to make sure the service provider’s Conclusion team has a background that is free of dishonesty, fraud or of job duties and limit staff knowledge of customer other offenses that could jeopardize the security of data. data to staff that absolutely need the knowledge to Workgroup Members perform their job duties. Commercially reasonable and Contributors Clause 9 Background Checks requires the service non-disclosure agreements are required of the provider to conduct criminal background checks on its service provider for their staff handling this data. Appendix 1 employees and subcontractors. Service providers are Model Terms and Conditions Templates prevented from utilizing staff that fail the background Right to Remove Personnel Software-as-a-Service check. The clause further makes it a duty of the service An effective working relationship between the service Platform-as-a-Service provider to promote and maintain the awareness and provider and the public jurisdiction is critical to the Infrastructure-as-a-Service importance of securing the public jurisdiction’s information. success of a service relationship. The public jurisdiction can ensure the working relationship remains positive Appendix 2 Separation of Duties and Non-Disclosure and productive by maintaining the right to require SLA Metrics One way that public jurisdictions help protect their the service provider to remove any service provider data and information is to limit the number of staff with representative who is detrimental to that relationship. Appendix 3 access to their data. With sensitive and PII data, reducing This ability can also provide recourse to the public Key Contact Information the exposure of the information to others reduces the jurisdiction when a service provider representative risk of breach and loss of privacy. Service providers with compromises the security of the jurisdiction’s data. Appendix 4 a wide variety of clients are sensitive to this concern Guiding Principles and typically have procedures in place to limit the Clause 19 Right to Remove Individuals establishes knowledge of customer data to essential staff, as well the right of public jurisdictions to require the removal of Appendix 5 as require staff to sign non-disclosure agreements. service provider representatives and sets out conditions Procurement Approaches for their removal. A representative can be staff or Clause 15 Non-Disclosure and Separation of Duties subcontractor personnel. In the event of a potential Appendix 6 requires the service provider to enforce separation security violation, the removal must be immediate. Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 14 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security data has been lost or compromised. For a public cloud Encryption Security service provider, sharing technical information such as Audits Operations A public jurisdiction is obligated to protect the integrity security logs creates vulnerabilities for the provider. Hybrid Cloud Environments and security of the public’s data. To uphold the public’s Service providers believe their unique reports would Preparation for Migrating trust, a public jurisdiction entering into XaaS contracts must be difficult for public jurisdictions to decipher in any Workloads to the Cloud perform due diligence on the service provider and their meaningful way. To address this issue, service providers second-tier subcontractors, including determining whether typically are willing to pledge their cooperation to Conclusion the service provider has sufficient and adequate security assist a customer in the event of an incident. processes in place to protect and safeguard the data. Workgroup Members Public jurisdictions need meaningful and relevant reports, and Contributors Any assessment should include a review of the service provider’s statistics, access information and security log information technical security procedures to ensure security is commensurate to understand vulnerabilities and threats to their data and Appendix 1 with the level of data classification to be stored and managed by systems when linked to the service provider. Service providers Model Terms and Conditions Templates the provider. To obtain a complete assessment of the security chain, must share access information with their clients to assist Software-as-a-Service the service provider and the jurisdiction must understand their roles them in assessing their vulnerabilities and responding to Platform-as-a-Service and responsibility for data security. A framework for assessment threats and attacks. At the same time, service providers have Infrastructure-as-a-Service can be found in ISO 27001. Although not a requirement, FedRAMP a duty to all their clients to not disclose information that certified service providers can make the due diligence of security creates vulnerabilities. From a business model perspective, the Appendix 2 assessments much easier. Another third-party security report from service provider cannot create expensive and unique services SLA Metrics the service provider that includes independently audited AICPA that aren’t included in the SLA, or in the case of public cloud Service Organization Control (SOC) 2 report can also support offerings, consistent with the general service offering. Clear Appendix 3 security due diligence requirements. expectations and responsibilities must be spelled out and Key Contact Information agreed to in the SLA. Clause 14 Security requires the service provider to disclose Appendix 4 its non-proprietary security process and any technical Clause 10 Access to Security Logs and Reports Guiding Principles limitations. It requires a joint understanding of respective roles requires the service provider to provide reports that and responsibilities by each party. include latency statistics, user access IP addresses, user Appendix 5 access history and security logs for the data covered Procurement Approaches Security Logs and Reports under the contract. The clause requires the format for the Security officers in public jurisdictions use security reports to be specified to and agreed upon by both parties Appendix 6 logs when investigating an incident to determine if in the SLA. Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 15 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security public jurisdiction. Service providers typically encrypt data in Encryption Encryption transit and at rest within their network. It is important that the Audits Operations Encryption of Data at Rest (Mobile Devices) jurisdiction understands the level of encryption required and Hybrid Cloud Environments Some of the most notorious public data breaches involve affirms that it is the appropriate level for the classification of Preparation for Migrating data at rest. Data at rest typically refers to any data that is not its data. Workloads to the Cloud transiting through a network via email, wireless transmission or other electronic interchange. It is data that resides in a Clause 23 Encryption of Data at Rest requires the service Conclusion database, file system, hard drive, portable storage device, provider to prevent its employees and subcontractors from memory or any other structured storage method. Data at rest, storing personal data on portable devices, except within data Workgroup Members particularly in mobile devices (flash drives, laptops, tablets, centers located in the United States. If personal data must be and Contributors etc.), is highly vulnerable to theft or loss. Data at rest in file stored on portable devices to accomplish the work, the service servers and other structured data management systems is provider must use hard drive encryption in accordance with Appendix 1 also at risk of attack. cryptography standards referenced in FIPS 140-2, Security Model Terms and Conditions Templates Requirements for Cryptographic Modules.10 Software-as-a-Service Jurisdictions that classify their information and data can Platform-as-a-Service select the appropriate level of protection based on that data Tips and Best Practices for Encryption in the Cloud Infrastructure-as-a-Service classification. Data that contains personally identifiable Knowing your data is protected in the cloud can go a long information (PII) is critical to protect and typically has way toward relieving the reluctance, anxiety and uncertainty Appendix 2 the highest data classification level. Public data is at the for governments wanting to move applications and data to SLA Metrics lower end of the classification scale. It is available to the the cloud. Using cloud encryption can also help alleviate public upon request and is often readily available on the some of the fears of storing your data in the cloud. Knowing Appendix 3 public jurisdiction’s portal. Since it has the lowest level of what data needs to be encrypted; which mandates or Key Contact Information classification, it may not require special security treatment. regulations apply; what encryption techniques to use; and Non-public data is sensitive information that is typically who owns, stores and has access to the encryption keys Appendix 4 classified in the middle. can help make your journey to the cloud a safe one. End Guiding Principles to-end encryption has been clearly highlighted as critical to The primary security controls for restricting access to protecting corporate data, for any corporate environment Appendix 5 sensitive data such as PII and non-public data stored on end- and for those back office applications moving to the cloud. Procurement Approaches user devices are encryption and authentication.9 The specific It is critical for protecting data on devices, and against level of protection or strength of encryption depends on the insider and advanced threats. Encryption is now easy to Appendix 6 sensitivity of the data and the classification level set by the deploy, use and manage, and is available for everyone. Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 16 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security • Encrypt only what you need to or what is required › Other confidential information — Data classified Encryption It is important to only encrypt what you need to or what or protected by regulations, mandates, etc. Audits Operations is required to encrypt by law, regulation or mandate. Some Hybrid Cloud Environments data may be public information and likely does not need • Conduct a security review before moving to the cloud Preparation for Migrating to be encrypted. For this reason, classifying data before Before moving any applications and data to the cloud, all Workloads to the Cloud moving it to the cloud is extremely important. Lastly, information should undergo a security review and require only store data you need to store and purge old data. signoff from the data owner. Conclusion It is important to only encrypt only what you Data governance and classification are critical to the successful Workgroup Members need to or what is required to encrypt by law, movement of data from an internal data center to a cloud provider. and Contributors regulation or mandate. Some data may be If you do not know what you have, you cannot apply the appropriate public information and likely does not need to protections to sensitive data. Identify each data owner and have Appendix 1 be encrypted. them designate data as public, sensitive or internal only. Also, know Model Terms and Conditions Templates that special types of data (HIPAA, PCI and CJIS) have mandates Software-as-a-Service • Consider special data encryption conditions that describe how data may be used and protected. After it has been Platform-as-a-Service In some cases, encryption standards are dictated classified, decide which components of data will be moved to the Infrastructure-as-a-Service by the type of data being stored, in transit or in use. cloud and what protections are required.
Appendix 2 Some special encryption conditions and Other standard security practices also apply to encryption SLA Metrics considerations include: including, but not limited to SLAs, defined policies, procedures, › IRS 1075 — For using and storing income tax data practices, where data is located (continental United States), Appendix 3 › Payment Card Industry (PCI) — For using background checks, security measures deployed, audits, etc. It Key Contact Information and storing credit cardholder data is important to “trust but verify.” › Criminal Justice Information System (CJIS) — Appendix 4 A division of the United States Federal Bureau • Know where your sensitive data resides — Guiding Principles of Investigation (FBI) that establishes minimum at rest, in transit or in use security requirements to protect and secure If you do not know what kind of data you have and Appendix 5 various types of criminal justice information where that data is located, you cannot protect it. Procurement Approaches › Health Insurance Portability and Accountability › Data at Rest Act of 1996 (HIPAA) — Data privacy and security It seems like a simple concept, but at any given time Appendix 6 provisions for safeguarding medical information your structured and unstructured data may be stored Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 17 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security or archived in a database, storage media, file server, practice is for the keys to encrypted data to remain Encryption application server, network, etc. Encrypting where with the owners of the data. Keeping the encrypted Audits Operations your data resides is often referred to encrypting data keys with the data owner is an important safeguard and Hybrid Cloud Environments at rest. Define where your data is located and what helps alleviate the owner’s fear of storing and protecting Preparation for Migrating data your organization needs to encrypt at rest. data in the cloud. Options for vendor managed keys Workloads to the Cloud › Data in Transit could include key escrow, key storage, controls, etc. Data doesn’t just sit still. When encrypting data, Conclusion you also need to be concerned about data in transit. Educate your organization on protecting your Data is often in transit from server to server or one credentials, otherwise all the encryption in the world Workgroup Members location to another. How is your data being encrypted won’t prevent your data from being compromised. and Contributors in transit across your network and servers? › Data in Use Appendix 1 Most of the time, data is in use by applications. • Don’t forget the human factor Model Terms and Conditions Templates Data may be processed, modified, deleted, updated Often it is easier for hackers or cyber criminals to go Software-as-a-Service or viewed through a server or end-user device at any after your credentials rather than trying to compromise Platform-as-a-Service time in the process. Where is your data in use and the encryption. Educate your organization on protecting Infrastructure-as-a-Service how is it being encrypted? your credentials, otherwise all the encryption in the world won’t prevent your data from being compromised. Appendix 2 • Encrypt to the strictest regulations SLA Metrics required to protect your data • Get help if you need it A common standard for encryption is the 256-bit Make sure your data is encrypted properly in the Appendix 3 Advanced Encryption Standard (AES). 256-bit AES cloud and get help if you need it. Data encryption Key Contact Information encryption seems to be a viable encryption method offered is a very important aspect of protecting your data by all major vendors and with little performance constraints. in the cloud. Don’t be afraid to ask for help from Appendix 4 Data sets that only encrypt partial sensitive data run the your vendors and other security professionals. Guiding Principles risk of leaving sensitive data unencrypted. Therefore, the recommendation is to encrypt the entire data set. Appendix 5 Other Resources and Useful External Links Procurement Approaches • Identify who manages and stores encryption keys NIST — http://csrc.nist.gov/publications/PubsSPs.html It is important to decide whether encryption keys FBI CJIS — https://www.fbi.gov/services/cjis Appendix 6 will be managed by you or a vendor. A common best IRS 1075 — www.irs.gov/pub/irs-pdf/p1075.pdf Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 18 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security Who is responsible for protecting your data when it is moved to the cloud? Encryption Audits Cloud Provider Secures the Cloud Customers Secure Assets in the Cloud Operations Hybrid Cloud Environments Preparation for Migrating Where? What needs to be protected? Who’s responsible? Workloads to the Cloud Customer Data Conclusion Platform, Applications, Identity & Access Management Workgroup Members and Contributors Operating System, Network & Firewall Configuration Customer Appendix 1 Workloads Model Terms and Conditions Templates Client Side Data Encryption & Server Side Encryption Network Traffic Protection - Software-as-a-Service Data Integrity Authentication (File System/and/or Data) Encryption, Integrity, Identify Platform-as-a-Service Infrastructure-as-a-Service
Where? What needs to be protected? Who’s responsible? Appendix 2 SLA Metrics Compute Storage Database Networking
Appendix 3 Key Contact Information
Cloud Global Regions Edge Cloud Provider Provider Appendix 4 Infrastructure Availability Zones Locations Guiding Principles Infrastructure
Appendix 5 Procurement Approaches
Appendix 6 Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 19 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security potential security threats to the objectives should be Encryption Audits assessed. Risks should be prioritized according to severity Audits Operations The services delivered to the public through contracts require and likelihood. Prioritized risks should then be removed, Hybrid Cloud Environments appropriate management and oversight to ensure the public’s controlled or accepted. The resulting set of risk-based Preparation for Migrating interests are served. In addition to the normal oversight and controls can then serve as the template for the controls Workloads to the Cloud contract management, independent security audits are needed expected of the service provider. The NIST Cybersecurity to confirm the public’s interests are protected. With XaaS-based Framework is a commonly used, straightforward tool Conclusion service contracts, audits typically cover the following key areas: that can be used for undertaking and communicating • Contract Compliance — Is the public jurisdiction getting this assessment of necessary security controls. Workgroup Members what is required by the contract? This is usually limited and Contributors to determining if the parties to a contract are meeting A rapidly expanding range of proven service models that their obligations under the contract and identifying offer great opportunities and benefits are available to state Appendix 1 any gaps in the performance of the contract. Contracts and local governments.11 Service providers can offer their Model Terms and Conditions Templates with clear performance expectations simplify audits. catalog of services at a value point for their customers due Software-as-a-Service • Financial —Are the payments consistent with the terms to a high degree of standardization and the benefits of taking Platform-as-a-Service of the contract? When the contracted service supports their business model to scale. Cloud service providers have Infrastructure-as-a-Service financial reporting, the audits may examine the integrity described it as “one line of code for many.” of the information and data upon which reports depend. Appendix 2 • Security — Are appropriate security measures and SLA Metrics Cloud service models are causing a major shift in protections in place to protect the data from unauthorized how public jurisdictions ensure security controls access and to keep it private and confidential? Appendix 3 protect the public’s interest. Key Contact Information Cloud service models are causing a major shift in how public jurisdictions ensure security controls protect the To economically meet the audit needs of their many Appendix 4 public’s interest. Jurisdictions must understand how utilizing customers, service providers typically will contract with an Guiding Principles XaaS impacts their risk by understanding their vendor’s independent audit firm to perform a SOC 2 audit. The Service security controls. Organization Controls (SOC) 2 report was established Appendix 5 by the leading standards organization for accountants, Procurement Approaches To assess and manage overall risk, effective use of XaaS the American Institute of Certified Public Accountants based contracts should start with a clear understanding (AICPA). Its purpose is to enable data security and other Appendix 6 of the public jurisdiction’s business objectives. Next, trust principles to be reviewed and verified by the same Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 20 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security independent accounting and auditing firms trusted by in the SOC 2 must be carefully examined to determine if Encryption clients to vouch for the financial integrity of companies. the security controls meet the jurisdiction’s requirements. Audits Operations The AICPA Web page introducing SOC 2 reports for This involves mapping the security controls required by Hybrid Cloud Environments relying entities is at www.aicpa.org/InterestAreas/FRC/ the jurisdiction to those detailed in the SOC 2 report. Preparation for Migrating AssuranceAdvisoryServices/Pages/Users.aspx. Included on the page is a link to ISACA’s helpful “SOC 2 User Guide.” Workloads to the Cloud Audits are often viewed as a safeguard that permits independent parties to determine if Conclusion A SOC 2 report may include review of up to five different trust principles that the vendor provides to its customers, service providers and public jurisdictions are including security, availability, confidentiality, privacy and meeting contractual requirements. Early Workgroup Members detection of risks can help shore up a contract and Contributors processing integrity. Generally, security and availability are included for any IaaS, PaaS and SaaS provider. Processing and put it back on track, but are not a substitute for good planning and contract management. Appendix 1 integrity may apply for PaaS or SaaS providers. The Model Terms and Conditions Templates confidentiality and privacy trust principles would potentially Software-as-a-Service apply to SaaS vendors. SaaS vendors that in turn rely on SOC 2 reports are designated for use by an audience Platform-as-a-Service PaaS or IaaS vendors may need to refer jurisdictions to the limited to the vendor and its current and potential Infrastructure-as-a-Service SOC 2 of their underlying PaaS or IaaS vendor. Providers are customers who understand its service and potential risks generally not allowed to share a SOC 2 of another vendor. at providing that service. They are not posted publicly. Appendix 2 A unilateral non-disclosure agreement will generally SLA Metrics A SOC 2 report includes a statement of the controls in place be required before a SOC 2 report is provided. to meet the covered trust principles along with an opinion of Appendix 3 their suitability by the audit firm. The auditor is guided by the SOC 2 reports come in two types. Type 2 includes an Key Contact Information AICPA with a set of criteria to use in evaluating controls and is evaluation of how well controls are operating. The auditor will not required to look for any specific set of security controls. The gather evidence from records and interviews on how well the Appendix 4 auditor is evaluating the controls with reference to the service controls have been followed by the vendor over a recent 6- or Guiding Principles provider’s information security goals and risk management. 12-month time period. This is in addition to an evaluation of the suitability of the defined controls defined for supporting Appendix 5 The vendor’s information security goals — which are the covered trust principles. In contrast, a Type 1 report only Procurement Approaches documented in the SOC 2 report — must be compared evaluates the suitability of the defined controls. Therefore, to the jurisdiction’s assessment of the controls required jurisdictions should require a Type 2 report. The procurement Appendix 6 to manage risk for their business objectives. The details contract should be specific about the type of audit that Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 21 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security will be performed, the frequency of the audit (annually or Encryption The nature of new cloud-based business models semiannually), and the jurisdiction’s access to the audit. Audits results in service providers relying on a variety of Operations partners, subcontractors or other third parties to Hybrid Cloud Environments While most XaaS vendors will already have SOC 2 Type provide services to its customers. Preparation for Migrating 2 audits, it is a substantial effort for vendors to undergo a Workloads to the Cloud SOC 2 audit the first time. Since Type 2 audits require 6 or 12 months of operating history of security controls, there State and local governments have an opportunity to Conclusion might not be a feasible timeline for vendors without a SOC improve government service delivery through responsible 2 report to contract for one during a procurement cycle. The development of XaaS contracts. However, traditional control Workgroup Members jurisdiction should determine if the classification of the data models — designed to protect and safeguard the public’s and Contributors to be stored by the vendor is of low enough sensitivity that interest — may prevent some public jurisdictions from taking the procurement can proceed without the audit in scope. advantage of new service models. Other policy makers in Appendix 1 government, beyond procurement officials and CIOs, must Model Terms and Conditions Templates The AICPA also defines SOC 1 and SOC 3 reports, which look at their policies to identify barriers to the adoption of Software-as-a-Service generally would not be needed by a jurisdiction. The SOC 1 these service models. Appropriate oversight and control is Platform-as-a-Service report is targeted to services that affect an entity’s financial a critical part of any public expenditure, but both must Infrastructure-as-a-Service reporting. It grew out of the need for CPA financial audits to also be tailored to work effectively with the service model. encompass controls on data coming from services outside Without this alignment, the full benefit or the service will Appendix 2 of the entity. As it became clear over time that audits not be received. SLA Metrics were needed on services of a more general nature, SOC 2 was established. SOC 2 reports are hence appropriate for Clause 11 Contract Audit requires the service Appendix 3 general XaaS needs. A SOC 3 report concerns the same provider to audit conformance to the contract Key Contact Information trust principles included in a SOC 2 report as a public terms. The public jurisdiction or a contractor of its attestation-only report. A SOC 3 does not include the details choice may perform the audit. The cost of the audit Appendix 4 of the controls in place to meet the trust principles and is the responsibility of the public jurisdiction. Guiding Principles hence would not enable comparison to the jurisdiction’s control requirements as is possible with a SOC 2 report. Clause 12 Data Center Audit requires the service provider Appendix 5 The AICPA’s audit guidance may change as XaaS markets to perform an independent SOC 2 Type 2 audit annually for Procurement Approaches evolve. As SOC 2 is a stable current standard, subsequent all relevant data centers at the service provider’s expense. replacement guidance from the AICPA would clearly The audit must be made available to the jurisdiction if Appendix 6 reference SOC 2 as its predecessor. requested under unilateral NDA or after being redacted. Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 22 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security Encryption Operations Even though the service is more seamless than on- Audits Operations Operations Responsibility and Uptime Guarantee premises systems of the past, public jurisdictions still need Hybrid Cloud Environments System performance and service reliability are important to keep their users apprised of any changes that could impact Preparation for Migrating to the business of public jurisdictions. CIOs know how little the performance of the system and their use of the services. Workloads to the Cloud tolerance end users have for service outages — no matter the cause. Establishing clear service expectations in the Clause 13 Change Control and Advance Notice requires the Conclusion terms and conditions is essential for XaaS contracting. service provider to give advanced notice of upgrades or system Jurisdictions find it helpful to conduct market research changes that may impact the public jurisdiction’s performance. Workgroup Members before the procurement to know what to expect in the and Contributors market and to make sure applications selected for XaaS Subcontractors contracts are well suited to expected operational reliability. The nature of new cloud-based business models results in Appendix 1 service providers relying on a variety of partners, subcontractors Model Terms and Conditions Templates The service provider and the public jurisdiction must or other third parties to provide services to its customers. For a Software-as-a-Service agree to the specific details of service performance measure public jurisdiction, it is important to identify the prime contractor Platform-as-a-Service and maintenance downtime schedules in the SLA. and the various third-party providers and their relationship Infrastructure-as-a-Service with the service provider. Ideally, a public jurisdiction will seek Clause 17 Responsibilities and Uptime Guarantee this information as a part of its pre-contracting due diligence. Appendix 2 make the service provider responsible for all of the plant, SLA Metrics capacity, hardware, software and personnel needed to CIOs know how little tolerance end users provide the service, and commits the service provider have for service outages — no matter the Appendix 3 to service 24/7. Key Contact Information cause. Establishing clear service expectations in the terms and conditions is essential for Changes and Maintenance XaaS contracting. Appendix 4 Today’s XaaS providers are providing performance through Guiding Principles a service. Unlike traditional on-premises solutions that require upgrades and service maintenance contracts that Clause 18 Subcontractor Disclosure requires the Appendix 5 expire, XaaS providers simply provide the service. For these service provider to identify all strategic business partners, Procurement Approaches business models to achieve economies of scale, the providers subcontractors, and other entities and individuals who will must use a “one line code” for all. Upgrades and changes are be involved with the public jurisdiction’s applications and Appendix 6 rolled out to all, not to individual users. data in the performance of the contract. Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 23 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security Operations Business Continuity and Disaster Recovery Encryption For any application that supports business operations and Audits Operations business continuity, disaster recovery plans are critical to Hybrid Cloud Environments address potential public jurisdiction business disruptions Preparation for Migrating and how the elements of the business will be returned to Workloads to the Cloud service. For any public jurisdiction XaaS business application, the contract recovery objectives should be aligned with Conclusion the public jurisdiction’s overall business continuity plan.
Workgroup Members Clause 20 Business Continuity and Disaster Recovery and Contributors requires a business continuity plan and a disaster recovery plan for the service provider’s operations. It specifically Appendix 1 requires the service provider to recover the public Model Terms and Conditions Templates jurisdiction’s data to meet recovery time objectives agreed Software-as-a-Service upon by both parties. The details of the recovery time Platform-as-a-Service must be negotiated between the service provider and the Infrastructure-as-a-Service public jurisdiction, and should be specific in the terms and conditions and SLA. Appendix 2 SLA Metrics
Appendix 3 Key Contact Information
Appendix 4 Guiding Principles
Appendix 5 Procurement Approaches
Appendix 6 Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 24 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security Terms and conditions associated with hybrid cloud Encryption Hybrid Cloud Environments management require the accommodation of the increased Audits Operations Hybrid cloud is a cloud computing environment that system complexity. There is currently no genuine “single Hybrid Cloud Environments uses a mixture of on-premises, private cloud and third- pane of glass” that will work in all hybrid environments, but Preparation for Migrating party cloud services with orchestration between the administrators require visibility across public and private clouds Workloads to the Cloud two platforms. Hybrid cloud environments require both that minimizes the requirements for administrators to constantly management and governance models that encompass all bounce from management application to management Conclusion of the environments used in any particular deployment. application and attempt to correlate the results. Further, the A hybrid application may be as simple as a single authoritative source of diagnostic data must be agreed upon. Workgroup Members application running in multiple hosted computing and Contributors environments that leverages the strengths of each. Governance Governance is a mix of terms and conditions and best Appendix 1 Management practices. External cloud governance is the system by which Model Terms and Conditions Templates Data center technicians need to track workload locations, the provision and use of cloud services is controlled. In this Software-as-a-Service ensure device connections are clean and monitor performance. case, many of the different components of the hybrid cloud Platform-as-a-Service Although mandatory, clearly the management of the computing environment are likely already operating under SLAs Infrastructure-as-a-Service heterogeneous hybrid environments will be as varied as that will form the basis of the governance for each environment. the combinations imaginable. However, there may be some Internal cloud governance focuses on the application of run Appendix 2 solutions available which allow for some central management time policies to ensure that cloud services are designed, SLA Metrics so that visibility and control can be maintained across the implemented and delivered according to specified expectations. entirety of the environment(s). Data centers already Appendix 3 struggle with multiple control environments (servers, Public clouds are, by definition, vastly shared resources Key Contact Information storage systems, network devices, specialized appliances, built for only the most standard of uses and this does not database platforms, etc.). The hybrid cloud adds complexity permit unusual customizations. This requires jurisdictions Appendix 4 to the control environment. Operational management to articulate the potential conflicts and interdependencies Guiding Principles visibility requirements expand the already complex array in SLAs across the differing elements in the different hybrid of components to link new disparate sets of devices. Clear cloud service components (for each application). Appendix 5 agreements are needed across each area to determine Procurement Approaches what source of measures is authoritative. These agreements Customizations or supplementary agreements may be need to be negotiated between the customer and the needed to address specific service management gaps, Appendix 6 service provider. objectives or concerns. The primary consideration will have Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 25 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security to be a gap analysis of the differing service agreements responsible for an outage or incident and vendor contracts Encryption and the harmonization of new and existing policies. may limit resolution of customer disputes. Therefore, Audits Operations Organizational SLAs need to be as close to a standard as decisions on what workload may be run on what portion of Hybrid Cloud Environments possible to ensure easy comparison and understanding of a hybrid cloud needs to consider the remedies for outages Preparation for Migrating the “net” performance results of multiple SLAs. and incidents. Workloads to the Cloud As hybrid and multiple-clouds consist of different Opportunity Conclusion subsystems, which could be sourced from different providers, Even though complexity increases with hybrid cloud it is critical to understand the data about the interactions deployments they provide a unique opportunity for Workgroup Members between the hybrid cloud components. government customers to leverage industry best practices, and Contributors and provide access to more capable technology stacks In terms of vendor selection, hybrid cloud environments and massively scalable environments. Hybrid cloud Appendix 1 require a governance model that encompasses all of the implementations also allow government customers to Model Terms and Conditions Templates environments used in any particular deployment. The extent leverage and reuse common infrastructure components as Software-as-a-Service to which a cloud service provider participates in governance externally managed services, such as database and load Platform-as-a-Service related activities can be used as a differentiator when balancing environments. This can provide significant cost Infrastructure-as-a-Service choosing between providers for particular workloads. savings as well as improved access to highly specialized cloud provider staff resources. Appendix 2 SLA governance (management) for hybrid cloud SLA Metrics computing environments need to take into account multiple communication touch points, change management cycles, Appendix 3 responsibility hand-offs and probably even time zones. Key Contact Information The overarching governance for the specific hybrid Appendix 4 environment is impacted by each included service and Guiding Principles system, which may have its own architecture and governance model. These need to be considered when planning the Appendix 5 whole and can change with new application considerations. Procurement Approaches The multiple integration and touch points between hybrid Appendix 6 components mean it may not be clear what or who is Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 26 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security how services are meeting customer needs and their Encryption Preparation for Migrating uniqueness within government. Audits Workloads to the Cloud Operations 3. Cost considers careful analysis of the existing real costs Hybrid Cloud Environments Governments looking at leveraging cloud opportunities of doing business. What kind of budgetary room for Preparation for Migrating with existing application portfolios face a number of change is possible within the organization and with Workloads to the Cloud different considerations and perspectives. First, what are key stakeholders? the alternatives? 4. Value considers what added intangible values might be Conclusion • Continue to strengthen premise-based services and available if an organization deployed services differently maintain current investment and staffing patterns. but maintained and improved usability and reliability. Workgroup Members • Begin leveraging cloud services for PaaS and SaaS 5. People considers organizational capacity, capability and and Contributors opportunities with familiar government cloud change management functions required to implement contract providers. change throughout the organization. This perspective Appendix 1 • Consider migrating to IaaS for critical government provides opportunities to define capability and skill Model Terms and Conditions Templates infrastructure services. requirements, assess current organizational effectiveness, Software-as-a-Service • Begin developing and rewriting existing agency and acquire necessary skills. Platform-as-a-Service applications so they are optimized for leveraging 6. Maturity identifies the target state of an organization’s Infrastructure-as-a-Service cloud services stacks. capabilities, measuring maturity and ability to optimize resources. A maturity perspective can help assess the Appendix 2 Cloud Preparedness Considerations organization’s ability to prioritize and sequence initiatives SLA Metrics Migration to cloud platforms, and preservation and to develop execution roadmaps. improvement of existing data center services, in whole or 7. Platform focuses on describing the structure and Appendix 3 in part, requires a great deal of planning and sensitivity to relationship of technology elements and services in complex Key Contact Information changing needs of government customers. Government IT environments. This perspective can help develop IT organizations need to be able to transform and perform conceptual and functional models of the IT environment. Appendix 4 simultaneously. A number of perspectives and areas of focus 8. Process looks at processes for managing portfolios, Guiding Principles need to be considered including: programs and projects to deliver expected business 1. Business, focuses on identifying, measuring and creating outcome on time and within budget, while managing Appendix 5 business value using technology services. risks at acceptable levels. Procurement Approaches 2. Product considers what services agencies are providing to 9. Operations focuses on the ongoing operation of customers and looks at why, what, how, who, where and IT environments, operating procedures, service Appendix 6 when services are provided. This perspective considers management, change management and recovery. Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 27 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security 10. Security emphasizes the methods for government to Encryption achieve risk management and compliance goals with Audits Operations rigorous methods to describe structure of security and Hybrid Cloud Environments compliance processes, systems and personnel. Preparation for Migrating Workloads to the Cloud Government organizations have run into walls with simplifying infrastructure management, speed of deployment, Conclusion agility, faster innovations and lower costs. Customer and stakeholder expectations are rising, necessitating changes in Workgroup Members the way government IT does business. and Contributors Cloud services stacks from major cloud providers have Appendix 1 the capability of delivering mature services designed to Model Terms and Conditions Templates meet unique security, compliance, privacy and governance Software-as-a-Service requirements of agency and government IT organizations. Platform-as-a-Service Professional services offer significant depth for planning and Infrastructure-as-a-Service migration projects and can provide deep assistance.
Appendix 2 Cloud platforms are exceeding security, reliability and SLA Metrics scalability requirements associated with government mission-critical and strategic services. There is opportunity Appendix 3 for government to move toward new approaches for adding Key Contact Information value to customers by leveraging cloud services contracts. Appendix 4 Guiding Principles
Appendix 5 Procurement Approaches
Appendix 6 Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 28 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data CONCLUSION Breach Notification Personnel Security Many governments still try to buy XaaS through traditional accountability must be identified and used that not only Encryption procurement methods and standard contract terms and protect the public interest, but also enable the purchase of Audits Operations conditions, even though what they are buying is fundamentally XaaS technology when appropriate. Hybrid Cloud Environments different from traditional IT. This approach is not working. Preparation for Migrating Former New Jersey CIO Steve Emanuel asked, “What Workloads to the Cloud Procurement processes that require strict conformance to actions can we take? What things can we quickly put in place prescribed specifications and unique terms and conditions that will give our work value and create benefit for our states Conclusion are ineffective in the current technological environment. They and the taxpayers?” The answers include: were originally developed to acquire products, not services. • Use the model terms and conditions to frame these new Workgroup Members Effective procurement achieves timely results and good service relationships and Contributors outcomes, and protects the public’s interest. That is all still • Make the changes necessary to modernize and improve the possible through a more flexible, services-centric approach. procurement infrastructure and acquisition processes Appendix 1 Continued over-reliance on traditional state and local • Develop alternative controls that protect the public interest Model Terms and Conditions Templates procurement policies, rules or statutes impedes effective and allow the use of XaaS when it best meets the need Software-as-a-Service procurement of technology services and unnecessarily Platform-as-a-Service inflates both a project’s cost and delivery schedule. Infrastructure-as-a-Service Many governments still try to buy XaaS through The XaaS model of today relies on standardization and traditional procurement methods and standard Appendix 2 consistency in code, process, security and, ultimately, a contract terms and conditions, even though what SLA Metrics business model supporting the delivery of service over the they are buying is fundamentally different from Internet. XaaS delivers value and benefit for its users because traditional IT. This approach is not working. Appendix 3 services are not unique to each purchaser. This creates Key Contact Information tremendous efficiency and economy of scale. It may, however, The rapid proliferation of these service offerings is require significant changes in government business practices. profoundly changing how the world does business. State Appendix 4 and local governments must not isolate themselves from Guiding Principles If state and local governments want to take advantage that change, but rather position themselves to embrace and of this service model, policy makers — finance directors, benefit from it. It is the time to set aside outdated practices Appendix 5 auditors, procurement officers, attorneys and elected that inhibit progress, and move confidently toward a new Procurement Approaches officials — must reconsider and modernize their controls set of commercially proven practices and procedures that and processes that now create barriers to accessing support innovation, collaboration and economy through Appendix 6 these services. New ways to provide transparency and Internet-based services. Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 29 Introduction
Specific Models and Understanding Cloud Procurement WORKGROUP MEMBERS Service Models Data AND CONTRIBUTORS Breach Notification Personnel Security Encryption Workgroup Members Contributors Audits Operations Anthony Booyse, Chief Bruce Hermes, Deputy Robert Myles, National Brett Stott, Director of Todd Sander, Executive Hybrid Cloud Environments Technical Architect, CIO, City of Austin State & Local Govt Marketing, NIC Director, Center for Preparation for Migrating State of Utah Practice Manager, Digital Government Workloads to the Cloud Bruce High, Executive Symantec James Taylor, Gary Buonacorsi, Chief Director & Chief Chief Technology Teri Takai, Senior Conclusion Technology Officer — Information Officer, Steve Nichols, Chief Officer, Oakland Advisor, Center for State and Local Gov, Harris County, Texas Technology Officer, County, Michigan Digital Government Workgroup Members Dell EMC Georgia Technology and Contributors Shannon Kelley, Authority Curtis Unruh, Deputy Robert D. Woolley, Wendy Crowe, Enterprise Contract State Chief Information Senior Fellow, Center Appendix 1 WWPS BD Capture Management, Texas Jennifer Nowell, Officer/Executive for Digital Government Model Terms and Conditions Templates Manager, Amazon Department of National Director, Director, Florida Agency Software-as-a-Service Web Services Information Resources Symantec for State Technology & Platform-as-a-Service Economic Opportunity Infrastructure-as-a-Service Michael DeAngelo, Kim LaCombe, Robert Paglia, Deputy Deputy CIO, State of Technical Architect, Chief Information Appendix 2 Washington — WaTech Veritas Officer, Indiana Office SLA Metrics Of Technology Steven Emanuel, Lisa Logan, Interim Appendix 3 Industry Advisor, SLED Chief Information Kurt Rapelje, Director Key Contact Information & Regulated Industries, Officer, Illinois of Software Engineering, Alliant Technologies, Department of Laserfiche Appendix 4 LLC. Commerce Guiding Principles Mason J. Smith, Katie Gaston, Nelson Moe, CIO, State Corporate Counsel, Appendix 5 Customer Success of Virginia — Vita Amazon Procurement Approaches Manager, Laserfiche Jenifer Mojonnier, Ann Shook, Appendix 6 Public Sector Sales Director, US Business Glossary Operations Consultant, Development State Verizon Enterprise and Local Government, Appendix 7 Solutions Dell EMC Clause Comparison Matrix
Endnotes • Executive Summary 30 Introduction Underwritten By Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security Encryption provides cloud-based As the pioneer IT Audits Accela Alliant Amazon Web Services (AWS) A fully connected network Operations software to drive efficiency for infrastructure utility company, Worldwide Public Sector helps brings it all together. Hybrid Cloud Environments more than 2,200 governments Alliant designs, deploys government, education, and Preparation for Migrating worldwide, including more and manages global IT nonprofit customers deploy Government is where Workloads to the Cloud than 80% of America’s 50 infrastructure for some of the cloud services to reduce costs, innovation happens. largest cities. The Accela Civic most well-known brands in drive efficiencies, and increase Delivering services to Conclusion Platform includes solutions the world. We do this though innovation across the globe. constituents where they live and mobile apps for asset, land our scalable IT infrastructure With AWS, you only pay for and work, agencies are using Workgroup Members and legislative management, utility for enterprise Wide Area what you use, with no up-front technology to strengthen and Contributors licensing, finance, Network, Local Area Network, physical infrastructure expenses community connections. environmental health and Unified Communications, or long-term commitments. AT&T continues to spearhead Appendix 1 more. Accela is headquartered Network Security and Data Learn more about AWS in the network revolution, driving Model Terms and Conditions Templates in San Ramon, California. Center systems. Our IT the public sector and how to innovation and investing more Software-as-a-Service www.accela.com utility enables customers to get started here: https://aws. capital than any other US Platform-as-a-Service efficiently scale and meet amazon.com/government public company. By bringing Infrastructure-as-a-Service the demands of Internet of education/ together solutions that Things (IoT) and the Digital protect, serve and connect — Appendix 2 Age. Alliant Technologies is dedicated AT&T professionals SLA Metrics unique in the industry in the are working with the public way it provides simplicity and sector to identify and Appendix 3 peace of mind, while lowering implement technology Key Contact Information operating costs and risk for to transform the business commercial enterprises. Learn of government. Appendix 4 more: www.allianttech.com. www.att.com/stateandlocal Guiding Principles
Appendix 5 Procurement Approaches
Appendix 6 Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 31 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security Encryption brings innovation has provided services Since 1987, As a global initiative, Audits Dell EMC Deloitte Laserfiche Microsoft ® Operations to public sector agencies of to government clients for more has used its Run Smarter CityNext empowers more Hybrid Cloud Environments all types and sizes so they can than 50 years. Our teams philosophy to create simple sustainable, prosperous, and Preparation for Migrating transform and thrive in the take an intense industry focus and elegant enterprise economically competitive Workloads to the Cloud digital economy. We uniquely working with government content management (ECM) cities—with a simplified power digital transformation leaders to solve their toughest solutions. More than 35,000 approach that puts people Conclusion by delivering best-in-class challenges through applied organizations worldwide — first. It helps cities unlock their technology for applications, innovation – backed by a including federal, state and people’s potential by delivering Workgroup Members data, infrastructure and security– network of dedicated resources, local government agencies innovative digital services that and Contributors from the edge to the core to deep strategic alliances, and and Fortune 1000 companies can help citizens lead safer, the cloud. Visit Dell EMC at full-spectrum delivery across — use Laserfiche® software healthier, and more educated Appendix 1 www.emc.com/emcpublicsector. strategy, implementation, to streamline document, lives. Cities can tap into Model Terms and Conditions Templates management and operations. records, and business the extensive public-sector Software-as-a-Service Visit Deloitte at process management. expertise, experience, and Platform-as-a-Service www.deloitte.com. To learn more, visit: solution portfolios of Microsoft Infrastructure-as-a-Service www.laserfiche.com and our partners and innovate at their own pace, deploying Appendix 2 real-time solutions that can SLA Metrics interoperate with their legacy IT investments. These can Appendix 3 transform their operations and Key Contact Information infrastructures; engage citizens and businesses, workers, and Appendix 4 businesses; and accelerate Guiding Principles their economic development and environmental Appendix 5 sustainability. Learn more at Procurement Approaches http://microsoft.com/citynext Appendix 6 Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 32 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security Encryption is the leading provider offers custom IT solutions Audits NIC SHI Symantec Corporation Veritas Technologies Operations of eGovernment services, for every aspect of your (NASDAQ: SYMC) is the enables organizations to Hybrid Cloud Environments websites, and secure payment environment. We provide global leader in cybersecurity. harness the power of their Preparation for Migrating processing solutions. Our value to our customers by Operating one of the world’s information to drive success, Workloads to the Cloud innovative eGovernment connecting them with the right largest cyber intelligence with solutions designed services reduce costs and technology at the right time networks, we see more threats, to serve the world’s most Conclusion generate efficiencies for — cloud solutions, datacenter and protect more customers complex, heterogeneous government agencies and refresh, mobility, virtualization, from the next generation of environments. From traditional Workgroup Members constituents. NIC supports video surveillance, and “as a attacks. We help companies, data centers to private, public and Contributors more than 4,500 federal, state, service” solutions. We help our governments and individuals and hybrid clouds, Veritas and local agencies nationwide. customers address their needs, secure their most important helps enterprises protect, Appendix 1 To learn more, visit us at acquire the right technology, data wherever it lives. identify and manage data Model Terms and Conditions Templates www.egov.com. and adopt that technology For more information, visit regardless of their environment Software-as-a-Service for a successful outcome. www.symantec.com. through a comprehensive Platform-as-a-Service To learn more, visit product strategy and Infrastructure-as-a-Service www.publicsector.shidirect.com. roadmap focused on their needs. Visit Veritas online at Appendix 2 govdatarevolution.com. SLA Metrics
Appendix 3 Key Contact Information
Appendix 4 Guiding Principles
Appendix 5 Procurement Approaches
Appendix 6 Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 33 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security Encryption At Audits Verizon Enterprise Operations Solutions, we help Hybrid Cloud Environments organizations like yours Preparation for Migrating improve customer experience, Workloads to the Cloud drive growth and manage risk. We offer solutions for Conclusion your industry, built on our secure mobility, IT solutions, Workgroup Members networking, Internet of Things and Contributors and advanced communications platforms, so you can seize Appendix 1 new opportunities to Model Terms and Conditions Templates innovate and grow. Software-as-a-Service www.verizonenterprise.com. Platform-as-a-Service Infrastructure-as-a-Service
Appendix 2 SLA Metrics
Appendix 3 Key Contact Information
Appendix 4 Guiding Principles
Appendix 5 Procurement Approaches
Appendix 6 Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 3434 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data APPENDIX 1 Breach Notification Personnel Security point for a public jurisdiction and a service provider to create Encryption Model Terms and Conditions Templates a responsive and effective XaaS contract. As with any model Audits Operations The workgroup recommends that contracts for document, the templates have no force or effect until used Hybrid Cloud Environments XaaS include four well-defined, mutually exclusive or adopted. Preparation for Migrating sections, along with any other sections required under Workloads to the Cloud the jurisdiction’s established procurement processes. These necessary and mutually exclusive sections are: Conclusion • A Statement of Work (SOW), which contains a broad array of functional requirements. While Workgroup Members many SOWs repeat similar needs, those functional and Contributors needs do not cross the boundary into terms and conditions. Such common functions may Appendix 1 include, for example, daily activity reporting, Model Terms and Conditions Templates alerts when certain conditions are met, etc. Software-as-a-Service • Terms and Conditions, which is the major focus of Platform-as-a-Service this document. For ease of maintainability, certain Infrastructure-as-a-Service metrics and dynamic information should be placed into a separate document, which we label as the Appendix 2 SLA Metrics Outline, and which is referred to in SLA Metrics various places in the Terms and Conditions. • The SLA Metrics Outline, which contains Appendix 3 expected service metrics and description of Key Contact Information consequences for unmet agreed expectations • Contact Details Outline, which contains the names Appendix 4 and contact information of the individuals who Guiding Principles represent the parties for operations purposes.
Appendix 5 The workgroup offers three templates as model terms and Procurement Approaches conditions for each specific service model: SaaS, PaaS and IaaS. As a model, each template is intended to accelerate the Appendix 6 XaaS adoption by providing either a foundation or starting Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 35 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security and confidential by the public jurisdiction because Encryption Software-as-a-Service it contains information that is exempt by statute, Audits Operations 1. Definitions: ordinance or administrative rule from access by the Hybrid Cloud Environments a. “Authorized Persons” means the service provider’s general public as public information. Preparation for Migrating employees, contractors, subcontractors or other agents Workloads to the Cloud who need to access the public jurisdiction’s personal e. “Personal Data” means data that includes information data to enable the service provider to perform the relating to a person that identifies the person by name Conclusion services required. and has any of the following personally identifiable information (PII): government-issued identification Workgroup Members b. “Data Breach” means the unauthorized access by numbers (e.g., Social Security, driver’s license, and Contributors a non-authorized person/s that results in the use, passport); financial account information, including disclosure or theft of a public jurisdiction’s unencrypted account number, credit or debit card numbers; or Appendix 1 personal data. protected health information (PHI) relating to a person. Model Terms and Conditions Templates Software-as-a-Service c. “Individually Identifiable Health Information” means f. “Protected Health Information” (PHI) means Platform-as-a-Service information that is a subset of health information, individually identifiable health information transmitted Infrastructure-as-a-Service including demographic information collected from an by electronic media, maintained in electronic media, individual, and (1) is created or received by a health or transmitted or maintained in any other form or Appendix 2 care provider, health plan, employer or health care medium. PHI excludes education records covered by SLA Metrics clearinghouse; and (2) relates to the past, present or the Family Educational Rights and Privacy Act (FERPA), future physical or mental health or condition of an as amended, 20 U.S.C. 1232g, records described at 20 Appendix 3 individual; the provision of health care to an individual; U.S.C. 1232g(a)(4)(B)(iv) and employment records held Key Contact Information or the past, present or future payment for the provision by a covered entity in its role as employer.13 of health care to an individual; and (a) that identifies Appendix 4 the individual; or (b) with respect to which there is a g. “Public Jurisdiction” means any government or Guiding Principles reasonable basis to believe the information can be used government agency that uses these terms and to identify the individual.12 conditions. The term is a placeholder for the Appendix 5 government or government agency. Procurement Approaches d. “Non-Public Data” means data, other than personal data, that is not subject to distribution to the public h. “Public Jurisdiction Data” means all data created or in Appendix 6 as public information. It is deemed to be sensitive any way originating with the public jurisdiction, and all Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 36 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security data that is the output of computer processing of or other (3) security notice requirements, (4) timeframes for Encryption electronic manipulation of any data that was created by or response to operational problems and failures, and (5) Audits Operations in any way originated with the public jurisdiction, whether any remedies for performance failures. Hybrid Cloud Environments such data or output is stored on the public jurisdiction’s Preparation for Migrating hardware, the service provider’s hardware or exists in any l. “Service Provider” means the contractor and its Workloads to the Cloud system owned, maintained or otherwise controlled by the employees, subcontractors, agents and affiliates who public jurisdiction or by the service provider. are providing the services agreed to under the contract. Conclusion i. “Public Jurisdiction Identified Contact” means m. “Software-as-a-Service” (SaaS) means the capability Workgroup Members the person or persons designated in writing by the provided to the consumer to use the provider’s and Contributors public jurisdiction to receive security incident or applications running on a cloud infrastructure. The breach notification. applications are accessible from various client devices Appendix 1 through a thin-client interface such as a Web browser Model Terms and Conditions Templates j. “Security Incident” means the potentially unauthorized (e.g., Web-based email) or a program interface. The Software-as-a-Service access by non-authorized persons to personal data consumer does not manage or control the underlying Platform-as-a-Service or non-public data the service provider believes could cloud infrastructure including network, servers, Infrastructure-as-a-Service reasonably result in the use, disclosure or theft of a operating systems, storage or even individual application public jurisdiction’s unencrypted personal data or capabilities, with the possible exception of limited user- Appendix 2 non-public data within the possession or control of the specific application configuration settings.14 SLA Metrics service provider. A security incident may or may not n. “Statement of Work” means a written statement in a turn into a data breach. solicitation document or contract that describes the Appendix 3 public jurisdiction’s service needs and expectations. Key Contact Information k. “Service Level Agreement” (SLA) means that part of the written agreement between both the public 2. Data Ownership: The public jurisdiction will own all Appendix 4 jurisdiction and the service provider that is subject to right, title and interest in its data that is related to the Guiding Principles the terms and conditions in this document and that services provided by this contract. The service provider unless otherwise agreed to includes (1) the technical shall not access public jurisdiction user accounts or public Appendix 5 service level performance promises, (i.e. metrics for jurisdiction data, except (1) in the course of data center Procurement Approaches performance and intervals for measure), (2) the amount operations, (2) in response to service or technical issues, of time required for notice by the provider to the public (3) as required by the express terms of this contract Appendix 6 jurisdiction for notification of upcoming changes, or (4) at the public jurisdiction’s written request. Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 37 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security 3. Data Protection: Protection of personal privacy and e. At no time shall any data or processes — that Encryption data shall be an integral part of the business activities of either belong to or are intended for the use of Audits Operations the service provider to ensure there is no inappropriate or a public jurisdiction or its officers, agents or Hybrid Cloud Environments unauthorized use of public jurisdiction information at any employees — be copied, disclosed or retained by the Preparation for Migrating time. To this end, the service provider shall safeguard the service provider or any party related to the service Workloads to the Cloud confidentiality, integrity and availability of public jurisdiction provider for subsequent use in any transaction information and comply with the following conditions: that does not include the public jurisdiction. Conclusion a. The service provider shall implement and f. The service provider shall not use any maintain appropriate administrative, technical information collected in connection with the Workgroup Members and organizational security measures to safeguard service issued from this proposal for any and Contributors against unauthorized access, disclosure or theft of purpose other than fulfilling the service. personal data and non-public data. Such security Appendix 1 measures shall be in accordance with recognized 4. Data Location: The service provider shall provide its Model Terms and Conditions Templates industry practice and not less stringent than the services to the public jurisdiction and its end users solely Software-as-a-Service measures the service provider applies to its own from data centers in the U.S. Storage of public jurisdiction Platform-as-a-Service personal data and non-public data of similar kind. data at rest shall be located solely in data centers in the Infrastructure-as-a-Service b. All data obtained by the service provider in the U.S. The service provider shall not allow its personnel or performance of this contract shall become and contractors to store public jurisdiction data on portable Appendix 2 remain the property of the public jurisdiction. devices, including personal computers, except for devices SLA Metrics c. All personal data shall be encrypted at rest and in transit with that are used and kept only at its U.S. data centers. The controlled access. Unless otherwise stipulated, the service service provider shall permit its personnel and contractors Appendix 3 provider is responsible for encryption of the personal data. to access public jurisdiction data remotely only as required Key Contact Information Any stipulation of responsibilities will identify specific roles to provide technical support. The service provider may and responsibilities and shall be included in the statement of provide technical user support on a 24/7 basis using a Follow Appendix 4 work (SOW), or otherwise made a part of this contract. the Sun model, unless otherwise prohibited in the SLA. Guiding Principles d. Unless otherwise stipulated, the service provider shall encrypt all non-public data at rest and in transit. 5. Security Incident or Data Breach Notification: Appendix 5 The public jurisdiction shall identify data it deems The service provider shall inform the public jurisdiction Procurement Approaches as non-public data to the service provider. The level of any security incident or data breach. of protection and encryption for all non-public data a. Incident Response: The service provider may need Appendix 6 shall be identified and made a part of this contract. to communicate with outside parties regarding a Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 38 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security security incident, which may include contacting law b. The service provider, unless stipulated otherwise, shall Encryption enforcement, fielding media inquiries and seeking promptly notify the appropriate public jurisdiction identified Audits Operations external expertise as mutually agreed upon, defined by contact within 24 hours or sooner by telephone, unless Hybrid Cloud Environments law or contained in the contract. Discussing security shorter time is required by applicable law, if it confirms that Preparation for Migrating incidents with the public jurisdiction should be handled there is, or reasonably believes that there has been a data Workloads to the Cloud on an urgent as-needed basis, as part of service provider breach. The service provider shall (1) cooperate with the communication and mitigation processes as mutually public jurisdiction as reasonably requested by the public Conclusion agreed upon, defined by law or contained in the contract. jurisdiction to investigate and resolve the data breach, b. Security Incident Reporting Requirements: The (2) promptly implement necessary remedial measures, Workgroup Members service provider shall report a security incident if necessary, and (3) document responsive actions taken and Contributors to the appropriate public jurisdiction identified related to the data breach, including any post-incident contact immediately as defined in the SLA. review of events and actions taken to make changes in Appendix 1 c. Breach Reporting Requirements: If the service business practices in providing the services, if necessary. Model Terms and Conditions Templates provider has actual knowledge of a confirmed c. Unless otherwise stipulated, if a data breach is a direct Software-as-a-Service data breach that affects the security of any public result of the service provider’s breach of its contract Platform-as-a-Service jurisdiction content that is subject to applicable obligation to encrypt personal data or otherwise prevent Infrastructure-as-a-Service data breach notification law, the service provider its release, the service provider shall bear the costs shall (1) promptly notify the appropriate public associated with (1) the investigation and resolution Appendix 2 jurisdiction identified contact within 24 hours or of the data breach; (2) notifications to individuals, SLA Metrics sooner, unless shorter time is required by applicable regulators or others required by state law; (3) a credit law, and (2) take commercially reasonable measures monitoring service required by state (or federal) law; Appendix 3 to address the data breach in a timely manner. (4) a website or a toll-free number and call center for Key Contact Information affected individuals required by state law — all not to 6. Breach Responsibilities: This section only applies exceed the average per record per person cost calculated Appendix 4 when a data breach occurs with respect to personal data for data breaches in the United States (currently $201 Guiding Principles within the possession or control of the service provider. per record/person) in the most recent Cost of Data a. The service provider, unless stipulated otherwise, shall Breach Study: Global Analysis published by the Ponemon Appendix 5 immediately notify the appropriate public jurisdiction Institute15 at the time of the data breach; and (5) complete Procurement Approaches identified contact by telephone in accordance with the all corrective actions as reasonably determined by agreed upon security plan or security procedures if it service provider based on root cause; all [(1) through Appendix 6 reasonably believes there has been a security incident. (5)] subject to this contract’s limitation of liability. Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 39 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security 7. Notification of Legal Requests: The service provider After such period, the service provider shall have no Encryption shall contact the public jurisdiction upon receipt of obligation to maintain or provide any public jurisdiction Audits Operations any electronic discovery, litigation holds, discovery data and shall thereafter, unless legally prohibited, Hybrid Cloud Environments searches and expert testimonies related to the public delete all public jurisdiction data in its systems or Preparation for Migrating jurisdiction’s data under this contract, or which in otherwise in its possession or under its control. Workloads to the Cloud any way might reasonably require access to the data d. The public jurisdiction shall be entitled to any post- of the public jurisdiction. The service provider shall termination assistance generally made available with Conclusion not respond to subpoenas, service of process and respect to the services, unless a unique data retrieval other legal requests related to the public jurisdiction arrangement has been established as part of the SOW. Workgroup Members without first notifying the public jurisdiction, unless e. The service provider shall securely dispose of all requested and Contributors prohibited by law from providing such notice. data in all of its forms, such as disk, CD/DVD, backup tape and paper, when requested by the public jurisdiction. Appendix 1 8. Termination and Suspension of Service: Data shall be permanently deleted and shall not be Model Terms and Conditions Templates a. In the event of a termination of the contract, the service recoverable, according to National Institute of Standards Software-as-a-Service provider shall implement an orderly return of public and Technology (NIST)-approved methods. Certificates of Platform-as-a-Service jurisdiction data in a CSV or another mutually agreeable destruction shall be provided to the public jurisdiction. Infrastructure-as-a-Service format at a time agreed to by the parties and the subsequent secure disposal of public jurisdiction data. 9. Background Checks: The service provider shall conduct Appendix 2 b. During any period of service suspension, the service criminal background checks and not utilize any staff, including SLA Metrics provider shall not take any action to intentionally erase subcontractors, to fulfill the obligations of the contract who any public jurisdiction data. have been convicted of any crime of dishonesty, including Appendix 3 c. In the event of termination of any services or agreement but not limited to criminal fraud, or otherwise convicted of Key Contact Information in entirety, the service provider shall not take any action any felony or misdemeanor offense for which incarceration to intentionally erase any public jurisdiction data for a for up to 1 year is an authorized penalty. The service Appendix 4 period of: provider shall promote and maintain an awareness of the Guiding Principles • 10 days after the effective date of termination, if the importance of securing the public jurisdiction’s information termination is in accordance with the contract period among the service provider’s employees and agents. Appendix 5 • 30 days after the effective date of termination, Procurement Approaches if the termination is for convenience 10. Access to Security Logs and Reports: The service • 60 days after the effective date of termination, provider shall provide reports to the public jurisdiction Appendix 6 if the termination is for cause in a format as specified in the SLA agreed to by both Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 40 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security the service provider and the public jurisdiction. Reports limitations to the public jurisdiction such that adequate Encryption protection and flexibility can be attained between Audits shall include latency statistics, user access, user access Operations IP address, user access history and security logs for the public jurisdiction and the service provider. For Hybrid Cloud Environments all public jurisdiction files related to this contract. example: virus checking and port sniffing — the Preparation for Migrating public jurisdiction and the service provider shall Workloads to the Cloud 11. Contract Audit: The service provider shall allow the public understand each other’s roles and responsibilities. jurisdiction to audit conformance to the contract terms. The Conclusion public jurisdiction may perform this audit or contract with a third 15. Non-disclosure and Separation of Duties: The service party at its discretion and at the public jurisdiction’s expense. provider shall enforce separation of job duties, require Workgroup Members commercially reasonable non-disclosure agreements, and and Contributors 12. Data Center Audit: The service provider shall perform limit staff knowledge of public jurisdiction data to that an independent audit of its data centers at least annually which is absolutely necessary to perform job duties. Appendix 1 at its expense, and provide a redacted version of the audit Model Terms and Conditions Templates report upon request. The service provider may remove its 16. Import and Export of Data: The public jurisdiction shall Software-as-a-Service proprietary information from the redacted version. A Service have the ability to import or export data in piecemeal or in Platform-as-a-Service Organization Control (SOC) 2 audit report or approved entirety at its discretion without interference from the service Infrastructure-as-a-Service equivalent sets the minimum level of a third-party audit. provider. This includes the ability for the public jurisdiction to import or export data to/from other service providers. Appendix 2 13. Change Control and Advance Notice: The service SLA Metrics provider shall give advance notice (to be determined 17. Responsibilities and Uptime Guarantee: The service at the contract time and included in the SLA) to the provider shall be responsible for the acquisition and Appendix 3 public jurisdiction of any upgrades (e.g., major upgrades, operation of all hardware, software and network support Key Contact Information minor upgrades, system changes) that may impact related to the services being provided. The technical and service availability and performance. A major upgrade professional activities required for establishing, managing Appendix 4 is a replacement of hardware, software or firmware and maintaining the environments are the responsibilities Guiding Principles with a newer or better version in order to bring the of the service provider. The system shall be available system up to date or to improve its characteristics. 24/7/365 (with agreed-upon maintenance downtime), Appendix 5 It usually includes a new version number. and provide service to customers as defined in the SLA. Procurement Approaches 14. Security: The service provider shall disclose its 18. Subcontractor Disclosure: The service provider shall Appendix 6 non-proprietary security processes and technical identify all of its strategic business partners related to Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 41 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security services provided under this contract, including but not 22. Web Services: The service provider shall use Encryption Web services exclusively to interface with the public Audits limited to all subcontractors or other entities or individuals Operations who may be a party to a joint venture or similar agreement jurisdiction’s data in near real time when possible. Hybrid Cloud Environments with the service provider, and who shall be involved Preparation for Migrating in any application development and/or operations. 23. Encryption of Data at Rest: The service provider Workloads to the Cloud shall ensure hard drive encryption consistent with 19. Right to Remove Individuals: The public jurisdiction validated cryptography standards as referenced in Conclusion shall have the right at any time to require that the service FIPS 140-2, Security Requirements for Cryptographic provider remove from interaction with public jurisdiction any Modules for all personal data, unless the public Workgroup Members service provider representative who the public jurisdiction jurisdiction approves the storage of personal data and Contributors believes is detrimental to its working relationship with the on a service provider portable device in order to service provider. The public jurisdiction shall provide the accomplish work as defined in the statement of work. Appendix 1 service provider with notice of its determination, and the Model Terms and Conditions Templates reasons it requests the removal. If the public jurisdiction 24. Subscription Terms: Contractor grants to a Software-as-a-Service signifies that a potential security violation exists with Purchasing Entity a license to: (i) access and use the Platform-as-a-Service respect to the request, the service provider shall immediately Service for its business purposes; (ii) for SaaS, use Infrastructure-as-a-Service remove such individual. The service provider shall not underlying software as embodied or used in the Service; assign the person to any aspect of the contract or future and (iii) view, copy, upload and download (where Appendix 2 work orders without the public jurisdiction’s consent. applicable), and use Contractor’s documentation. SLA Metrics 20. Business Continuity and Disaster Recovery: Appendix 3 The service provider shall provide a business Key Contact Information continuity and disaster recovery plan upon request and ensure that the public jurisdiction’s recovery Appendix 4 time objective (RTO) of XXX hours/days is met. Guiding Principles (XXX shall be negotiated by both parties.)
Appendix 5 21. Compliance with Accessibility Standards: Procurement Approaches The service provider shall comply with and adhere to Accessibility Standards of Section 508 Appendix 6 Amendment to the Rehabilitation Act of 1973. Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 42 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security it contains information that is exempt by statute, Encryption Platform-as-a-Service ordinance or administrative rule from access by the Audits Operations 1. Definitions: general public as public information. Hybrid Cloud Environments a. “Authorized Persons” means the service provider’s Preparation for Migrating employees, contractors, subcontractors or other agents e. “Personal Data” means data that includes information Workloads to the Cloud who need to access the public jurisdiction’s personal data to relating to a person that identifies the person by name enable the service provider to perform the services required. and has any of the following personally identifiable Conclusion information (PII): government-issued identification b. “Data Breach” means the unauthorized access by numbers (e.g., Social Security, driver’s license, Workgroup Members a non-authorized person/s that results in the use, passport); financial account information, including and Contributors disclosure or theft of a public jurisdiction’s unencrypted account number, credit or debit card numbers; or personal data. protected health information (PHI) relating to a person. Appendix 1 Model Terms and Conditions Templates c. “Individually Identifiable Health Information” means f. “Platform-as-a-Service” (PaaS) means the capability Software-as-a-Service Information that is a subset of health information, provided to the consumer to deploy onto the cloud Platform-as-a-Service including demographic information collected from an infrastructure consumer-created or -acquired Infrastructure-as-a-Service individual, and (1) is created or received by a health applications created using programming languages care provider, health plan, employer or health care and tools supported by the provider. This capability Appendix 2 clearinghouse; and (2) relates to the past, present or does not necessarily preclude the use of compatible SLA Metrics future physical or mental health or condition of an programming languages, libraries, services and tools individual; the provision of health care to an individual; from other sources. The consumer does not manage or Appendix 3 or the past, present or future payment for the provision control the underlying cloud infrastructure, including Key Contact Information of health care to an individual; and (a) that identifies network, servers, operating systems or storage, but has the individual; or (b) with respect to which there is a control over the deployed applications and possibly Appendix 4 reasonable basis to believe the information can be used application hosting environment configurations.17 Guiding Principles to identify the individual.16 g. “Protected Health Information” (PHI) means Appendix 5 d. “Non-Public Data” means data, other than personal individually identifiable health information transmitted Procurement Approaches data, that is not subject to distribution to the public by electronic media, maintained in electronic media, or as public information. It is deemed to be sensitive transmitted or maintained in any other form or medium. Appendix 6 and confidential by the public jurisdiction because PHI excludes education records covered by Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 43 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security the Family Educational Rights and Privacy Act (FERPA), non-public data within the possession or control of the Encryption as amended, 20 U.S.C. 1232g, records described at service provider. A security incident may or may not Audits Operations 20 U.S.C. 1232g(a)(4)(B)(iv) and employment records turn into a data breach. 18 Hybrid Cloud Environments held by a covered entity in its role as employer. Preparation for Migrating l. “Service Level Agreement” (SLA) means that part Workloads to the Cloud h. “Public Jurisdiction” means any government or of the written agreement between both the public government agency that uses these terms and jurisdiction and the service provider that is subject to Conclusion conditions. The term is a placeholder for the the terms and conditions in this document and that government or government agency. unless otherwise agreed to includes (1) the technical Workgroup Members service level performance promises, (i.e. metrics for and Contributors i. “Public Jurisdiction Data” means all data created or in performance and intervals for measure), (2) the amount any way originating with the public jurisdiction, and of time required for notice by the provider to the public Appendix 1 all data that is the output of computer processing of jurisdiction for notification of upcoming changes, Model Terms and Conditions Templates or other electronic manipulation of any data that was (3) security notice requirements, (4) timeframes for Software-as-a-Service created by or in any way originated with the public response to operational problems and failures, and (5) Platform-as-a-Service jurisdiction, whether such data or output is stored on any remedies for performance failures. Infrastructure-as-a-Service the public jurisdiction’s hardware, the service provider’s hardware or exists in any system owned, maintained or m. “Service Provider” means the contractor and its Appendix 2 otherwise controlled by the public jurisdiction or by the employees, subcontractors, agents and affiliates who SLA Metrics service provider. are providing the services agreed to under the contract.
Appendix 3 j. “Public Jurisdiction Identified Contact” means n. “Statement of Work” means a written statement in a Key Contact Information the person or persons designated in writing by the solicitation document or contract that describes the public jurisdiction to receive security incident or public jurisdiction’s service needs and expectations. Appendix 4 breach notification. Guiding Principles 2. Data Ownership: The public jurisdiction will own all right, k. “Security Incident” means the potentially unauthorized title and interest in its public jurisdiction data that is related Appendix 5 access by non-authorized persons to personal data to the services provided by this contract. The service provider Procurement Approaches or non-public data the service provider believes could shall not access public jurisdiction user accounts or public reasonably result in the use, disclosure or theft of a jurisdiction data, except (1) in the course of data center Appendix 6 public jurisdiction’s unencrypted personal data or operations, (2) in response to service or technical issues, Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 44 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security (3) as required by the express terms of this contract or d. Unless otherwise stipulated, it is the public jurisdiction’s Encryption (4) at the public jurisdiction’s written request. responsibility to identify data it deems as non-public Audits Operations data to the service provider. The level of protection and Hybrid Cloud Environments 3. Data Protection: Protection of personal privacy and data encryption for all non-public data shall be identified and Preparation for Migrating shall be an integral part of the business activities of the service made a part of this contract. Workloads to the Cloud provider to ensure there is no inappropriate or unauthorized use e. At no time shall any data or processes — which either of public jurisdiction information at any time. To this end, the belong to or are intended for the use of a public jurisdiction Conclusion service provider shall safeguard the confidentiality, integrity and or its officers, agents or employees — be copied, disclosed availability of public jurisdiction information within its control or retained by the service provider or any party related to Workgroup Members and comply with the following conditions: the service provider for subsequent use in any transaction and Contributors a. The service provider shall implement and maintain that does not include the public jurisdiction. appropriate administrative, technical and organizational Appendix 1 security measures to safeguard against unauthorized 4. Data Location: The service provider shall provide its Model Terms and Conditions Templates access, disclosure or theft of personal data and non services to the public jurisdiction and its end users solely Software-as-a-Service public data within its control. Such security measures from data centers in the U.S. Storage of public jurisdiction Platform-as-a-Service shall be in accordance with recognized industry practice data at rest shall be located solely in data centers in the Infrastructure-as-a-Service and not less stringent than the measures the service U.S. The service provider shall not allow its personnel or provider applies to its own personal data and non contractors to store public jurisdiction data on portable Appendix 2 public data of similar kind. devices, including personal computers, except for devices SLA Metrics b. All data obtained by the service provider within its that are used and kept only at its U.S. data centers. The control in the performance of this contract shall become service provider shall permit its personnel and contractors to Appendix 3 and remain the property of the public jurisdiction. access public jurisdiction data remotely only as required to Key Contact Information c. Unless otherwise stipulated, personal data and non provide technical support. The service provider may provide public data shall be encrypted at rest and in transit technical user support on a 24/7 basis using a Follow the Sun Appendix 4 with controlled access. The statement of work (SOW) model, unless otherwise prohibited in this contract. Guiding Principles and contract document will specify which party is responsible for encryption and access control of the 5. Security Incident or Data Breach Notification:The Appendix 5 public jurisdiction data for the service model under service provider shall inform the public jurisdiction of any Procurement Approaches contract. If the statement of work and the contract are security incident or data breach within the possession and silent, then the public jurisdiction is responsible for control of the service provider and related to service provided Appendix 6 encryption and access control. under this contract. Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 45 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security a. Incident Response: The service provider may need to identified contact by telephone in accordance with the Encryption communicate with outside parties regarding a security agreed upon security plan or security procedures if it Audits Operations incident, which may include contacting law enforcement, reasonably believes there has been a security incident. Hybrid Cloud Environments fielding media inquiries and seeking external expertise as b. The service provider, unless stipulated otherwise, shall Preparation for Migrating mutually agreed upon, defined by law or contained in the promptly notify the appropriate public jurisdiction Workloads to the Cloud contract. Discussing security incidents with the public identified contact within 24 hours or sooner by jurisdiction should be handled on an urgent as-needed telephone, unless shorter time is required by applicable Conclusion basis, as part of service provider communication and law, if it confirms that there is or reasonably believes mitigation processes as mutually agreed, defined by law there has been a data breach. The service provider Workgroup Members or contained in the contract. shall (1) cooperate with the public jurisdiction as and Contributors b. Security Incident Reporting Requirements: Unless reasonably requested by the public jurisdiction to otherwise stipulated, the service provider shall investigate and resolve the data breach; (2) promptly Appendix 1 immediately report a security incident related to its implement necessary remedial measures, if necessary; Model Terms and Conditions Templates service under the contract to the appropriate public and (3) document responsive actions taken related to Software-as-a-Service jurisdiction identified contact as defined in the SLA. the data breach, including any post-incident review of Platform-as-a-Service c. Breach Reporting Requirements: If the service provider events and actions taken to make changes in business Infrastructure-as-a-Service has actual knowledge of a confirmed data breach that practices in providing the services, if necessary. affects the security of any public jurisdiction content that c. Unless otherwise stipulated, if a data breach is a direct Appendix 2 is subject to applicable data breach notification law, the result of the service provider’s breach of its contract SLA Metrics service provider shall (1) promptly notify the appropriate obligation to encrypt personal data or otherwise prevent public jurisdiction identified contact within 24 hours its release, the service provider shall bear the costs Appendix 3 or sooner, unless shorter time is required by applicable associated with (1) the investigation and resolution of the Key Contact Information law, and (2) take commercially reasonable measures to data breach; (2) notifications to individuals, regulators address the data breach in a timely manner. or others required by state law; (3) a credit monitoring Appendix 4 service required by state (or federal) law; (4) a website Guiding Principles 6. Breach Responsibilities: This section only applies when a or a toll-free number and call center for affected data breach occurs with respect to personal data within the individuals required by state law; all not to exceed the Appendix 5 possession or control of the service provider and related to average per record per person cost calculated for data Procurement Approaches the service provided under this contract. breaches in the United States (currently $201 per record/ a. The service provider, unless stipulated otherwise, shall person) in the most recent Cost of Data Breach Study: Appendix 6 immediately notify the appropriate public jurisdiction Global Analysis published by the Ponemon Institute19 Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 46 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security at the time of the data breach; and (v) complete all provider shall have no obligation to maintain or provide Encryption any public jurisdiction data and shall thereafter, unless Audits corrective actions as reasonably determined by service Operations provider based on root cause; all [(1) through (5)] legally prohibited, delete all public jurisdiction data in Hybrid Cloud Environments subject to this contract’s limitation of liability. its systems or otherwise in its possession or under its Preparation for Migrating control. In the event of termination for cause, the service Workloads to the Cloud 7. Notification of Legal Requests: The service provider shall provider will impose no fees for access and retrieval of contact the public jurisdiction upon receipt of any electronic digital content to the customer. Conclusion discovery, litigation holds, discovery searches and expert d. After termination of the contract and the prescribed testimonies related to the public jurisdiction’s data under this retention period, the provider shall securely dispose of Workgroup Members contract, or which in any way might reasonably require access all digital content in all of its forms, such as disk, CD/ and Contributors to the data of the public jurisdiction. The service provider shall DVD, backup tape and paper. The public jurisdiction’s not respond to subpoenas, service of process and other legal digital content shall be permanently deleted and shall not Appendix 1 requests related to the public jurisdiction without first notifying be recoverable, according to NIST-approved methods. Model Terms and Conditions Templates the public jurisdiction, unless prohibited by law from providing Certificates of destruction shall be provided to the public Software-as-a-Service such notice. jurisdiction. Platform-as-a-Service Infrastructure-as-a-Service 8. Termination and Suspension of Service: 9. Background Checks: The service provider shall conduct a. In the event of an early termination of the contract, the criminal background checks and not utilize any staff, Appendix 2 service provider shall allow for the public jurisdiction to including subcontractors, to fulfill the obligations of the SLA Metrics retrieve its digital content and provide for the subsequent contract who have been convicted of any crime of dishonesty, secure disposal of public jurisdiction digital content. including but not limited to criminal fraud, or otherwise Appendix 3 b. During any period of suspension, the service provider convicted of any felony or any misdemeanor offense Key Contact Information shall not take any action to intentionally erase any public for which incarceration for up to 1 year is an authorized jurisdiction digital content. penalty. The service provider shall promote and maintain Appendix 4 c. In the event of early termination of any services or an awareness of the importance of securing the public Guiding Principles agreement in entirety, the service provider shall not take jurisdiction’s information among the service provider’s any action to intentionally erase any public jurisdiction employees and agents. Appendix 5 data for a period of: 1) 45 days after the effective date Procurement Approaches of termination, if the termination is for convenience; or 10. Access to Security Logs and Reports: 2) 60 days after the effective date of termination, if the a. The service provider shall provide reports to the public Appendix 6 termination is for cause. After such period, the service jurisdiction in a format as specified in the SOW. If not Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 47 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security otherwise specified in the SOW, reports will include and performance. A major upgrade is a replacement of Encryption latency statistics, user access, user access IP address, hardware, software or firmware with a newer or better version, Audits Operations user access history and security logs for all public in order to bring the system up to date or to improve its Hybrid Cloud Environments jurisdiction files related to this contract. characteristics. It usually includes a new version number. Preparation for Migrating b. The service provider and the public jurisdiction Workloads to the Cloud recognize that security responsibilities are shared. The 14. Security: The service provider shall disclose its non- service provider is responsible for providing a secure proprietary security processes and technical limitations to Conclusion infrastructure. The public jurisdiction is responsible for the public jurisdiction such that adequate protection and its secure guest operating system, firewalls and other flexibility can be attained between the public jurisdiction and Workgroup Members logs captured within the guest operating system. Specific the service provider. For example: virus checking and port and Contributors shared responsibilities are identified within the SOW. sniffing – the public jurisdiction and the service provider shall understand each other’s roles and responsibilities. Appendix 1 11. Contract Audit: The service provider shall allow the Model Terms and Conditions Templates public jurisdiction to audit conformance to the contract 15. Non-Disclosure and Separation of Duties: The service Software-as-a-Service terms. The public jurisdiction may perform this audit or provider shall enforce separation of job duties, require Platform-as-a-Service contract with a third party at its discretion and at the public commercially reasonable non-disclosure agreements and Infrastructure-as-a-Service jurisdiction’s expense. limit staff knowledge of customer data to that which is absolutely necessary to perform job duties. Appendix 2 12. Data Center Audit: The service provider shall perform SLA Metrics an independent audit of its data centers at least annually and 16. Import and Export of Data: The public jurisdiction shall at its own expense, and provide a redacted version of the have the ability to import or export data in piecemeal or in Appendix 3 audit report upon request. The service provider may remove entirety at its discretion without interference from the service Key Contact Information its proprietary information from the redacted version. For provider. This includes the ability for the public jurisdiction to example, a Service Organization Control (SOC) 2 audit report import or export data to/from other service providers. Appendix 4 would be sufficient. Guiding Principles 17. Responsibilities and Uptime Guarantee: The service 13. Change Control and Advance Notice: The service provider shall be responsible for the acquisition and operation Appendix 5 provider shall give advance notice (to be determined of all hardware, software and network support related to Procurement Approaches at contract time and included in the SLA) to the public the services being provided. The technical and professional jurisdiction of any upgrades (e.g., major upgrades, minor activities required for establishing, managing and maintaining Appendix 6 upgrades, system changes) that may impact service availability the environment is the responsibility of the service provider. Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 48 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security The system shall be available 24/7/365 (with agreed-upon 21. Compliance with Accessibility Standards: The service Encryption provider shall comply with and adhere to Accessibility Audits maintenance downtime), and provide service to customers Operations as defined in the SLA. Standards of Section 508 Amendment to the Rehabilitation Hybrid Cloud Environments Act of 1973. Preparation for Migrating 18. Sub-Contractor Disclosure: The service provider shall Workloads to the Cloud identify all strategic business partners related to services 22. Web Services: The service provider shall use Web provided under this contract, including but not limited to services exclusively to interface with the public jurisdiction’s Conclusion all subcontractors or other entities or individuals who may data in near real time when possible. be a party to a joint venture or similar agreement with the Workgroup Members service provider, and who will be involved in any application 23. Encryption of Data at Rest: The service provider shall and Contributors development and/or operations. ensure hard drive encryption consistent with validated cryptography standards as referenced in FIPS 140-2, Security Appendix 1 19. Right to Remove Individuals: The public jurisdiction Requirements for Cryptographic Modules for all Sensitive Model Terms and Conditions Templates shall have the right at any time to require the service provider personal data, unless the service provider presents a Software-as-a-Service remove from interaction with public jurisdiction any service justifiable position approved by the public jurisdiction that Platform-as-a-Service provider representative who the public jurisdiction believes sensitive personal data must be stored on a service provider Infrastructure-as-a-Service is detrimental to its working relationship with the service portable device in order to accomplish work as defined in the provider. The public jurisdiction shall provide the service scope of work. Appendix 2 provider with notice of its determination and the reasons SLA Metrics it requests the removal. If the public jurisdiction signifies 24. Subscription Terms: Contractor grants to a Purchasing that a potential security violation exists with respect to the Entity a license to: (i) access and use the Service for its Appendix 3 request, the service provider shall immediately remove such business purposes; (ii) for PaaS, use underlying software as Key Contact Information individual. The service provider shall not assign the person to embodied or used in the Service; and (iii) view, copy, upload any aspect of the contract or future work orders without the and download (where applicable), and use Contractor’s Appendix 4 public jurisdiction’s consent. documentation. Guiding Principles 20. Business Continuity and Disaster Recovery: The Appendix 5 service provider shall provide a business continuity and Procurement Approaches disaster recovery plan upon request and ensure the public jurisdiction’s recovery time objective (RTO) of XXX hours/ Appendix 6 days is met. (XXX shall be negotiated by both parties.) Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 49 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security computing resources where the consumer is able to Encryption Infrastructure-as-a-Service deploy and run arbitrary software, which can include Audits Operations 1. Definitions: operating systems and applications. The consumer does Hybrid Cloud Environments a. “Authorized Persons” means the service provider’s not manage or control the underlying cloud infrastructure Preparation for Migrating employees, contractors, subcontractors or other agents but has control over operating systems, storage, Workloads to the Cloud who need to access the public jurisdiction’s personal deployed application; and possibly limited control of data to enable the service provider to perform the select networking components (e.g., host firewalls). Conclusion services required. e. “Non-Public Data” means data, other than personal Workgroup Members b. “Data Breach” means the unauthorized access by data, that is not subject to distribution to the public and Contributors a non-authorized person/s that results in the use, as public information. It is deemed to be sensitive disclosure or theft of a public jurisdiction’s unencrypted and confidential by the public jurisdiction because Appendix 1 personal data. it contains information that is exempt by statute, Model Terms and Conditions Templates ordinance or administrative rule from access by the Software-as-a-Service c. “Individually Identifiable Health Information” means general public as public information. Platform-as-a-Service Information that is a subset of health information, Infrastructure-as-a-Service including demographic information collected from an f. “Personal Data” means data that includes information individual, and (1) is created or received by a health relating to a person that identifies the person by name Appendix 2 care provider, health plan, employer or health care and has any of the following personally identifiable SLA Metrics clearinghouse; and (2) relates to the past, present or information (PII): government-issued identification future physical or mental health or condition of an numbers (e.g., Social Security, driver’s license, Appendix 3 individual; the provision of health care to an individual; passport); financial account information, including Key Contact Information or the past, present or future payment for the provision account number, credit or debit card numbers; or of health care to an individual; and (a) that identifies protected health information (PHI) relating to a person. Appendix 4 the individual; or (b) with respect to which there is a Guiding Principles reasonable basis to believe the information can be used g. “Protected Health Information” (PHI) means to identify the individual.20 individually identifiable health information transmitted Appendix 5 by electronic media, maintained in electronic media, Procurement Approaches d. “Infrastructure-as-a-Service” (IaaS) means the or transmitted or maintained in any other form or capability provided to the consumer is to provision medium. PHI excludes education records covered by Appendix 6 processing, storage, networks and other fundamental the Family Educational Rights and Privacy Act (FERPA), Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 50 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security as amended, 20 U.S.C. 1232g, records described at 20 l. “Service Level Agreement” (SLA) means that part Encryption of the written agreement between both the public Audits U.S.C. 1232g(a)(4)(B)(iv) and employment records held 21 Operations by a covered entity in its role as employer. jurisdiction and the service provider that is subject to Hybrid Cloud Environments the terms and conditions in this document and that Preparation for Migrating h. “Public Jurisdiction” means any government or unless otherwise agreed to includes (1) the technical Workloads to the Cloud government agency that uses these terms and service level performance promises, (i.e. metrics for conditions. The term is a placeholder for the performance and intervals for measure), (2) the amount Conclusion government or government agency. of time required for notice by the provider to the public jurisdiction for notification of upcoming changes, Workgroup Members i. “Public Jurisdiction Data” means all data created or in (3) identification of contact persons, (4) security and Contributors any way originating with the public jurisdiction, and all notice requirements, (5) timeframes for response to data that is the output of computer processing of or other operational problems and failures, and (6) any remedies Appendix 1 electronic manipulation of any data that was created by or for performance failures. Model Terms and Conditions Templates in any way originated with the public jurisdiction, whether Software-as-a-Service such data or output is stored on the public jurisdiction’s m. “Service Provider” means the contractor and its Platform-as-a-Service hardware, the service provider’s hardware or exists in any employees, subcontractors, agents and affiliates who Infrastructure-as-a-Service system owned, maintained or otherwise controlled by the are providing the services agreed to under the contract. public jurisdiction or by the service provider. Appendix 2 n. “Statement of Work” means a written statement in a SLA Metrics j. “Public Jurisdiction Identified Contact” means the person solicitation document or contract that describes the or persons designated in writing by the public jurisdiction public jurisdiction’s service needs and expectations. Appendix 3 to receive security incident or breach notification. Key Contact Information 2. Data Ownership: The public jurisdiction will own all right, k. “Security Incident” means the potentially unauthorized title and interest in its public jurisdiction data that is related Appendix 4 access by non-authorized persons to personal data to the services provided by this contract. The service provider Guiding Principles or non-public data the service provider believes could shall not access public jurisdiction user accounts or public reasonably result in the use, disclosure or theft of a jurisdiction data, except (1) in the course of data center Appendix 5 public jurisdiction’s unencrypted personal data or operations, (2) in response to service or technical issues, (3) Procurement Approaches non-public data within the possession or control of the as required by the express terms of this contract or (4) at the service provider. A security incident may or may not public jurisdiction’s written request. Appendix 6 turn into a data breach. Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 51 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security 3. Data Protection: Protection of personal privacy and data e. At no time shall any data or processes — which either Encryption shall be an integral part of the business activities of the service belong to or are intended for the use of public jurisdiction Audits Operations provider to ensure there is no inappropriate or unauthorized or its officers, agents or employees — be copied, Hybrid Cloud Environments use of public jurisdiction information at any time. To this disclosed or retained by the service provider or any party Preparation for Migrating end, the service provider shall safeguard the confidentiality, related to the service provider for subsequent use in any Workloads to the Cloud integrity and availability of public jurisdiction information transaction that does not include the public jurisdiction. within its control and comply with the following conditions: Conclusion a. The service provider shall implement and maintain 4. Data Location: The service provider shall provide its appropriate administrative, technical and organizational services to the public jurisdiction and its end users solely Workgroup Members security measures to safeguard against unauthorized from data centers in the U.S. Storage of public jurisdiction and Contributors access, disclosure or theft of personal data and non-public data at rest shall be located solely in data centers in the data within its control. Such security measures shall be in U.S. The service provider shall not allow its personnel or Appendix 1 accordance with recognized industry practice and not less contractors to store public jurisdiction data on portable Model Terms and Conditions Templates stringent than the measures the service provider applies to devices, including personal computers, except for devices Software-as-a-Service its own personal data and non-public data of similar kind. that are used and kept only at its U.S. data centers. The Platform-as-a-Service b. All data obtained by the service provider within its service provider shall permit its personnel and contractors to Infrastructure-as-a-Service control in the performance of this contract shall become access public jurisdiction data remotely only as required to and remain the property of the public jurisdiction. provide technical support. The service provider may provide Appendix 2 c. Unless otherwise stipulated, personal data and non technical user support on a 24/7 basis using a Follow the Sun SLA Metrics public data shall be encrypted at rest and in transit with model, unless otherwise prohibited in this contract. controlled access. The statement of work (SOW) will Appendix 3 specify which party is responsible for encryption and 5. Security Incident or Data Breach Notification: The Key Contact Information access control of the public jurisdiction data for the service provider shall inform the public jurisdiction of any service model under contract. If the statement of work security incident or data breach related to public jurisdiction Appendix 4 and the contract are silent, then the public jurisdiction data within the possession or control of the service provider Guiding Principles is responsible for encryption and access control. and related to the service provided under this contract. d. Unless otherwise stipulated, it is the public a. Security Incident Reporting Requirements: Unless Appendix 5 jurisdiction’s responsibility to identify data it deems otherwise stipulated, the service provider shall report, Procurement Approaches as non-public data to the service provider. The level of as soon as it is discovered, a security incident related to protection and encryption for all non-public data shall its service under the contract to the appropriate public Appendix 6 be identified and made a part of this contract. jurisdiction identified contact as defined in the SLA. Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 52 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security b. Breach Reporting Requirements: If the service provider events and actions taken to make changes in business Encryption practices in providing the services, if necessary. Audits has actual knowledge of a confirmed data breach that Operations affects the security of any public jurisdiction content that e. Unless otherwise stipulated, if a data breach is a direct Hybrid Cloud Environments is subject to applicable data breach notification law, the result of the service provider’s breach of its contract Preparation for Migrating service provider shall (1) promptly notify the appropriate obligation to encrypt personal data or otherwise prevent Workloads to the Cloud public jurisdiction identified contact within 24 hours its release, the service provider shall bear the costs or sooner, unless shorter time is required by applicable associated with (1) the investigation and resolution of the Conclusion law, and (2) take commercially reasonable measures to data breach; (2) notifications to individuals, regulators address the data breach in a timely manner. or others required by state law; (3) a credit monitoring Workgroup Members service required by state (or federal) law; (4) a website and Contributors 6. Breach Responsibilities: This section only applies when or a toll-free number and call center for affected a data breach occurs with respect to personal data within individuals required by state law; all not to exceed the Appendix 1 the possession or control of a service provider and related to average per record per person cost calculated for data Model Terms and Conditions Templates service provided under this contract. breaches in the United States (currently $201 per record/ Software-as-a-Service c. The service provider, unless stipulated otherwise, shall person) in the most recent Cost of Data Breach Study: Platform-as-a-Service immediately notify the appropriate public jurisdiction Global Analysis published by the Ponemon Institute22 Infrastructure-as-a-Service identified contact by telephone in accordance with the at the time of the data breach; and (5) complete all agreed upon security plan or security procedures if it corrective actions as reasonably determined by the Appendix 2 reasonably believes there has been a security incident. service provider based on root cause; all [(1) through SLA Metrics d. The service provider, unless stipulated otherwise, shall (5)] subject to this contract’s limitation of liability. promptly notify the appropriate public jurisdiction Appendix 3 identified contact within 24 hours or sooner by 7. Notification of Legal Requests: The service provider Key Contact Information telephone, unless shorter time is required by applicable shall contact the public jurisdiction upon receipt of any law, if it confirms that there is or reasonably believes electronic discovery, litigation holds, discovery searches and Appendix 4 that there has been a data breach. The service provider expert testimonies related to the public jurisdiction’s data Guiding Principles shall (1) cooperate with the public jurisdiction as under this contract, or which in any way might reasonably reasonably requested by the public jurisdiction to require access to the data of the public jurisdiction. The Appendix 5 investigate and resolve the data breach; (2) promptly service provider shall not respond to subpoenas, service Procurement Approaches implement necessary remedial measures, if necessary; of process and other legal requests related to the public and (3) document responsive actions taken related to jurisdiction without first notifying the public jurisdiction, Appendix 6 the data breach, including any post-incident review of unless prohibited by law from providing such notice. Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 53 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security 8. Termination and Suspension of Service: 9. Background Checks: The service provider shall conduct Encryption a. In the event of an early termination of the contract, criminal background checks and not utilize any staff, including Audits Operations the service provider shall allow for the public subcontractors, to fulfill the obligations of the contract who have Hybrid Cloud Environments jurisdiction to retrieve its digital content and provide been convicted of any crime of dishonesty, including but not Preparation for Migrating for the subsequent secure disposal of public jurisdiction limited to criminal fraud, or otherwise convicted of any felony Workloads to the Cloud digital content. or any misdemeanor offense for which incarceration for up to 1 b. During any period of suspension, the service provider year is an authorized penalty. The service provider shall promote Conclusion shall not take any action to intentionally erase any and maintain an awareness of the importance of securing the public jurisdiction digital content. public jurisdiction’s information among the service provider’s Workgroup Members c. In the event of early termination of any services or employees and agents. and Contributors agreement in entirety, the service provider shall not take any action to intentionally erase any public jurisdiction 10. Access to Security Logs and Reports: Appendix 1 data for a period of 1) 45 days after the effective date a. The service provider shall provide reports to the public Model Terms and Conditions Templates of termination, if the termination is for convenience; jurisdiction directly related to the infrastructure the service Software-as-a-Service or 2) 60 days after the effective date of termination, if provider controls upon which the public jurisdiction account Platform-as-a-Service the termination is for cause. After such day period, the resides. Unless otherwise agreed to in the SLA, the service Infrastructure-as-a-Service service provider shall have no obligation to maintain or provider shall provide the public jurisdiction a history or all provide any public jurisdiction data and shall thereafter, API calls for the public jurisdiction account that includes Appendix 2 unless legally prohibited, delete all public jurisdiction the identity of the API caller, the time of the API call, the SLA Metrics data in its systems or otherwise in its possession or source IP address of the API caller, the request parameters under its control. In the event of either termination and the response elements returned by the service provider. Appendix 3 for cause, the service provider will impose no fees for The report will be sufficient to enable the public jurisdiction Key Contact Information access and retrieval of digital content to the customer. to perform security analysis, resource change tracking and d. After termination of the contract and the prescribed compliance auditing. Appendix 4 retention period, the provider shall securely dispose of b. The service provider and the public jurisdiction Guiding Principles all digital content in all of its forms, such as disk, CD/ recognize that security responsibilities are shared. The DVD, backup tape and paper. The public jurisdiction’s service provider is responsible for providing a secure Appendix 5 digital content shall be permanently deleted and infrastructure. The public jurisdiction is responsible for Procurement Approaches shall not be recoverable, according to NIST-approved its secure guest operating system, firewalls and other methods. Certificates of destruction shall be provided logs captured within the guest operating system. Specific Appendix 6 to the public jurisdiction. shared responsibilities are identified within the SLA. Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 54 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security 11. Contract Audit: The service provider shall allow the 15. Non-Disclosure and Separation of Duties: The service Encryption public jurisdiction to audit conformance to the contract provider shall enforce separation of job duties, require Audits Operations terms. The public jurisdiction may perform this audit or commercially reasonable non-disclosure agreements and Hybrid Cloud Environments contract with a third party at its discretion and at the public limit staff knowledge of customer data to that which is Preparation for Migrating jurisdiction’s expense. absolutely necessary to perform job duties. Workloads to the Cloud 12: Data Center Audit: The service provider shall perform 16. Import and Export of Data: The public jurisdiction shall Conclusion an independent audit of its data centers at least annually and have the ability to import or export data in piecemeal or in at its own expense, and provide a redacted version of the entirety at its discretion without interference from the service Workgroup Members audit report upon request. The service provider may remove provider. This includes the ability for the public jurisdiction to and Contributors its proprietary information from the redacted version. For import or export data to/from other service providers. example, a Service Organization Control (SOC) 2 audit report Appendix 1 would be sufficient. 17. Responsibilities and Uptime Guarantee: The service Model Terms and Conditions Templates provider shall be responsible for the acquisition and operation of Software-as-a-Service 13. Change Control and Advance Notice: The service all hardware, software and network support related to the services Platform-as-a-Service provider shall give advance written notice (to be determined being provided. The technical and professional activities required Infrastructure-as-a-Service at contract time and included in the SLA) to the public for establishing, managing and maintaining the environment is the jurisdiction of any upgrades (e.g., major upgrades, minor responsibility of the service provider. The system shall be available Appendix 2 upgrades, system changes) that may impact service availability 24/7/365 (with agreed-upon maintenance downtime), and SLA Metrics and performance. A major upgrade is a replacement of provide service to customers as defined in the SLA. hardware, software or firmware with a newer or better version Appendix 3 in order to bring the system up to date or to improve its 18. Sub-Contractor Disclosure: The service provider Key Contact Information characteristics. It usually includes a new version number. shall identify all of its strategic business partners related to services provided under this contract, including but not Appendix 4 14. Security: The service provider shall disclose its non- limited to all subcontractors or other entities or individuals Guiding Principles proprietary security processes and technical limitations to who may be a party to a joint venture or similar agreement the public jurisdiction such that adequate protection and with the service provider, and who shall be involved in any Appendix 5 flexibility can be attained between the public jurisdiction and application development and/or operations. Procurement Approaches the service provider. For example: virus checking and port sniffing — the public jurisdiction and the service provider 19. Right to Remove Individuals: The public jurisdiction Appendix 6 shall understand each other’s roles and responsibilities. shall have the right at any time to require the service provider Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 55 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security remove from interaction with public jurisdiction any service Encryption provider representative who the public jurisdiction believes Audits Operations is detrimental to its working relationship with the service Hybrid Cloud Environments provider. The public jurisdiction shall provide the service Preparation for Migrating provider with notice of its determination, and the reasons Workloads to the Cloud it requests the removal. If the public jurisdiction signifies that a potential security violation exists with respect to the Conclusion request, the service provider shall immediately remove such individual. The service provider shall not assign the person to Workgroup Members any aspect of the contract or future work orders without the and Contributors public jurisdiction’s consent.
Appendix 1 20. Business Continuity and Disaster Recovery: The Model Terms and Conditions Templates service provider shall provide a business continuity and Software-as-a-Service disaster recovery plan upon request and ensure the public Platform-as-a-Service jurisdiction’s recovery time objective (RTO) of XXX hours/ Infrastructure-as-a-Service days is met. (XXX shall be negotiated by both parties.)
Appendix 2 21. Subscription Terms: Contractor grants to a Purchasing SLA Metrics Entity a license to: (i) access and use the Service for its business purposes; (ii) for IaaS, use underlying software Appendix 3 as embodied or used in the Service; and (iii) view, copy, Key Contact Information upload and download (where applicable), and use Contractor’s documentation. Appendix 4 Guiding Principles
Appendix 5 Procurement Approaches
Appendix 6 Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 56 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data APPENDIX 2 Breach Notification Personnel Security handles. While most parts of the terms and conditions should Encryption Service Level Agreement (SLA) be highly standardized, this short document is the place where Audits Operations This is a subsection of the terms and conditions; it is contract-specific service level agreement content is addressed. Hybrid Cloud Environments separated out as a subsection so that its content is treated more It is recommended that it occupy a section or page separate Preparation for Migrating specifically to the particular business issues that the service from the other sections. Workloads to the Cloud Model SLA Conclusion
1. Percentage uptime guarantee . 99.90% Workgroup Members and Contributors 2. Intervals measured Every 15 minutes during guaranteed periods.
Appendix 1 3. Time periods used for measuring uptime Monthly, starting each first of month at 12:01am Central Time Model Terms and Conditions Templates Software-as-a-Service 4. Committed periods during which uptime is guaranteed Seven days/week, 2:00am-12:00 midnight; Saturday Platform-as-a-Service 5. Exception periods, during which uptime is not Examples include: Infrastructure-as-a-Service guaranteed, in addition to agreed maintenance window. 1. Planned Maintenance 2. *Acts of God Appendix 2 3. Suspension of Service due to legal reasons SLA Metrics 4. Internet access outside control of provider
Appendix 3 6. Maximun response time (for query & update 98 percent within 4 seconds Key Contact Information functions), goal percentage
7. Maximum support response time *Tier 1 Support issues: 2 hours Appendix 4 *Tier 2 issues: 4-6 hours Guiding Principles *Tier 3 issues: 12+ hours
*Tiers should be defined in SLA and may reflect a scale of
Appendix 5 standard issues to ‘Code Red’ service failures Procurement Approaches 8. Penalty or service credit calculation for recovery point 5% off a future month service for each consecutive block of Appendix 6 objective failure interruption 12 hours of failure to meet recovery point objective Glossary 9. **Penalty or service credit calculation for service 5% off a future month service for each block of 3 consecutive Appendix 7 interruption (at 15-minute intervals) failures to respond within 10 seconds Clause Comparison Matrix
Endnotes • Executive Summary 57 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data APPENDIX 3 Breach Notification Personnel Security Encryption Key Contact Information Audits Operations This is a recommended document to include as a subsection Hybrid Cloud Environments to the terms and conditions. This document should be Preparation for Migrating updateable and parties should make a point of reviewing active Workloads to the Cloud points of contact on an annual basis.
Conclusion Model Key Contact Information 1. Customer contacts (primary & secondary) Workgroup Members for operational and security emergencies and Contributors 2. Customer contacts (primary & secondary) for contractual matters Appendix 1 3. Service provider contacts (primary & secondary) Model Terms and Conditions Templates for operational and security emergencies Software-as-a-Service 4. Service provider contacts (primary & secondary) Platform-as-a-Service for contractual matters Infrastructure-as-a-Service
Appendix 2 SLA Metrics
Appendix 3 Key Contact Information
Appendix 4 Guiding Principles
Appendix 5 Procurement Approaches
Appendix 6 Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 58 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data APPENDIX 4 Breach Notification Personnel Security 4. Not all service providers are created equal. The Encryption Guiding Principles type of service to be acquired will determine which Audits Operations Contracting for XaaS can be confusing. There are business model will be most advantageous. Public Hybrid Cloud Environments different service models using different provider models entities and service providers must work together to Preparation for Migrating that create a variety of options to consider. It can be ensure they both clearly understand the requirements Workloads to the Cloud difficult to determine the most appropriate service and share a common understanding of the service model model. Whether it’s a public cloud XaaS solution or in order to create appropriate contractual terms. Conclusion private cloud model, a public jurisdiction must also consider a number of internal factors in order to make 5. Data, data, understand the data. Public jurisdictions Workgroup Members the best choice. These guiding principles can help as must understand and apply an appropriate security and Contributors you consider procurement and contracts for XaaS. classification to their data. Consider the service provider’s commitment to secure and protect the data based on the Appendix 1 1. We can have our cake and eat it too … if we can live service model. If the service model is not right, don’t use it. Model Terms and Conditions Templates with one flavor. XaaS providers offer value and benefits Software-as-a-Service to the public due to scale and a standard business model. 6. It takes a partnership. Successful results between Platform-as-a-Service Consequently, unique requirements are counter to the government and XaaS providers depend on a clear Infrastructure-as-a-Service model and should be discouraged where possible. understanding of the roles and responsibilities of each based on the nature of the service model. Appendix 2 2. The law is the law. Public jurisdictions cannot enter SLA Metrics into agreements that violate their laws. Providers and 7. All good things must come to an end. Disengagement public jurisdictions must understand and respect statutory from the service relationship must be considered prior to the Appendix 3 constraints. If the law truly prohibits a jurisdiction from execution of the contract based on the specific service offering. Key Contact Information accepting a particular service provider term or condition, then that term for condition must change or the parties 8. Pick the right dance partner. How well you dance depends Appendix 4 should not engage in a contractual relationship. on your partner. Picking a partner that is appropriate to your Guiding Principles business needs is critical to successful results. Financial viability, 3. Want the business? Do what it takes. Public maturity, agility, innovation, dependability and proven track Appendix 5 jurisdictions have unique requirements. If a service record for similar clients are all factors to consider. Procurement Approaches provider wants this business, it should understand the public environment and offer standard terms and 9. It’s risky business. T&Cs are really about understanding Appendix 6 conditions to which public jurisdictions can agree. how the public entity and the service provider share and Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 59 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security manage risk in their relationship. Success requires a realistic Encryption assessment of the risks, a common understanding and a Audits Operations willingness to consider a variety of alternatives to effectively Hybrid Cloud Environments manage those risks. Preparation for Migrating Workloads to the Cloud 10. Get by with a little help from your friends. Educate and engage other government policy makers to understand Conclusion the benefits XaaS providers bring to government and include them early in the process when assessing if Workgroup Members traditional contracting, control or auditing practices are and Contributors the most effective way to protect the public’s interest.
Appendix 1 11. Trust, but verify. Controls should be commensurate Model Terms and Conditions Templates with service provider model, type of data and risk. Software-as-a-Service Platform-as-a-Service Infrastructure-as-a-Service
Appendix 2 SLA Metrics
Appendix 3 Key Contact Information
Appendix 4 Guiding Principles
Appendix 5 Procurement Approaches
Appendix 6 Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 60 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data APPENDIX 5 Breach Notification Personnel Security Encryption Procurement Approaches Procurement methods are at their core a decision process Audits Operations Like IT service terms and conditions, sourcing methods with objective analytics upon which to base the decision. Hybrid Cloud Environments have struggled to keep pace with rapidly evolving business Decisions should be transparent and competitive, and meet Preparation for Migrating technology alternatives driven by cloud service models. the public jurisdiction’s business needs. If procurement Workloads to the Cloud Traditional public procurement processes, designed to protect processes do not support the acquisition of today’s modern the public’s interest, are challenged to find the proper balance services, changes are needed in the practice, rules or statutes. Conclusion between certainty and the flexibility necessary in today’s market. Here are some approaches or best practices that have Workgroup Members Traditional procurement methods with strict invitation to improved public procurement results while protecting the and Contributors bid response rules require the proposer to comply with all the public’s interest. For some jurisdictions, specific statutes or requirements of the solicitation or be rejected. These become ordinances may prevent adoption, but there are still useful Appendix 1 a “take it or leave it” proposition for service providers. When takeaways from the examples that can help any jurisdiction Model Terms and Conditions Templates this kind of sourcing method is used with subscription-based improve their outcomes for XaaS procurements. Software-as-a-Service XaaS offerings, which by definition cannot be customized, Platform-as-a-Service procurements fail. Take Advantage of Negotiations Infrastructure-as-a-Service Evolving business models require the RFP process to be Often, traditional models attempt to prescribe solutions. flexible to allow for negotiations or discussions to receive Appendix 2 It is important for a state or local government to understand clarification. Some state laws support the process of negotiating SLA Metrics business needs, but XaaS providers frequently limit terms and conditions in this fashion. California’s PCC6611 and customization. Prescriptive solutions might be right for some Oregon’s ORS 279B.060 are good examples of laws that enable Appendix 3 purchases, but not for XaaS. These new service models — a variety of discussion methods. By including the ability to clarify Key Contact Information driven by ever-changing technology innovation — do not terms and conditions throughout discussions or negotiations, include the purchase of either technology or software. XaaS the jurisdiction avoids the problem of rejecting providers that Appendix 4 models include the purchase of services that can be configured actually might be able to meet the jurisdiction’s needs. One Guiding Principles to meet the customer’s needs, but not customized. typical process is for the jurisdiction to identify certain terms in advance that it is willing to discuss and negotiate before award. Appendix 5 Traditional procurement practices that prevent these new By negotiating acceptable terms with the proposer in advance, Procurement Approaches service models from fairly competing deprive governments and the jurisdiction ensures it is getting the best fit for the award and their taxpayers of modern, effective tools for managing their resolves differences that otherwise might result in the rejection Appendix 6 increasing digital demands. of an effective proposal. Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 61 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security There are several ways discussions or negotiations Move Away from Requirements-Based Procurement Encryption may occur. In some cases, the jurisdiction — through the Traditional IT system solicitations often rely upon business Audits Operations development of its business case and market research — requirements developed through a series of work sessions that Hybrid Cloud Environments has a good idea of the terms and conditions likely to require document how the agency currently conducts its business. Preparation for Migrating negotiation. The jurisdiction can identify those in its RFPs. The Getting these requirements perfectly right is a difficult Workloads to the Cloud jurisdiction can then avoid being forced to reject proposals as process in the best of circumstances. If successful, these nonresponsive that it may otherwise find attractive. business requirement sessions document the historic business Conclusion process that may, in itself, be antiquated and inefficient. If Another way some jurisdictions determine when those requirements are then made a part of the RFP to be Workgroup Members negotiations may be required is through the issuance of a draft replicated by the service provider, the only solution may be and Contributors RFP. Feedback from potential proposers can help identify terms a custom-made solution. This model does not work well for that will not work within the market. This gives the jurisdiction XaaS procurements. Public agencies must understand their Appendix 1 the ability to see which terms are problematic and provides business objectives and performance needs, but should not be Model Terms and Conditions Templates the jurisdiction with the option to negotiate. Some RFPs so prescriptive in their solicitation that they dictate the system Software-as-a-Service require potential proposers to officially protest specifications design and functionality. Instead, the jurisdiction should Platform-as-a-Service they believe are unduly restrictive. This method, while be shopping for the best business fit. Rather than evaluate Infrastructure-as-a-Service appearing somewhat contentious, can allow the jurisdiction proposals on hundreds or even thousands of prescriptive to identify terms and conditions that will be a problem for requirements that may not lead to successful service, public Appendix 2 suppliers and amend the RFP before proposals are submitted. jurisdictions should include evaluation criteria based on how SLA Metrics If the jurisdiction does not have the authority to negotiate well the service meets or enhances their business objectives, specific items, that can be plainly made known and help the whether it achieves their performance needs and its ability Appendix 3 jurisdiction avoid rejecting otherwise attractive offers. to fine-tune business rules through configuration. Public Key Contact Information jurisdictions can make big gains in quality and effectiveness While Oregon and California may choose to reject a of service in this way through XaaS applications. Appendix 4 proposal, their laws do not mandate the rejection of a proposal Guiding Principles because the proposer takes exception to terms and conditions. Keep Negotiations Moving Forward It is possible to negotiate terms before final contract award A great concern for the parties in any negotiation is how Appendix 5 with providers when the law does not require a specific term or long it will take to reach final agreement. Delays are the Procurement Approaches condition. Jurisdictions should change their policies, standards enemy of everyone who has a stake in the award of an XaaS and rules to allow for greater use of negotiations in the contract. Stalled procurements are often caused by long Appendix 6 competitive selection process. and drawn-out negotiations. Identifying and using generally Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 62 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security agreeable standard terms and conditions at the beginning of needed to solve, it allowed them to focus on the things the Encryption the procurement helps limit negotiations to just those terms commonwealth was best at and left the range of potential Audits Operations that are unique and must be tailored to the specific service. It solutions up to the service provider. This approach helps avoid Hybrid Cloud Environments is helpful if all parties do their homework to understand their overly prescriptive specifications and encourages innovation Preparation for Migrating needs, as well as their partner’s needs, before negotiations and a broader range of solutions on the part of proposers. Workloads to the Cloud begin. Successful contracts depend on successful partnerships. Negotiation strategies that find workable solutions that make Minimize Mandatory Requirements Conclusion both parties successful produce the best results over the life of Delaware’s Cloud First Policy is supported by a procurement the contract. process that includes SaaS terms and conditions in the RFP Workgroup Members as a standard for acceptance. While there is no flexibility and Contributors Create a Timeline for Negotiations on mandatory terms and conditions, the state’s preferred Setting a realistic timeline for completion of negotiations can terms and conditions are made a part of the RFP. Proposers Appendix 1 help keep negotiations on track and the procurement moving offering other terms and conditions in lieu of the preferred Model Terms and Conditions Templates forward. Recently, the Commonwealth of Massachusetts used are reviewed for acceptance by both Delaware Information Software-as-a-Service a tightly defined timeline as an effective tool to keep its award Technology (DIT) and the agency contracting for the service. Platform-as-a-Service process moving forward. If negotiations were not completed The State Procurement Office will only make an award after Infrastructure-as-a-Service on time, they reserved the right to move to the next proposer. authorization by DIT. The contractor certifies compliance with In a recent SaaS procurement, that is exactly what happened. the Delaware terms or with approved changes or substitutions Appendix 2 This requires both sides to act responsibly by fulfilling their and is expected to maintain that compliance through the life of SLA Metrics obligations in a negotiation. It also requires tracking and the contract. documenting progress, and the assignment of responsibilities Appendix 3 for task completions during negotiations. RFPs that include mandatory terms that are not negotiable Key Contact Information are essentially a “take it or leave it” proposition for providers. Start with a Business Problem-Based Solicitation If these terms are not acceptable, they can cause an otherwise Appendix 4 The requirements section of a procurement document acceptable proposal to be rejected. Jurisdictions should Guiding Principles should always include a background statement that, among carefully consider the consequences of using mandatory terms other things, defines the business problem to be solved. unless it is a requirement of law. Jurisdictions should be certain Appendix 5 When the Commonwealth of Massachusetts procured its about the need for a mandatory requirement or term because Procurement Approaches SaaS procurement system, it started with a business problem- future negotiations are preempted by their classification as based solicitation. By spending time clearly understanding mandatory. The use of mandatory requirements or terms Appendix 6 and articulating the business problem the commonwealth should be kept to an absolute minimum. Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 63 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security Establish Model Terms as Standards Several recent reports and publications underscore Encryption The model terms and conditions could be used as a standard the importance of open and effective communication Audits Operations with which service providers certify compliance as a part of between service providers and the jurisdiction. The need Hybrid Cloud Environments the RFP process. If there is agreement on standards, then a for increased quality and quantity of communication Preparation for Migrating selection process can evaluate all potential providers based on has been called for at all levels of government. The Workloads to the Cloud reasonable criteria calculated to acceptably manage identified Federal Government’s Office of Management and Budget risks and achieve the business needs of client agencies. (OMB) issued two memos on this topic headed as “Myth Conclusion Busting.”23 The IJIS institute called out the importance Develop National Minimum Standards of communication in improving innovation in public Workgroup Members The creation of a nationally recognized standard, derived contracting in its December 2013 report.24 The California and Contributors from best practices in XaaS operations — including data Technology Authority is changing procurement practices handling, data security, confidentiality, availability, etc. — to remove communication barriers as it implements Appendix 1 could streamline the procurement of XaaS in state and local recommendations of a taskforce formed by the governor Model Terms and Conditions Templates governments that use a stricter and customized assessment and controller to improve technology procurement.25 Software-as-a-Service of responsiveness. It would allow public jurisdictions to Jurisdictions should examine and revise procurement Platform-as-a-Service evaluate unique proposal offerings against the adopted processes, policies and rules wherever possible to eliminate Infrastructure-as-a-Service national standard. By relying on the proposal’s certification of barriers to effective communication. compliance against the standard, the procuring organization Appendix 2 could use minimum compliance against the standard as the Conduct Market Research SLA Metrics baseline for evaluation of the proposal. Additional functionality Jurisdictions that conduct effective market research and beyond the standard could also be used for a more meaningful share their background information and business needs in Appendix 3 analysis of “value-added options” or “best value” in an RFP. open forums with providers before issuing a solution increase Key Contact Information Requiring the service provider to continue compliance with the their chance for a successful procurement. Dialogue with standard over the life of the contract also has the benefit of service providers can help the jurisdiction understand various Appendix 4 keeping the service current. approaches in the market and how service models work. It Guiding Principles can also help test assumptions. Other effective methods of Improve Communication market exploration before issuing a formal solicitation may Appendix 5 Any effective procurement process for new and evolving include issuing a draft RFP to encourage provider comments Procurement Approaches business models such as XaaS require a good deal of and responses and holding one–on-one meetings with communication before the issuance of a solicitation, during interested providers. The more a jurisdiction understands what Appendix 6 the solicitation and evaluation, and in contract execution. is available in the market and how those solutions might work Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 64 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security for its business needs, the better positioned it is to develop This could be coupled with a certification process that Encryption invites service providers to pre-certify their agreement to Audits an effective business case and create an effective sourcing Operations strategy. The more service providers understand the needs abide by key standards like the model terms and conditions Hybrid Cloud Environments of the jurisdiction, the better prepared they are to offer the described in this document. Policies, rules and statutes should Preparation for Migrating optimal solutions. permit demonstration-based awards. Workloads to the Cloud This exploratory process can also help the provider and Implement a Multiple Round Selection Process Conclusion jurisdiction understand when a provider’s offering is not a The use of multi-step processes, which narrow the field of good match for the jurisdiction’s business needs. In these total responses to a “short list” of final proposals most likely Workgroup Members cases, effective communication can help both parties be smart to result in award, can help a jurisdiction be more specific and Contributors about what will and will not work in advance prior to their in the second round selection process. During a second undertaking the burden of a formal procurement process. round, the use of pilots, demonstrations or supplemental Appendix 1 Procurement policies and rules should promote the increased negotiations may result in gaining better clarity as to the fit Model Terms and Conditions Templates use of market research to include public discussion forums, of the proposed services to the jurisdiction’s business Software-as-a-Service online research, service provider meetings and the sharing needs. It also has the added benefit for the jurisdiction of Platform-as-a-Service of background information. maintaining a competitive environment. Infrastructure-as-a-Service Use Demonstrations Permit Multiple Awards Appendix 2 Often, RFPs include product demonstration scoring. RFP or other sourcing methods may be designed to award SLA Metrics This allows the jurisdiction to evaluate the fit, and to to either a single provider or multiple providers. The sourcing some degree, user acceptance of provider solutions. document must describe if a single award, multiple awards or Appendix 3 Demonstrations should be encouraged whenever possible. some combination will be made. The ability to negotiate final Key Contact Information Washington State and California26 have successfully awards with each provider is critical. The solicitation must be used request for demonstration (RFD) sourcing methods clear regarding how awards are determined. Appendix 4 to award technology contracts. The scoring of the Guiding Principles demonstration determined the award. An RFP typically Depending on the need, it may be best for the jurisdiction includes some consideration of costs. With RFD awards, to identify classes of services it needs and award indefinite Appendix 5 the jurisdiction could also consider cost as a part of the delivery/indefinite quantity (IDIQ) contracts to a pool of Procurement Approaches evaluation process. This can be an effective way for end potential suppliers. Agencies within the jurisdiction may then users to test XaaS offerings and for the award decision to select suppliers from the pool. Effective use of multiple awards Appendix 6 reflect the best fit for the jurisdiction’s business needs. for XaaS applications can be very popular with customer Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 65 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security agencies. It gives them choice and allows them to select from Public jurisdictions that support and encourage innovation Encryption service provider applications that best meet their needs. With in procurement processes can benefit from more effective Audits Operations rapidly emerging service models, it is a good idea to include procurement outcomes. Successful solutions should be Hybrid Cloud Environments the ability to reopen the award process annually to add new replicated and shared. Unsuccessful approaches should Preparation for Migrating providers. Multiple awards that result in contracts for most be evaluated from a lessons learned perspective and then Workloads to the Cloud proposers in the class, rather than just the most competitive, are discarded. By incubating and sharing successful procurement less controversial, but also may not result in the best pricing. A models, governments can improve their collective ability to Conclusion jurisdiction must consider those tradeoffs in relationship to its successfully acquire the services they need. acquisition strategy and business case. Texas’ recent award of Workgroup Members a suite of cloud contracts is an excellent example. Jurisdiction The Importance of Cooperative Contracting Opportunities and Contributors policies, rules and statutes should permit multiple awards. In the summer of 2012, formal awards were made to cloud- based XaaS providers that responded to a four-state (Colorado, Appendix 1 Create Alternative Sourcing Processes Montana, Oregon and Utah) cooperative purchase conducted Model Terms and Conditions Templates Some states have the statutory authority to create new by the Western States Contracting Alliance (WSCA) for GIS Software-as-a-Service sourcing models that do not follow statutory requirements for cloud services and public cloud services. This first-ever IT Platform-as-a-Service competitive sealed proposals or invitations to bid. Known as services procurement through the WSCA–NASPO Cooperative Infrastructure-as-a-Service “special procurement,” the American Bar Association (ABA) Purchasing Organization model proved successful with awards Model Procurement Code sets out a competitive sourcing to four providers. Appendix 2 method that in limited circumstances may be used, “… where SLA Metrics the application of all requirements of competitive bidding The U.S. Communities Purchasing Alliance jointly sponsored or competitive proposals is deemed to be contrary to the by the National Association of Counties, Association of Appendix 3 public interest.”27 Several states, including Alaska, Montana School Business Officials, National Institute of Government Key Contact Information and Oregon have passed similar laws. The flexibility afforded Purchasing, the National League of Cities and the U.S. under these statutes allows for the design of accountable and Conference of Mayors offers state and local governments the Appendix 4 innovative sourcing approaches that are not constrained by opportunity to participate and purchase from cloud service Guiding Principles traditional source methods. Public jurisdictions should have the contracts. U.S. General Services Administration Schedule ability in rule and statute to permit the development of effective 70 Technology Contracts are also available to state and local Appendix 5 sourcing methods when traditional methods will not work. governments through the cooperative purchasing program. Procurement Approaches New procurement sourcing models must be developed if One of the best opportunities for effective public acquisition Appendix 6 governments are to take advantage of new service models. of XaaS contracts is with multi-jurisdictional cooperative Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 66 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security procurement. There is no doubt that IT service contracting agreement with Texas to purchase from the contracts. This Encryption by public jurisdictions will continue to grow, but one-off gives Oklahoma agencies a significant range of choices from Audits Operations contracting processes that complicate service provider the Texas contracts and is a great example of collaboration Hybrid Cloud Environments responses can limit it. between states. Preparation for Migrating Workloads to the Cloud Smaller jurisdictions potentially stand to benefit from State laws or local ordinance may prevent a state from XaaS solutions, yet they can be challenged by lack of “piggy backing” on another jurisdiction’s contract, unless Conclusion resources to put effective sourcing solutions together and they were included in the solicitation at the beginning. Before come to agreement on terms and conditions. By leveraging buying from another jurisdiction’s contract, it’s a good idea Workgroup Members multi-jurisdiction teams in the development and award of a to check local laws to see what is permissible. and Contributors menu of XaaS contracts, smaller jurisdictions can efficiently acquire provider solutions that meet their needs and protect As a vehicle for XaaS contracts, multi-jurisdictional Appendix 1 their interests. cooperative purchasing is an efficient and effective Model Terms and Conditions Templates procurement method. It resolves a number of issues in Software-as-a-Service Cooperative purchases can provide a supplier benefit by ways that benefit both the participating jurisdiction and Platform-as-a-Service aligning disparate jurisdiction purchasers around a common providers. Multi-jurisdictional cooperative purchasing: Infrastructure-as-a-Service set of terms and conditions and a single master contract • Addresses an unmet need for a more organized and award rather than different ones in each jurisdiction. Multi- effective way to aggregate multiple states’ demands for Appendix 2 jurisdiction procurements succeed because providers have common IT services and commodities. Individual state SLA Metrics a standard acquisition process, terms and conditions, and IT service purchases do not leverage the opportunity ordering mechanism to navigate rather than different ones of volume buying or contracting efficiencies that Appendix 3 in each jurisdiction. That frees up providers to assist the come from multi-jurisdiction procurements. Key Contact Information jurisdiction in selecting the best fit. • Aligns with XaaS models. Both cooperative purchasing and XaaS models benefit from consolidated volumes Appendix 4 Another option is to participate with another jurisdiction in a and common approaches to terms and conditions. Guiding Principles joint cooperative purchase. A recent example at the state level In this way, one line of code can serve many. underscores the value and benefit. In 2014, the State of Texas • Creates a contractual mechanism for standard Appendix 5 awarded master IDIQ contracts for IaaS, PaaS, cloud broker requirements and terms and conditions that Procurement Approaches and cloud assessment. These contracts are not only available help define realistic and practical expectations for state agencies and local governments within Texas, between public entities and service providers. Appendix 6 but recently the State of Oklahoma signed a joint powers • Enables purchases from the cooperative’s contract. Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 67 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security Public jurisdictions want the ability to purchase from each Encryption other’s contracts, but few have the statutory authority Audits Operations to do so without an upfront, coordinated effort. Most Hybrid Cloud Environments states now have authority to participate in cooperative Preparation for Migrating procurements. Cooperative state procurements are typically Workloads to the Cloud made available for political subdivisions within the state. • Provides negotiation leverage for cloud-based solutions Conclusion through practical and aligned public requirements and aggregated customer volume. Workgroup Members and Contributors Cooperative purchasing avoids duplication of effort. It leads to greater volume aggregation and typically drives Appendix 1 more favorable pricing. With the continued evolution of cloud Model Terms and Conditions Templates computing, the aggregation of market demand should provide Software-as-a-Service leverage beyond what an individual jurisdiction could hope Platform-as-a-Service to achieve on its own and lead to benefits during this time of Infrastructure-as-a-Service market realignment for both state and local governments and service providers. Appendix 2 SLA Metrics
Appendix 3 Key Contact Information
Appendix 4 Guiding Principles
Appendix 5 Procurement Approaches
Appendix 6 Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 68 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data APPENDIX 6 Breach Notification Personnel Security an individual, and (1) is created or received by a health care Encryption Glossary provider, health plan, employer or health care clearinghouse; Audits Operations “Anything as a Service” (XaaS) refers to cloud-based and (2) relates to the past, present or future physical or mental Hybrid Cloud Environments services delivered to customers over the Internet. Typically, health or condition of an individual; the provision of health Preparation for Migrating the services are purchased on a subscription model. The care to an individual; or the past, present or future payment Workloads to the Cloud most common service models used in government today are for the provision of health care to an individual; and (a) that Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) identifies the individual; or (b) with respect to which there is Conclusion and Infrastructure-as-a-Service (IaaS), but others are available a reasonable basis to believe the information can be used to such as Communications-as-a-Service (CaaS). The service identify the individual.28 Workgroup Members offering will be extensive. and Contributors “Infrastructure-as-a-Service” (IaaS) as used in this “Authorized Persons” as used in this document means the document is defined as the capability provided to the Appendix 1 service provider’s employees, contractors, subcontractors or other consumer to provision processing, storage, networks and other Model Terms and Conditions Templates agents who need to access the public jurisdiction’s personal data fundamental computing resources where the consumer is Software-as-a-Service to enable the service provider to perform the services. able to deploy and run arbitrary software, which can include Platform-as-a-Service operating systems and applications. The consumer does not Infrastructure-as-a-Service “Data Breach” as used in this document means the manage or control the underlying cloud infrastructure but has unauthorized access by non-authorized person/s that result control over operating systems, storage, deployed applications Appendix 2 in the use, disclosure or theft of a public jurisdiction’s and possibly limited control of select networking components SLA Metrics unencrypted personal data. (e.g., host firewalls).
Appendix 3 “Hybrid cloud” is a cloud computing environment “Personal Data” means data that includes information Key Contact Information which uses a mixture of on-premises, private cloud and relating to a person that identifies the person by name and has third-party cloud services with orchestration between any of the following personally identifiable information (PII): Appendix 4 the two platforms. Hybrid cloud environments require government-issued identification numbers (e.g. Social Security, Guiding Principles a governance model that encompasses all of the driver’s license, passport); financial account information, environments used in any particular deployment. including account number, credit or debit card numbers; or Appendix 5 protected health information (PHI) relating to a person. Procurement Approaches “Individually Identifiable Health Information”as used in this document means information that is a subset of health “Platform-as-a-Service” (PaaS) as used in this document Appendix 6 information, including demographic information collected from is defined as the capability provided to the consumer to Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 69 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security deploy onto the cloud infrastructure consumer-created “Public Jurisdiction” as used in this document means any Encryption or acquired applications created using programming government or government agency that uses these terms Audits Operations languages and tools supported by the provider. This and conditions. Hybrid Cloud Environments capability does not necessarily preclude the use of Preparation for Migrating compatible programming languages, libraries, services “Public Jurisdiction Data” as used in this document Workloads to the Cloud and tools from other sources. The consumer does not means all data created or in any way originating manage or control the underlying cloud infrastructure, with the public jurisdiction, and all data that is the Conclusion including network, servers, operating systems or storage, output of computer processing of or other electronic but has control over the deployed applications and possibly manipulation of any data that was created by or in any Workgroup Members application hosting environment configurations.29 way originated with the public jurisdiction, whether and Contributors such data or output is stored on the public jurisdiction’s “Protected Health Information” (PHI) as used in this hardware; the service provider’s hardware or exists in Appendix 1 document is individually identifiable health information any system owned, maintained or otherwise controlled Model Terms and Conditions Templates transmitted by electronic media, maintained in electronic by the public jurisdiction or by the service provider. Software-as-a-Service media, or transmitted or maintained in any other form Platform-as-a-Service or medium. PHI excludes education records covered by “Security Incident” means the potentially unauthorized Infrastructure-as-a-Service the Family Educational Rights and Privacy Act (FERPA), access by non-authorized persons to personal data as amended, 20 U.S.C. 1232g, records described at 20 or non-public data that could reasonably result in Appendix 2 U.S.C. 1232g(a)(4)(B)(iv) and employment records the use, disclosure or theft of a public jurisdiction’s SLA Metrics held by a covered entity in its role as employer.30 unencrypted personal data or non-public data within the possession or control of a service provider. A security Appendix 3 “Personally Identifiable Information” (PII) No one incident may or may not turn into a data breach. Key Contact Information definition applies to all states. Generally, PII refers to a combination of data elements (e.g. Social Security number, “Service Level Agreement” (SLA) means that part of Appendix 4 driver’s license or other government-issued identification the written agreement between both the public jurisdiction Guiding Principles number, passport number, financial account number, or credit and the service provider that is subject to the terms and or debit card number in combination with security codes) conditions in this document that unless otherwise agreed Appendix 5 that, when linked to the individual’s first name or first initial to includes (1) the technical service level performance Procurement Approaches and their last name, and not encrypted or otherwise could promises (i.e., metrics for performance and intervals for lead to the loss, theft or unauthorized use of the individual’s measure), (2) description of service quality, (3) identification Appendix 6 personal information. of roles and responsibilities, (4) security responsibilities and Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 70 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data Breach Notification Personnel Security notice requirements, (5) how disputes are discovered and Encryption addressed and (6) any remedies for performance failures. Audits Operations Hybrid Cloud Environments “Service Provider” means the contractor, their employees, Preparation for Migrating subcontractors, agents and affiliates who are providing the Workloads to the Cloud services agreed to under the contract. “Software-as-a-Service” (SaaS) means the capability Conclusion provided to the consumer to use the provider’s applications running on a cloud infrastructure. The applications are Workgroup Members accessible from various client devices through a thin client and Contributors interface such as a Web browser (e.g., Web-based email) or a program interface. The consumer does not manage or control Appendix 1 the underlying cloud infrastructure, including network, servers, Model Terms and Conditions Templates operating systems, storage or even individual application Software-as-a-Service capabilities, with the possible exception of limited user-specific Platform-as-a-Service application configuration settings.31 Infrastructure-as-a-Service “Statement of Work” (SOW) is a written statement in a Appendix 2 solicitation document or contract that describes the public SLA Metrics jurisdiction’s service needs and expectations.
Appendix 3 Key Contact Information
Appendix 4 Guiding Principles
Appendix 5 Procurement Approaches
Appendix 6 Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 71 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data APPENDIX 7 Breach Notification Personnel Security Encryption Clause Comparison Matrix Audits Operations Plain Language SaaS PaaS IaaS Hybrid Cloud Environments Preparation for Migrating 1. Definition 1. Software-as-a-Service (SaaS) 1. Platform-as-a-Service (PaaS) 1. Infrastructure-as-a-Service (IaaS) of terms. Defines as used in this document is defined as the as used in this document is defined as the as used in this document is defined as the Workloads to the Cloud the service model capability provided to the consumer to use capability provided to the consumer to deploy capability provided to the consumer to and terms used. the provider’s applications running on a cloud onto the cloud infrastructure consumer- provision processing, storage, networks and infrastructure. The applications are accessible created or acquired applications created other fundamental computing resources Conclusion from various client devices through a thin using programming languages and tools where the consumer is able to deploy and run client interface such as a Web browser (e.g., supported by the provider. This capability arbitrary software, which can include operating Web-based email) or a program interface. does not necessarily preclude the use of systems and applications. The consumer does The consumer does not manage or control compatible programming languages, libraries, not manage or control the underlying cloud Workgroup Members the underlying cloud infrastructure, including services and tools from other sources. The infrastructure but has control over operating and Contributors network, servers, operating systems, storage consumer does not manage or control the systems, storage, deployed applications and or even individual application capabilities, underlying cloud infrastructure, including possibly limited control of select networking with the possible exception of limited user- network, servers, operating systems or components (e.g., host firewalls). specific application configuration settings. storage, but has control over the deployed Appendix 1 applications and possibly application Model Terms and Conditions Templates hosting environment configurations. Software-as-a-Service Platform-as-a-Service 2. The public 2. Data Ownership: The public jurisdiction 2. Data Ownership: The public jurisdiction 2. Data Ownership: The public jurisdiction Infrastructure-as-a-Service jurisdiction owns will own all right, title and interest in its data will own all right, title and interest in its will own all right, title and interest in its all of its data. The that is related to the services provided by this public jurisdiction data that is related to public jurisdiction data that is related to service provider will contract. The service provider shall not access the services provided by this contract. the services provided by this contract. not access the data public jurisdiction user accounts or public The service provider shall not access The service provider shall not access Appendix 2 except as needed jurisdiction data, except (1) in the course of public jurisdiction user accounts, or public public jurisdiction user accounts, or public to do the work of data center operations, (2) in response to jurisdiction data, except (1) in the course of jurisdiction data, except (1) in the course of SLA Metrics the contract. service or technical issues, (3) as required data center operations, (2) in response to data center operations, (2) in response to by the express terms of this contract, or (4) service or technical issues, (3) as required service or technical issues, (3) as required at the public jurisdiction’s written request. by the express terms of this contract, or (4) by the express terms of this contract, or (4) Appendix 3 at the public jurisdiction’s written request. at the public jurisdiction’s written request. Key Contact Information
Appendix 4 Guiding Principles
Appendix 5 Procurement Approaches
Appendix 6 Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 72 Introduction
Specific Models and Understanding Cloud Procurement Service Models Plain Language SaaS PaaS IaaS Data Breach Notification 3. The public 3. Data Protection: Protection of personal 3. Data Protection: Protection of personal 3. Data Protection: Protection of personal jurisdiction owns all privacy and data shall be an integral part privacy and data shall be an integral privacy and data shall be an integral Personnel personal information. of the business activities of the service part of the business activities of the part of the business activities of the The service provider provider to ensure there is no inappropriate service provider to ensure there is no service provider to ensure there is no Security will protect it and will or unauthorized use of public jurisdiction inappropriate or unauthorized use of inappropriate or unauthorized use of Encryption not use the data for information at any time. To this end, public jurisdiction information at any time. public jurisdiction information at any time. anything not related the service provider shall safeguard the To this end, the service provider shall To this end, the service provider shall Audits to the customer. The confidentiality, integrity and availability safeguard the confidentiality, integrity safeguard the confidentiality, integrity Operations service provider will of public jurisdiction information and and availability of public jurisdiction and availability of public jurisdiction encrypt personal comply with the following conditions: information within its control and information within its control and Hybrid Cloud Environments data and non-public a. The service provider shall implement comply with the following conditions: comply with the following conditions: Preparation for Migrating data both at rest and maintain appropriate administrative, a. The service provider shall implement a. The service provider shall implement and in transit. technical and organizational security and maintain appropriate administrative, and maintain appropriate administrative, Workloads to the Cloud measures to safeguard against unauthorized technical and organizational security technical and organizational security access, disclosure or theft of personal measures to safeguard against unauthorized measures to safeguard against unauthorized data and non-public data. Such security access, disclosure or theft of personal data access, disclosure or theft of personal data measures shall be in accordance with and non-public data within its control. Such and non-public data within its control. Such Conclusion recognized industry practice and not less security measures shall be in accordance security measures shall be in accordance stringent than the measures the service with recognized industry practice and with recognized industry practice and provider applies to its own personal data not less stringent than the measures the not less stringent than the measures the Workgroup Members and non-public data of similar kind. service provider applies to its own personal service provider applies to its own personal data and non-public data of similar kind. data and non-public data of similar kind. and Contributors b. All data obtained by the service provider in the performance of this b. All data obtained by the service provider b. All data obtained by the service provider contract shall become and remain within its control in the performance of within its control in the performance of property of the public jurisdiction. this contract shall become and remain this contract shall become and remain Appendix 1 property of the public jurisdiction. property of the public jurisdiction. Model Terms and Conditions Templates c. All personal data shall be encrypted at rest and in transit with controlled access. c. Unless otherwise stipulated, personal data c. Unless otherwise stipulated, personal data Software-as-a-Service Unless otherwise stipulated, the service and non-public data shall be encrypted at and non-public data shall be encrypted at Platform-as-a-Service provider is responsible for encryption rest and in transit with controlled access. rest and in transit with controlled access. of the personal data. Any stipulation of The service level agreement (SLA) and The service level agreement (SLA) and Infrastructure-as-a-Service responsibilities will identify specific roles contract document will specify which party contract document will specify which party and responsibilities and shall be included is responsible for encryption and access is responsible for encryption and access in the service level agreement (SLA), or control of the public jurisdiction data for control of the public jurisdiction data for otherwise made a part of this contract. the service model under contract. If the the service model under contract. If the Appendix 2 statement of work and the contract are silent, statement of work and the contract are silent, SLA Metrics d. Unless otherwise stipulated, the service then the public jurisdiction is responsible then the public jurisdiction is responsible provider shall encrypt all non-public for encryption and access control. for encryption and access control. data at rest and in transit. The public jurisdiction shall identify data it deems as d. Unless otherwise stipulated, it is the d. Unless otherwise stipulated, it is the Appendix 3 non-public data to the service provider. public jurisdiction’s responsibility to identify public jurisdiction’s responsibility to identify The level of protection and encryption data it deems as non-public data to the data it deems as non-public data to the Key Contact Information for all non-public data shall be identified service provider. The level of protection and service provider. The level of protection and and made a part of this contract. encryption for all non-public data shall be encryption for all non-public data shall be identified and made a part of this contract. identified and made a part of this contract. e. At no time shall any data or processes – Appendix 4 that either belong to or are intended for the e. At no time shall any data or processes e. At no time shall any data or processes – Guiding Principles use of a public jurisdiction or its officers, – which either belong to or are intended which either belong to or are intended for agents or employees – be copied, disclosed for the use of a public jurisdiction or its the use of public jurisdiction or its officers, or retained by the service provider or any officers, agents or employees – be copied, agents or employees — be copied, disclosed party related to the service provider for disclosed, or retained by the service provider or retained by the service provider or any Appendix 5 subsequent use in any transaction that or any party related to the service provider party related to the service provider for Procurement Approaches does not include the public jurisdiction. for subsequent use in any transaction that subsequent use in any transaction that does not include the public jurisdiction. does not include the public jurisdiction. f. The service provider shall not use any information collected in connection with the Appendix 6 service issued from this proposal for any Glossary purpose other than fulfilling the service.
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 73 Introduction
Specific Models and Understanding Cloud Procurement Service Models Plain Language SaaS PaaS IaaS Data Breach Notification 4. The service 4. Data Location: The service provider shall 4. Data Location: The service provider shall 4. Data Location: The service provider shall provider will not provide its services to the public jurisdiction provide its services to the public jurisdiction provide its services to the public jurisdiction Personnel store any of the and its end users solely from data centers in and its end users solely from data centers in and its end users solely from data centers in public jurisdiction’s the U.S. Storage of public jurisdiction data at the U.S. Storage of public jurisdiction data at the U.S. Storage of public jurisdiction data at Security non-public data rest shall be located solely in data centers in rest shall be located solely in data centers in rest shall be located solely in data centers in Encryption outside the U.S. the U.S. The service provider shall not allow the U.S. The service provider shall not allow the U.S. The service provider shall not allow its personnel or contractors to store public its personnel or contractors to store public its personnel or contractors to store public Audits jurisdiction data on portable devices, including jurisdiction data on portable devices, including jurisdiction data on portable devices, including Operations personal computers, except for devices personal computers, except for devices personal computers, except for devices that are used and kept only at its U.S. data that are used and kept only at its U.S. data that are used and kept only at its U.S. data Hybrid Cloud Environments centers. The service provider shall permit its centers. The service provider shall permit its centers. The service provider shall permit its Preparation for Migrating personnel and contractors to access public personnel and contractors to access public personnel and contractors to access public jurisdiction data remotely only as required jurisdiction data remotely only as required jurisdiction data remotely only as required Workloads to the Cloud to provide technical support. The service to provide technical support. The service to provide technical support. The service provider may provide technical user support provider may provide technical user support provider may provide technical user support on a 24/7 basis using a Follow the Sun model, on a 24/7 basis using a Follow the Sun model, on a 24/7 basis using a Follow the Sun model, Conclusion unless otherwise prohibited in this contract. unless otherwise prohibited in this contract. unless otherwise prohibited in this contract.
Workgroup Members 5. The service provider 5. Security Incident or Data Breach 5. Security Incident or Data Breach 5. Security Incident or Data Breach will notify the public Notification: The service provider shall Notification: The service provider shall inform Notification: The service provider shall and Contributors jurisdiction of a inform the public jurisdiction of any the public jurisdiction of any security incident inform the public jurisdiction of any security security breach. In security incident or data breach. or data breach within the possession and incident or data breach related to public the case of a SaaS a. Incident Response: The service provider control of the service provider and related jurisdiction data within the possession or Appendix 1 or PaaS, the service may need to communicate with outside to service provided under this contract. control of the service provider and related to provider will notify the parties regarding a security incident, which a. Incident Response: The service provider the service provided under this contract. Model Terms and Conditions Templates public jurisdiction of may include contacting law enforcement, may need to communicate with outside a. Security Incident Reporting Requirements: Software-as-a-Service a security incident. fielding media inquiries and seeking parties regarding a security incident, which Unless otherwise stipulated, the service external expertise as mutually agreed upon, may include contacting law enforcement, provider shall immediately report a security Platform-as-a-Service defined by law or contained in the contract. fielding media inquiries and seeking incident related to its service under the Infrastructure-as-a-Service Discussing security incidents with the external expertise as mutually agreed upon, contract to the appropriate public jurisdiction public jurisdiction should be handled on an defined by law or contained in the contract. identified contact as defined in the SLA. urgent as-needed basis, as part of service Discussing security incidents with the provider communication and mitigation public jurisdiction should be handled on an b. Breach Reporting Requirements: If the Appendix 2 processes as mutually agreed upon, defined urgent as-needed basis, as part of service service provider has actual knowledge of a confirmed data breach that affects the SLA Metrics by law or contained in the contract. provider communication and mitigation processes as mutually agreed, defined security of any public jurisdiction content b. Security Incident Reporting Requirements: by law or contained in the contract. that is subject to applicable data breach The service provider shall report a notification law, the service provider shall Appendix 3 security incident to the appropriate b. Security Incident Reporting Requirements: (1) promptly notify the appropriate public public jurisdiction identified contact Unless otherwise stipulated, the service jurisdiction identified contact within 24 Key Contact Information immediately as defined in the SLA. provider shall immediately report a security hours or sooner, unless shorter time is incident related to its service under the required by applicable law, and (2) take c. Breach Reporting Requirements: If the contract to the appropriate public jurisdiction commercially reasonable measures to service provider has actual knowledge of identified contact as defined in the SLA. address the data breach in a timely manner. Appendix 4 a confirmed data breach that affects the Guiding Principles security of any public jurisdiction content c. Breach Reporting Requirements: If the that is subject to applicable data breach service provider has actual knowledge of notification law, the service provider shall a confirmed data breach that affects the (1) promptly notify the appropriate public security of any public jurisdiction content Appendix 5 jurisdiction identified contact within 24 that is subject to applicable data breach Procurement Approaches hours or sooner, unless shorter time is notification law, the service provider shall required by applicable law, and (2) take (1) promptly notify the appropriate public commercially reasonable measures to jurisdiction identified contact within 24 address the data breach in a timely manner. hours or sooner, unless shorter time is Appendix 6 required by applicable law, and (2) take Glossary commercially reasonable measures to address the data breach in a timely manner. Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 74 Introduction
Specific Models and Understanding Cloud Procurement Service Models Plain Language SaaS PaaS IaaS Data Breach Notification 6. If a service provider 6. Breach Responsibilities: This section 6. Breach Responsibilities: This section only 6. Breach Responsibilities: This section only is responsible for only applies when a data breach occurs applies when a data breach occurs with applies when a data breach occurs with Personnel a breach, they will with respect to personal data within the respect to personal data within the possession respect to personal data within the possession pay the cost of the possession or control of service provider. or control of the service provider and related or control of a service provider and related Security breach investigation, a. The service provider, unless stipulated to the service provided under this contract. to service provided under this contract. Encryption resolution, otherwise, shall immediately notify the a. The service provider, unless stipulated a. The service provider, unless stipulated notification, credit appropriate public jurisdiction identified otherwise, shall immediately notify the otherwise, shall immediately notify the Audits monitoring and call contact by telephone in accordance with appropriate public jurisdiction identified appropriate public jurisdiction identified Operations centers up to a set the agreed upon security plan or security contact by telephone in accordance with contact by telephone in accordance with amount per record/ procedures if it reasonably believes the agreed upon security plan or security the agreed upon security plan or security Hybrid Cloud Environments per person. The there has been a security incident. procedures if it reasonably believes procedures if it reasonably believes Preparation for Migrating service provider there has been a security incident. there has been a security incident. will take corrective b. The service provider, unless stipulated Workloads to the Cloud action subject to any otherwise, shall promptly notify the b. The service provider, unless stipulated b. The service provider, unless stipulated limitation of liability appropriate public jurisdiction identified otherwise, shall promptly notify the otherwise, shall promptly notify the in the contract. contact within 24 hours or sooner by appropriate public jurisdiction identified appropriate public jurisdiction identified telephone, unless shorter time is required contact within 24 hours or sooner by contact within 24 hours or sooner by Conclusion by applicable law, if it confirms that there is, telephone, unless shorter time is required telephone, unless shorter time is required or reasonably believes that there has been by applicable law, if it confirms that there is by applicable law, if it confirms that there is a data breach. The service provider shall or reasonably believes that there has been or reasonably believes that there has been Workgroup Members (1) cooperate with the public jurisdiction a data breach. The service provider shall a data breach. The service provider shall as reasonably requested by the public (1) cooperate with the public jurisdiction (1) cooperate with the public jurisdiction and Contributors jurisdiction to investigate and resolve as reasonably requested by the public as reasonably requested by the public the data breach, (2) promptly implement jurisdiction to investigate and resolve jurisdiction to investigate and resolve necessary remedial measures, if necessary, the data breach; (2) promptly implement the data breach; (2) promptly implement and (3) document responsive actions taken necessary remedial measures, if necessary; necessary remedial measures, if necessary; Appendix 1 related to the data breach, including any and (3) document responsive actions taken and (3) document responsive actions taken Model Terms and Conditions Templates post-incident review of events and actions related to the data breach, including any related to the data breach, including any taken to make changes in business practices post-incident review of events and actions post-incident review of events and actions Software-as-a-Service in providing the services, if necessary. taken to make changes in business practices taken to make changes in business practices Platform-as-a-Service in providing the services, if necessary. in providing the services, if necessary. c. Unless otherwise stipulated, if a data Infrastructure-as-a-Service breach is a direct result of the service c. Unless otherwise stipulated, if a data c. Unless otherwise stipulated, if a data provider’s breach of its contract obligation breach is a direct result of the service breach is a direct result of the service to encrypt personal data or otherwise provider’s breach of its contract obligation provider’s breach of its contract obligation prevent its release, the service provider to encrypt personal data or otherwise to encrypt personal data or otherwise Appendix 2 shall bear the costs associated with (1) the prevent its release, the service provider prevent its release, the service provider SLA Metrics investigation and resolution of the data shall bear the costs associated with (1) the shall bear the costs associated with (1) the breach; (2) notifications to individuals, investigation and resolution of the data investigation and resolution of the data regulators or others required by state law; breach; (2) notifications to individuals, breach; (2) notifications to individuals, (3) a credit monitoring service required by regulators or others required by state law; regulators or others required by state law; Appendix 3 state (or federal) law; (4) a website or a (3) a credit monitoring service required (3) a credit monitoring service required by Key Contact Information toll-free number and call center for affected by state (or federal) law; (4) a website state (or federal) law; (4) a website or a individuals required by state law – all not to or a toll-free number and call center for toll-free number and call center for affected exceed the average per record per person affected individuals required by state law; individuals required by state law; all not to cost calculated for data breaches in the all not to exceed the average per record per exceed the average per record per person Appendix 4 United States (currently $201 per record/ person cost calculated for data breaches cost calculated for data breaches in the Guiding Principles person) in the most recent Cost of Data in the United States (currently $201 per United States (currently $201 per record/ Breach Study: Global Analysis published record/person) in the most recent Cost person) in the most recent Cost of Data by the Ponemon Institute32 at the time of Data Breach Study: Global Analysis Breach Study: Global Analysis published of the data breach; and (5) complete published by the Ponemon Institute33 by the Ponemon Institute34 at the time Appendix 5 all corrective actions as reasonably at the time of the data breach; and (v) of the data breach; and (5) complete all Procurement Approaches determined by service provider based on complete all corrective actions as reasonably corrective actions as reasonably determined root cause; all [(1) through (5)] subject determined by service provider based on by the service provider based on root to this contract’s limitation of liability. root cause; all [(1) through (5)] subject cause; all [(1) through (5)] subject to Appendix 6 to this contract’s limitation of liability. this contract’s limitation of liability. Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 75 Introduction
Specific Models and Understanding Cloud Procurement Service Models Plain Language SaaS PaaS IaaS Data Breach Notification 7. The service 7. Notification of Legal Requests: The service 7. Notification of Legal Requests: The service 7. Notification of Legal Requests: The service provider will notify provider shall contact the public jurisdiction provider shall contact the public jurisdiction provider shall contact the public jurisdiction Personnel the public jurisdiction upon receipt of any electronic discovery, upon receipt of any electronic discovery, upon receipt of any electronic discovery, Security of any legal requests litigation holds, discovery searches and expert litigation holds, discovery searches and expert litigation holds, discovery searches and expert that might require testimonies related to the public jurisdiction’s testimonies related to the public jurisdiction’s testimonies related to the public jurisdiction’s Encryption access to the public data under this contract, or which in any data under this contract, or which in any data under this contract, or which in any jurisdiction’s data. way might reasonably require access to the way might reasonably require access to the way might reasonably require access to the Audits data of the public jurisdiction. The service data of the public jurisdiction. The service data of the public jurisdiction. The service Operations provider shall not respond to subpoenas, provider shall not respond to subpoenas, provider shall not respond to subpoenas, service of process and other legal requests service of process and other legal requests service of process and other legal requests Hybrid Cloud Environments related to the public jurisdiction without related to the public jurisdiction without related to the public jurisdiction without Preparation for Migrating first notifying the public jurisdiction, unless first notifying the public jurisdiction, unless first notifying the public jurisdiction, unless prohibited by law from providing such notice. prohibited by law from providing such notice. prohibited by law from providing such notice. Workloads to the Cloud
8. The service provider 8. Termination and Suspension of Service: 8. Termination and Suspension of Service: 8. Termination and Suspension of Service: Conclusion will not erase the a. In the event of a termination of the contract, a. In the event of an early termination a. In the event of an early termination public jurisdiction’s the service provider shall implement an orderly of the contract, the service provider of the contract, the service provider data in the event return of public jurisdiction data in a CSV or shall allow for the public jurisdiction to shall allow for the public jurisdiction to of a suspension or another mutually agreeable format at a time retrieve its digital content and provide retrieve its digital content and provide Workgroup Members when the contract is agreed to by the parties and the subsequent for the subsequent secure disposal of for the subsequent secure disposal of and Contributors terminated. Specific secure disposal of public jurisdiction data. public jurisdiction digital content. public jurisdiction digital content. time periods are established where b. During any period of service suspension, the b. During any period of suspension, b. During any period of suspension, data will be preserved service provider shall not take any action to the service provider shall not take the service provider shall not take Appendix 1 by the service intentionally erase any public jurisdiction data. any action to intentionally erase any any action to intentionally erase any Model Terms and Conditions Templates provider based on c. In the event of termination of any services public jurisdiction digital content. public jurisdiction digital content. the circumstances or agreement in entirety, the service provider Software-as-a-Service of termination and c. In the event of early termination of any c. In the event of early termination of shall not take any action to intentionally erase services or agreement in entirety, the any services or agreement in entirety, Platform-as-a-Service the type of service any public jurisdiction data for a period of: provided. The service service provider shall not take any action to the service provider shall not take any • 10 days after the effective date of intentionally erase any public jurisdiction action to intentionally erase any public Infrastructure-as-a-Service provider will destroy termination, if the termination is in data using a NIST- data for a period of: 1) 45 days after jurisdiction data for a period of 1) 45 days accordance with the contract period the effective date of termination, if the after the effective date of termination, if approved method • 30 days after the effective date when requested by termination is for convenience; or 2) 60 days the termination is for convenience; or 2) 60 Appendix 2 of termination, if the termination after the effective date of termination, if the days after the effective date of termination, the public jurisdiction. is for convenience SLA Metrics termination is for cause. After such period, if the termination is for cause. After such • 60 days after the effective date of the service provider shall have no obligation day period, the service provider shall have no termination, if the termination is for cause to maintain or provide any public jurisdiction obligation to maintain or provide any public data and shall thereafter, unless legally jurisdiction data and shall thereafter, unless Appendix 3 After such period, the service provider prohibited, delete all public jurisdiction legally prohibited, delete all public jurisdiction shall have no obligation to maintain Key Contact Information data in its systems or otherwise in its data in its systems or otherwise in its or provide any public jurisdiction data possession or under its control. In the event possession or under its control. In the event and shall thereafter, unless legally of either termination for cause, the service of either termination for cause, the service prohibited, delete all public jurisdiction provider will impose no fees for access and provider will impose no fees for access and Appendix 4 data in its systems or otherwise in its retrieval of digital content to the customer. retrieval of digital content to the customer. possession or under its control. Guiding Principles d. After termination of the contract and d. After termination of the contract and d. The public jurisdiction shall be entitled to the prescribed retention period, the the prescribed retention period, the any post-termination assistance generally provider shall securely dispose of all digital provider shall securely dispose of all digital Appendix 5 made available with respect to the services, content in all of its forms, such as disk, content in all of its forms, such as disk, unless a unique data retrieval arrangement CD/DVD, backup tape and paper. The CD/DVD, backup tape and paper. The Procurement Approaches has been established as part of the SLA. public jurisdiction’s digital content shall public jurisdiction’s digital content shall e. The service provider shall securely dispose be permanently deleted and shall not be be permanently deleted and shall not be of all requested data in all of its forms, such as recoverable, according to NIST-approved recoverable, according to NIST- approved Appendix 6 disk, CD/DVD, backup tape and paper, when methods. Certificates of destruction shall methods. Certificates of destruction shall requested by the public jurisdiction. Data be provided to the public jurisdiction. be provided to the public jurisdiction. Glossary shall be permanently deleted and shall not be recoverable, according to NIST-approved methods. Certificates of destruction shall Appendix 7 be provided to the public jurisdiction. Clause Comparison Matrix
Endnotes • Executive Summary 76 Introduction
Specific Models and Understanding Cloud Procurement Service Models Plain Language SaaS PaaS IaaS Data Breach Notification 9. The service 9. Background Checks: The service 9. Background Checks: The service 9. Background Checks: The service provider will perform provider shall conduct criminal background provider shall conduct criminal background provider shall conduct criminal background Personnel background checks checks and not utilize any staff, including checks and not utilize any staff, including checks and not utilize any staff, including on staff, including subcontractors, to fulfill the obligations subcontractors, to fulfill the obligations subcontractors, to fulfill the obligations Security subcontractors. The of the contract who have been convicted of the contract who have been convicted of the contract who have been convicted Encryption service provider will of any crime of dishonesty, including but of any crime of dishonesty, including but of any crime of dishonesty, including but not use staff who have not limited to criminal fraud, or otherwise not limited to criminal fraud, or otherwise not limited to criminal fraud, or otherwise Audits criminal convictions. convicted of any felony or misdemeanor convicted of any felony or any misdemeanor convicted of any felony or any misdemeanor Operations offense for which incarceration for up to 1 offense for which incarceration for up to 1 offense for which incarceration for up to 1 year is an authorized penalty. The service year is an authorized penalty. The service year is an authorized penalty. The service Hybrid Cloud Environments provider shall promote and maintain an provider shall promote and maintain an provider shall promote and maintain an Preparation for Migrating awareness of the importance of securing the awareness of the importance of securing the awareness of the importance of securing the public jurisdiction’s information among the public jurisdiction’s information among the public jurisdiction’s information among the Workloads to the Cloud service provider’s employees and agents. service provider’s employees and agents. service provider’s employees and agents.
Conclusion 10. The service 10. Access to Security Logs and Reports: 10. Access to Security Logs and Reports: 10. Access to Security Logs and Reports: provider will provide The service provider shall provide reports a. The service provider shall provide a. The service provider shall provide reports reports to the public to the public jurisdiction in a format as reports to the public jurisdiction in to the public jurisdiction directly related to jurisdiction for its specified in the SLA agreed to by both the a format as specified in the SLA and the infrastructure that the service provider Workgroup Members accounts in a format service provider and the public jurisdiction. agreed to by both the service provider controls upon which the public jurisdiction and Contributors agreed to in the SLA. Reports shall include latency statistics, and the public jurisdiction. Reports will account resides. Unless otherwise agreed to The reports include: user access, user access IP address, user include latency statistics, user access, in the SLA, the service provider shall provide latency statistic, access history and security logs for all public user access IP address, user access the public jurisdiction a history or all API user access, user jurisdiction files related to this contract. history and security logs for all public calls for the public jurisdiction account that Appendix 1 access IP addresses, jurisdiction files related to this contract. includes the identity of the API caller, the Model Terms and Conditions Templates user access history time of the API call, the source IP address and security logs. b. The service provider and the public of the API caller, the request parameters Software-as-a-Service jurisdiction recognize that security and the response elements returned by responsibilities are shared. The service Platform-as-a-Service the service provider. The report will be provider is responsible for providing sufficient to enable the public jurisdiction Infrastructure-as-a-Service a secure infrastructure. The public to perform security analysis, resource jurisdiction is responsible for its secure change tracking and compliance auditing. guest operating system, firewalls and other logs captured within the guest operating b. The service provider and the public Appendix 2 system. Specific shared responsibilities jurisdiction recognize that security SLA Metrics are identified within the SLA. responsibilities are shared. The service provider is responsible for providing a secure infrastructure. The public jurisdiction is responsible for its secure Appendix 3 guest operating system, firewalls and other Key Contact Information logs captured within the guest operating system. Specific shared responsibilities are identified within the SLA. Appendix 4 Guiding Principles 11. The public 11. Contract Audit: The service provider 11. Contract Audit: The service provider 11. Contract Audit: The service provider jurisdiction can shall audit conformance to the contract shall audit conformance to the contract shall audit conformance to the contract audit conformance terms. The public jurisdiction or a terms. The public jurisdiction or a terms. The public jurisdiction or a to contract terms. contractor of itschoice may perform contractor of its choice may perform contractor of its choice may perform Appendix 5 the audit. The cost of the audit is the the audit. The cost of the audit is the the audit. The cost of the audit is the Procurement Approaches responsibility of the public jurisdiction. responsibility of the public jurisdiction. responsibility of the public jurisdiction.
Appendix 6 Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 77 Introduction
Specific Models and Understanding Cloud Procurement Service Models Plain Language SaaS PaaS IaaS Data Breach Notification 12. The service 12. Data Center Audit: The service provider 12. Data Center Audit: The service provider 12. Data Center Audit: The service provider provider will have an shall perform an independent SOC 2 Type 2 shall perform an independent SOC 2 Type 2 shall perform an independent SOC 2 Type 2 Personnel independent audit audit annually for all relevant data centers audit annually for all relevant data centers audit annually for all relevant data centers performed of its data at the service provider’s expense. The audit at the service provider’s expense. The audit at the service provider’s expense. The audit Security centers annually. must be made available to the jurisdiction if must be made available to the jurisdiction if must be made available to the jurisdiction if Encryption requested under unilateral NDA or after requested under unilateral NDA or after requested under unilateral NDA or after being redacted. being redacted. being redacted. Audits Operations Hybrid Cloud Environments 13. The service 13. Change Control and Advance Notice: 13. Change Control and Advance Notice: 13. Change Control and Advance Notice: provider will notify The service provider shall give advance notice The service provider shall give advance The service provider shall give advance Preparation for Migrating the public jurisdiction (to be determined at the contract time and notice (to be determined at contract time and notice (to be determined at contract time and of upgrades and included in the SLA) to the public jurisdiction included in the SLA) to the public jurisdiction included in the SLA) to the public jurisdiction Workloads to the Cloud maintenance. of any upgrades (e.g., major upgrades, minor of any upgrades (e.g., major upgrades, minor of any upgrades (e.g., major upgrades, minor upgrades, system changes) that may impact upgrades, system changes) that may impact upgrades, system changes) that may impact service availability and performance. A service availability and performance. A service availability and performance. A Conclusion major upgrade is a replacement of hardware, major upgrade is a replacement of hardware, major upgrade is a replacement of hardware, software or firmware with a newer or better software or firmware with a newer or better software or firmware with a newer or better version in order to bring the system up to version, in order to bring the system up to version in order to bring the system up to date or to improve its characteristics. It date or to improve its characteristics. It date or to improve its characteristics. It Workgroup Members usually includes a new version number. usually includes a new version number. usually includes a new version number. and Contributors
14. The service 14. Security: The service provider shall 14. Security: The service provider shall 14. Security: The service provider shall Appendix 1 provider will disclose disclose its non-proprietary security disclose its non-proprietary security disclose its non-proprietary security security processes and processes and technical limitations to processes and technical limitations to processes and technical limitations to Model Terms and Conditions Templates technical limitations. the public jurisdiction such that adequate the public jurisdiction such that adequate the public jurisdiction such that adequate Software-as-a-Service protection and flexibility can be attained protection and flexibility can be attained protection and flexibility can be attained between the public jurisdiction and the between the public jurisdiction and the between the public jurisdiction and the Platform-as-a-Service service provider. For example: virus checking service provider. For example: virus checking service provider. For example: virus checking and port sniffing – the public jurisdiction and port sniffing – the public jurisdiction and port sniffing — the public jurisdiction Infrastructure-as-a-Service and the service provider shall understand and the service provider shall understand and the service provider shall understand each other’s roles and responsibilities. each other’s roles and responsibilities. each other’s roles and responsibilities. Appendix 2 SLA Metrics 15. The service 15. Non-disclosure and Separation 15. Non-disclosure and Separation of Duties: 15. Non-disclosure and Separation of Duties: provider will limit staff of Duties: The service provider shall The service provider shall enforce separation The service provider shall enforce separation knowledge of data enforce separation of job duties, require of job duties, require commercially reasonable of job duties, require commercially reasonable and separate duties to commercially reasonable non-disclosure non-disclosure agreements and limit staff non-disclosure agreements and limit staff Appendix 3 protect the data. Non- agreements, and limit staff knowledge of knowledge of customer data to that which is knowledge of customer data to that which is Key Contact Information disclosure agreements public jurisdiction data to that which is absolutely necessary to perform job duties. absolutely necessary to perform job duties. are required of service absolutely necessary to perform job duties. provider staff. Appendix 4 Guiding Principles 16. The public 16. Import and Export of Data: The public 16. Import and Export of Data: The public 16. Import and Export of Data: The public jurisdiction can import jurisdiction shall have the ability to import jurisdiction shall have the ability to import jurisdiction shall have the ability to import or export its data or export data in piecemeal or in entirety at or export data in piecemeal or in entirety at or export data in piecemeal or in entirety at whenever needed. its discretion without interference from the its discretion without interference from the its discretion without interference from the Appendix 5 service provider. This includes the ability for service provider. This includes the ability for service provider. This includes the ability for Procurement Approaches the public jurisdiction to import or export the public jurisdiction to import or export the public jurisdiction to import or export data to/from other service providers. data to/from other service providers. data to/from other service providers. Appendix 6 Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 78 Introduction
Specific Models and Understanding Cloud Procurement Service Models Plain Language SaaS PaaS IaaS Data Breach Notification 17. The service 17. Responsibilities and Uptime Guarantee: 17. Responsibilities and Uptime Guarantee: 17. Responsibilities and Uptime Guarantee: provider is responsible The service provider shall be responsible The service provider shall be responsible The service provider shall be responsible Personnel for all hardware, for the acquisition and operation of all for the acquisition and operation of all for the acquisition and operation of all software, personnel hardware, software and network support hardware, software and network support hardware, software and network support Security and facilities needed related to the services being provided. The related to the services being provided. The related to the services being provided. The Encryption to deliver services. technical and professional activities required technical and professional activities required technical and professional activities required Service will be for establishing, managing, and maintaining for establishing, managing and maintaining for establishing, managing and maintaining Audits available 24/7. the environments are the responsibilities the environment is the responsibility of the environment is the responsibility of Operations of the service provider. The system shall the service provider. The system shall be the service provider. The system shall be be available 24/7/365 (with agreed-upon available 24/7/365 (with agreed-upon available 24/7/365 (with agreed-upon Hybrid Cloud Environments maintenance downtime), and provide service maintenance downtime), and provide service maintenance downtime), and provide service Preparation for Migrating to customers as defined in the SLA. to customers as defined in the SLA. to customers as defined in the SLA. Workloads to the Cloud 18. The service 18. Subcontractor Disclosure: The service 18. Subcontractor Disclosure: The service 18. Subcontractor Disclosure: The service provider will disclose provider shall identify all of its strategic provider shall identify all of its strategic provider shall identify all of its strategic Conclusion all subcontractors. business partners related to services provided business partners related to services provided business partners related to services provided under this contract, including but not limited under this contract, including but not limited under this contract, including but not limited to all subcontractors or other entities or to all subcontractors or other entities or to all subcontractors or other entities or individuals who may be a party to a joint individuals who may be a party to a joint individuals who may be a party to a joint Workgroup Members venture or similar agreement with the service venture or similar agreement with the service venture or similar agreement with the service and Contributors provider, and who shall be involved in any provider, and who will be involved in any provider, and who shall be involved in any application development and/or operations. application development and/or operations. application development and/or operations. Appendix 1 19. The public 19. Right to Remove Individuals: The public 19. Right to Remove Individuals: The public 19. Right to Remove Individuals: The public Model Terms and Conditions Templates jurisdiction may have jurisdiction shall have the right at any time jurisdiction shall have the right at any time jurisdiction shall have the right at any time Software-as-a-Service the service provider to require that the service provider remove to require that the service provider remove to require that the service provider remove remove staff. from interaction with public jurisdiction any from interaction with public jurisdiction any from interaction with public jurisdiction any Platform-as-a-Service service provider representative who the public service provider representative who the public service provider representative who the public jurisdiction believes is detrimental to its jurisdiction believes is detrimental to its jurisdiction believes is detrimental to its Infrastructure-as-a-Service working relationship with the service provider. working relationship with the service provider. working relationship with the service provider. The public jurisdiction shall provide the service The public jurisdiction shall provide the service The public jurisdiction shall provide the service provider with notice of its determination, and provider with notice of its determination and provider with notice of its determination, and Appendix 2 the reasons it requests the removal. If the the reasons it requests the removal. If the the reasons it requests the removal. If the public jurisdiction signifies that a potential public jurisdiction signifies that a potential public jurisdiction signifies that a potential SLA Metrics security violation exists with respect to the security violation exists with respect to the security violation exists with respect to the request, the service provider shall immediately request, the service provider shall immediately request, the service provider shall immediately remove such individual. The service provider remove such individual. The service provider remove such individual. The service provider Appendix 3 shall not assign the person to any aspect shall not assign the person to any aspect shall not assign the person to any aspect of the contract or future work orders of the contract or future work orders of the contract or future work orders Key Contact Information without the public jurisdiction’s consent. without the public jurisdiction’s consent. without the public jurisdiction’s consent.
Appendix 4 20. When asked by 20. Business Continuity and Disaster 20. Business Continuity and Disaster 20. Business Continuity and Disaster Guiding Principles the public jurisdiction, Recovery: The service provider shall provide Recovery: The service provider shall provide Recovery: The service provider shall provide the service provider a business continuity and disaster recovery a business continuity and disaster recovery a business continuity and disaster recovery will provide business plan upon request and ensure that the plan upon request and ensure that the plan upon request and ensure the public continuity and disaster public jurisdiction’s recovery time objective public jurisdiction’s recovery time objective jurisdiction’s recovery time objective Appendix 5 recovery plans. Both (RTO) of XXX hours/days is met. (XXX (RTO) of XXX hours/days is met. (XXX (RTO) of XXX hours/days is met. (XXX parties must agree shall be negotiated by both parties.) shall be negotiated by both parties.) shall be negotiated by both parties.) Procurement Approaches on recovery time objectives (RTO) in the contract. The Appendix 6 service provider will Glossary meet the RTOs.
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 79 Introduction
Specific Models and Understanding Cloud Procurement Service Models Plain Language SaaS PaaS IaaS Data Breach Notification 21. The service 21. Compliance with Accessibility 21. Compliance with Accessibility No corresponding clause — not relevant provider will comply Standards: The service provider shall Standards: The service provider shall to service model. Standards would be Personnel with accessibility comply with and adhere to Accessibility comply with and adhere to Accessibility selected by the public jurisdiction. requirements. Standards of Section 508 Amendment Standards of Section 508 Amendment Security to the Rehabilitation Act of 1973. to the Rehabilitation Act of 1973. Encryption Audits 22. The service 22. Web Services: The service provider 22. Web Services: The service provider No corresponding clause — not relevant Operations provider will use shall use Web services exclusively to shall use Web services exclusively to to service model. Standards would be Hybrid Cloud Environments Web services interface with the public jurisdiction’s interface with the public jurisdiction’s selected by the public jurisdiction. where possible to data in near real time when possible. data in near real time when possible. Preparation for Migrating interface with public Workloads to the Cloud jurisdiction data.
23. The service 23. Encryption of Data at Rest: The service 23. Encryption of Data at Rest: The service No corresponding clause — not relevant Conclusion provider will encrypt provider shall prevent its employees and provider shall prevent its employees and to service model. Standards would be data at rest and subcontractors from storing personal data on subcontractors from storing personal data on selected by the public jurisdiction. data that resides on portable devices, except within data centers portable devices, except within data centers Workgroup Members mobile devices. located in the United States. If personal located in the United States. If personal data must be stored on portable devices to data must be stored on portable devices to and Contributors accomplish the work, the service provider accomplish the work, the service provider must use hard drive encryption in accordance must use hard drive encryption in accordance withcryptography standards referenced withcryptography standards referenced Appendix 1 in FIPS 140-2, Security Requirements for in FIPS 140-2, Security Requirements for Cryptographic Modules. Cryptographic Modules. Model Terms and Conditions Templates Software-as-a-Service Platform-as-a-Service Infrastructure-as-a-Service
Appendix 2 SLA Metrics
Appendix 3 Key Contact Information
Appendix 4 Guiding Principles
Appendix 5 Procurement Approaches
Appendix 6 Glossary
Appendix 7 Clause Comparison Matrix
Endnotes • Executive Summary 80 Introduction
Specific Models and Understanding Cloud Procurement Service Models Data ENDNOTES Breach Notification Personnel Security 1. Special Publication 800-146, “Cloud Computing Synopsis and Recommendations,” 22. “2013 Cost of Data Breach Study: Global Analysis,” Ponemon Institute, May 2013. National Institute of Standards and Technology, September 2012 Encryption 23. “Myth-Busting: Addressing Misconceptions to Improve Communications with Audits 2. Ibid. Industry During the Acquisition Process,” Daniel I. Gordon, February 2, 2011, OMB, and “Myth Busting: Addressing Misconceptions and Further Improving 3. Ibid. Operations Communications During the Acquisition Process,” OMB, May 7, 2012. Hybrid Cloud Environments 4. State Security Breach Notifications Laws, National Conference of State 24. “Strategies for Procurement Innovation and Reform,” IJIS Institute, December 10, 2013. Preparation for Migrating Legislatures, website, April 11, 2014. 25. P24, “Recommendations to Improve Large Information Technology Procurements: 5. P2-1, “Guide to Protecting the Confidentiality of Personally Identifiable Information Workloads to the Cloud A Road Map for Success in California,” Task Force on Reengineering IT (PII),” Special Publication 800-122, National Institute of Standards and Procurement for Success, August 2013. Technology, April 2010. 26. P31-32, “Seeing Excellence: Learning from Great Procurement Teams,” Richard Conclusion 6. P5, “Data Security Breach Notification Laws,” Gina Stevens, Congressional Pennington, 2013. Research Service, April 10, 2012. 27. Section 3-207, The 2000 Model Procurement Code for State and Local 7. P11, “There is a New Sheriff in Town; The Auditor, Internal Controls and You,” Workgroup Members Governments, American Bar Association. Contract Management, September 2006, Richard Pennington J.D. and Contributors 28. HIPAA Privacy Rule, Definitions, U.S. Department of Health and Human Services, 8. P1, “2014 Cost of Data Breach Study: Global Analysis,” Ponemon Institute National Institute of Health. Research Report, May 2014. 29. Special Publication 800-146, “Cloud Computing Synopsis and Recommendations,” Appendix 1 9. P2-3, NIST SP 800-111, “Guide to Storage Encryption Technology for End-User National Institute of Standards and Technology, May 2012. Model Terms and Conditions Templates Devices,” November 2007. 30. U.S. Department of Health and Human Services, National Institute of Health, Software-as-a-Service 10. FIPS 140-2 issued by the National Institute of Standards and Technology defines HIPAA Privacy Rule, Definitions. Platform-as-a-Service four levels of security. 31. Special Publication 800-146, “Cloud Computing Synopsis and Recommendations,” Infrastructure-as-a-Service 11. Special Publication 800-146, “Cloud Computing Synopsis and Recommendations” National Institute of Standards and Technology, May 2012. National Institute of Standards and Technology, May 2012. 32. “2013 Cost of Data Breach Study: Global Analysis,” Ponemon Institute, May 2013. Appendix 2 12. HIPAA Privacy Rule, Definitions, U.S. Department of Health and Human Services, National Institute of Health. 33. Ibid. SLA Metrics 13. U.S. Department of Health and Human Services, National Institute of Health, 34. Ibid. HIPAA Privacy Rule, Definitions. Appendix 3 14. Special Publication 800-146, “Cloud Computing Synopsis and Recommendations” Key Contact Information National Institute of Standards and Technology, May 2012. 15. “2013 Cost of Data Breach Study: Global Analysis,” Ponemon Institute, May 2013 Appendix 4 16. HIPAA Privacy Rule, Definitions, U.S. Department of Health and Human Services, Guiding Principles National Institute of Health. 17. Special Publication 800-146, “Cloud Computing Synopsis and Recommendations,” National Institute of Standards and Technology, May 2012. Appendix 5 18. U.S. Department of Health and Human Services, National Institute of Health, Procurement Approaches HIPAA Privacy Rule, Definitions. 19. “2013 Cost of Data Breach Study: Global Analysis,” Ponemon Institute, May 2013 Appendix 6 20. HIPAA Privacy Rule, Definitions, U.S. Department of Health and Human Services, Glossary National Institute of Health. 21. U.S. Department of Health and Human Services, National Institute of Health, Appendix 7 HIPAA Privacy Rule, Definitions. Clause Comparison Matrix
Endnotes •