Streamlining Procurement: Data Centre as a Service

Data Centre as a Service (DCaaS) is the next tranche of work in the Data Centre Strategy. We have been putting a lot of thought into how we can simplify procurement of and reduce transaction costs for cloud and cloud-like services while ensuring that we still meet the necessary procurement requirements. Today’s post is the outcome of this work.

In November 2011, we invited industry to address our cross-agency reference group. Thirty-four companies took part and others provided written responses. The industry presentations helped explain the benefits of cloud computing for the Australian Government and demonstrated to us that cloud offerings are maturing. Our approach to sourcing these services needs to ensure that agencies can consume new services as they become available. We have determined that a standard panel approach will not meet this requirement. Instead, a new approach needs several important characteristics:

  • Flexibility: New services and suppliers should be able to be added regularly and without another full approach to market. Agencies should be able to choose whether to use the service;
  • Agility: The use of a standard, relatively short, head agreement (signed once upon joining the arrangement) and templated quotations, responses and work orders should allow agencies and suppliers to increase the speed of procurement;
  • Balanced Risk: The services should be capped at $80,000 and/or 12 months to reduce the risk exposure and remove the need for complex contracting and related legal arrangements. For example, we are considering whether compulsory arbitration should be a feature of the dispute resolution mechanism to lower the risk of legal costs exceeding the value of the contract;
  • Pre-Qualification: The use of a standard method for suppliers to join the arrangement, including simplified financial checking procedures and verifiable references, should give agencies confidence that they are dealing with reputable suppliers. A simple post-delivery assessment by agencies, collated centrally, should build the bona fides of regular suppliers and identify those that are proven to lack the appropriate capability.
  • Ease of comparison: By allowing suppliers to characterise their services in a quantifiable manner, agencies should be able to choose the types of services they seek from a menu of suppliers.

The attached documentation provides detail about the proposed approach. Remember, we are seeking your comment on these matters. Your views are crucial in assisting us to develop an arrangement that suits the needs of both government and industry. To assist you, the lines in each document are numbered so comments can be easily referenced. You can post your comments on this blog or email the team (datacentres@finance.gov.au) by 30 April 2012.

[Update 3/4/12: Sourcing Approach files updated to correct a dead footnote link on p3]
[Update 5/4/12: Sourcing Approach files updated to correct dollar amount in clause 36]

If you are wondering where to start, consider your views on these two issues:

  • Would your company accept compulsory arbitration to resolve disputes for contracts under $80,000?
  • Would you pay a nominal fee to join the arrangement, say no more than $250, in order to ensure government resources weren’t dissipated in processing applications from highly speculative suppliers?

As part of the consultation, we’ll be conducting a series of industry presentations on DCaaS – watch for details here and on AusTender. The DCaaS Application for Inclusion is planned for release on AusTender by the end of June 2012.

Finally, assuming comments are favourable, we’re also considering a similar approach for an ICT services multi-use list to replace the current arrangements (as discussed in the Portfolio Panels post).

I look forward to vigorous discussions.

John Sheridan


55 Responses so far.

  1. James Watson says:

    One of the biggest challenges is government departments and agencies being able to actually consume the services as they become available. My experience in working with some large corporates is that significant changes are required to internal IT operating models and processes to allow these external services to be procured and consumed effectively. Areas impacted include service management and chargeback. Happy to discuss some of these challenges further.

    • John Sheridan - AGIMO says:

      Thanks James

      This is undoubtedly an issue. We know that several agencies (including AGIMO – data.gov.au is in the Amazon public cloud) already use cloud or cloud-like services. AGIMO has provided a series of best practice guides and DSD has released a guide to cloud security. While these guides will help, like the rest of the IT industry, more work is still necessary.

      Regards

      John

  2. John Sheridan - AGIMO says:

    It’s pleasing to see discussion has begun on this post. This is a key means of engaging with stakeholders and we are keen to make the most of it.

    A question emailed in to us was on the mooted registration fee and whether it would be a barrier to vendors seeking to join the list. We don’t think so. We want to discourage frivolous registrations. Each registration is likely to cost the Commonwealth some $500-1000 in fees and opportunity costs. Ensuring only serious applicants register is thus a useful goal.

    We, and any number of conference organisers also, know that even a $5 registration fee makes people think twice about registering on the off chance they might attend. Without a commitment, even a nominal one, many such registrants don’t show up. It’s that mentality that we are seeking to address. It’s not about recovering costs.

    I also don’t think it is a significant barrier, even for the smallest of businesses. It’s hard to envisage how a business with enough hardware to provide this type of service to government could be discouraged by such a fee.

    I’d welcome more discussion on this matter.

  3. John Sheridan - AGIMO says:

    A second question was about the need to identify from where the services are being provided – perhaps both the nationality of the service provider and the location of the facilities.

    DSD recommends against outsourcing information technology services and functions outside of Australia, unless agencies are dealing with data that is all publicly available. DSD strongly encourages agencies to choose either a locally-owned vendor or a foreign-owned vendor that is located in Australia and stores, processes and manages sensitive data only within Australia. DSD notes that foreign-owned vendors operating in Australia may be subject to foreign laws such as a foreign government’s lawful access to data held by the vendor.

    In these circumstances, I think it is useful to have all services available under the panel fully described – particularly where like services can be quantitatively compared. Many of the characteristics that could be used to describe a vendor’s services may not be mandatory – but they will allow agencies to understand what is being offered for the public’s money and how price and risk can be balanced.

    What do you think about this issue?

    • Derek Fittler says:

      John
      Hi. Macquarie Telecom views the inclusion of the Service Origin (both nationality of the provider and location where the service is provided) in the standard Service Catalogue information set as a critical requirement for the success of the DCaaS initiative.

      We see this on a number of levels:

      (1) First, data classification of Government information is, as you have noted, a key determinant on where that information may reside – including that in certain circumstances it must remain on-shore. This reflects DSD’s remit in relation to information security.

      (2) AGIMO’s Best Practice Guide on “Privacy and Cloud Computing for Australian Government Agencies” has also noted the obligations Agencies have with respect to the proper protection of personal information of citizens. The information on the Service Catalogue is relevant to an Agency’s consideration of what is the best service for its needs, how it will ensure compliance with the Privacy Law in relation to personal information, and whether Australian law will automatically apply to that service.

      (3) Extra-territoriality of foreign laws is also highly relevant to the take-up of DCaaS. Laws, such as the US Patriot Act, are recognised as having reach inside Australia to foreign companies operating in Australia. This is reflected in your blog and acknowledged by DSD and AGIMO practice guidance. The legal status of the vendor and whether they are operating in another jurisdiction is relevant to proper decision-making.

      (4) There is also, perhaps more indirectly, a consideration of whether the Government’s procurement is fostering the development of the IT industry within Australia – this is particularly relevant to the supply of services by SMEs. We do see the sourcing methodology AGIMO is using as helping to promote more opportunities for Australian (and NZ) SMEs.

      Macquarie Telecom is an Australian company providing services in Australia in Australian owned, T4 certified data centres (included on the Data Centre Facilities Panel). We certify that Australian Government data will remain in Australia.

      Along with a number of like minded providers, we support the OzHub initiative. OzHub members guarantee that in relation to the services that they provide in Australia the data will remain on-shore. This is independently audited. For further information follow the link http://ozhub.com.au.

      As such, we do believe that having this information publicly available on the Service Catalogue should be a mandatory element of the operation of DCaaS MUL.

      I hope this helps to spur your conversation starter along!

      Regards
      Derek

      • John Sheridan - AGIMO says:

        Thanks Derek,

        I think this is an issue of ‘horses for courses’. We anticipate that many of the characteristics that will be used to describe services provided under this proposal will allow services to be differentiated.

        For example, one agency might have a critical service that needs 99.999% reliability while another only needs 99%. Paying for only what you need is important in terms of value for money – so knowing what is being provided informs the procurement decision. We don’t want to be specifying what is required – because bespoke services are more expensive. Allowing vendors to describe their services quantifiably is the preferred direction.

        That said, there is nothing wrong with overseas data centre services if that is appropriate. data.gov.au has a front end outsourced to an Australian provider, which, in turn, uses a data centre in Sydney. The data itself is in an overseas based public cloud – because it doesn’t require a higher degree of security.

        Regards

        John

  4. Damian Fawkner says:

    I notice in the Project Sourcing Approach Q54 – about standards, I’m interested in you clarifying what you’re after with the following statement -
    DCaaS vendors should describe their approach to information security in terms of the guidance found in the Protective Security Policy Framework (PSPF) and the Information Security Manual (ISM).

    The PSPF is necessarily high level and the ISM is necessarily low level. What level are you wanting the vendors to go to in order to satisfy questions around their products and InfoSec?

    • John Sheridan - AGIMO says:

      Thanks for your question Damian. I am not sure that I would characterise the PSPF and the ISM in the manner in which you have. The ISM certainly provides more detailed guidance than the PSPF but the latter still contains relevant points, particularly in the INFOSEC requirements found on pages 24 through 29. In the ISM, if you select the Industry Engagement and Outsourcing filter on the page to which I have linked, you will find some quite definitive advice at not too low a level.

      Eventually though, I anticipate we will be asking potential vendors to provide simple yes/no answers to a series of questions framed from the guidance of the PSPF and ISM. This will allow agencies to determine which levels of security are available from which vendors.

      Regards

      John

  5. Michael Cuddihy says:

    “services should be capped at $80,000 and/or 12 months to reduce the risk exposure and remove the need for complex contracting and related legal arrangements. ”

    Regarding the above, I am not sure that changing from a panel or standing offer to a MUL will remove the need for complex contracting and related legal arrangements.

    I suspect that it will mean that agencies will split orders into sub-80k chunks (I know they are not supposed to do this).

    Or alternatively, line smaller agencies, whom I thought the DCAAS was aimed, may need to overcome the complex contracting and legal arrangements which seem to have prompted a change in approach from AGIMO.

    Am I missing something here?

    • John Sheridan - AGIMO says:

      Hi Michael

      Let me try and explain it better. Procurements below $80k are not ‘covered procurement’ in the context of the Commonwealth Procurement Guidelines (para 8.4a). This means that they do not need to be procured through an open RFT. Instead, agency Chief Executive Instructions apply. Normally, these require three written quotes and the delegate makes a value for money decision on these.

      In the absence of a multi-use list or similar arrangement, agencies need to do market research in order to find companies from which to source quotes. This is time consuming and resource intensive. The list approach establishes a list of vendors whose circumstances have been confirmed (through a company check) and whose capabilities are well described (through the list process). Normally, agencies would still need to negotiate a contract with the chosen vendor for each job. Both sides need legal advice and additional time is consumed.

      This proposal establishes a single contract (head agreement) with the Commonwealth (represented by AGIMO) once for each vendor. Agencies source services through a (template based) statement of requirement. Vendors respond through a (template based) quotation form. Finally, agencies procure services from the chosen vendor by signing a (template based) official order under the head agreement. Lawyers aren’t necessary. Because the vendors’ services (including the SLAs they offer) are established as part of the process to join the panel, these don’t need to be negotiated either – it’s like choosing from a menu. In this way, we think the transaction costs will be reduced for agencies and vendors both.

      I think our strong audit processes show that generally agencies don’t deliberately flout the CPGs by breaking up procurements. In any event, the sort of services sought through this proposal (cloud and cloud like for small agencies) are probably not going to exceed $80k. One gets an awful lot of cloud computing for $80k these days.

      In summary, this should be a lot easier for small agencies and also suitable for some larger agencies, depending on the service being sought.

      I hope this explains our thinking further. Thanks for your interest.

      Regards

      John

  6. John Sheridan - AGIMO says:

    We’ve had two more questions through other channels today. The first was about references. We propose that vendors seeking to join the list will need two references. They’ll need to be recent, relevant and from customers broadly comparable with the needs of government. That said, we’d welcome your views on this subject too. Is there a better way to gain confidence in the abilities of potential suppliers?

    The second was in regard to whether the services would need to be delivered from a data centre on the Data Centre Facilities Panel.

    Providers may choose to locate their services at a data centre on the Panel, but this is not going to be a requirement. This is because the services that would be available through this proposal are limited to $80k and 12 months. This length of commitment is very different to a lease through the Facilities Panel which is normally of 10 years duration and 500m2.

    If you have any other questions, please let me know – here on the blog, at the email address shown above or you can even tweet a question to me (@sherro58).

    Regards

    John

    • Derek Fittler says:

      John
      I read with interest your clarification of AGIMO’s thinking in not making it a requirement that DCaaS is provided from a data centre on the Data Centre Facilities Panel (DCFP).

      An obvious benefit of the proposed sourcing strategy is that it provides a ready framework for Government to take advantage of the efficiencies and flexibilities that cloud type solutions offer. Macquarie Telecom supports this and we acknowledge that term is clearly one of those advantages.

      We do, however, think that there are other considerations that might prompt government to revert to its initial stance on DCaaS as being provided within data centres on the DCFP. The two areas that stand out to us are:

      (1) energy efficiency/carbon emission reductions (as contemplated by the “ICT Sustainability Plan 2010 – 2015” and the Data Centre Strategy’s $1 Billion in avoided costs) – which Data Centres on the DCFP are required to regularly report to AGIMO on – this would seem to link to the assessment by Government of the avoided costs saved by the relevant DCaaS offering; and

      (2) security (particularly in relation to any classified data) – the DCaaS contemplates different security levels for the service, but this seems to be more focused on electronic security. There still remains the issue of physical security to an independently auditable standard such as ASIO T4 (Intruder Resistant).

      For the purpose of transparency with other readers of the blog, I note that Macquarie Telecom does have approved facilities on the DCFP.

      Regards
      Derek

      • John Sheridan - AGIMO says:

        Hi again Derek

        I don’t think we have ever said that DCaaS could only be provided through data centres on the Facilities Panel. A vendor who had such a facility might also be able to turn their hand to DCaaS but the two models are very different. Three months worth of test and development for a new project is a very different proposition to a five year lease for a production environment. Similarly, the requirements for hosting a public facing blog site are likely to have a lesser focus on security than some other scenarios.

        Sustainability, particularly in the face of rising electricity prices, is likely to be an enduring priority for government. I think PUE will be a characteristic vendors will be asked to quantify so more efficient vendors will be able to show their wares. This openness and comparability will be a key feature of DCaaS.

    • Gary Marshall says:

      Whilst a nominal registration fee isn’t particularly onerous, would the need to provide 2 relevant & appropriate references do away with the need for even a low fee? Would that be more in-line with other IT-related panels in the Gov’t Sector where there is a similar proliferation of offers?

      Separately to this, having organisations go to the effort (& cost) of registering, how would AGIMO proactively encourage Gov’t Departments / Agencies to buy from the DCaaS panel/arrangement rather than external to the panel?

      • John Sheridan - AGIMO says:

        Hi Gary

        Thanks for participating in the debate. You make an interesting point. I guess that if we checked references first, that would allow us to decide whether to proceed with the rest of the registration process. In turn, that would save resources if the references didn’t deliver what was required. However, some resources would still be expended to check the references. We’ll keep the idea in mind as we finalise the proposal.

        On your other questions, AGIMO’s coordinated procurement arrangements have proven to be valid saving mechanisms for agencies. We think agencies will thus be motivated to try the service and, if it does turn out to be cheaper and easier to use, they’ll continue to do so and spread the word. We would continue to encourage use of the arrangement through all the various channels we use now – the CIO Committee and Forum, the Senior Procurement Officers’ Reference Group, the regular procurement forums, this blog, etc.

        Regards

        John

  7. Derek Fittler says:

    John

    Macquarie Telecom supports the general sourcing framework that AGIMO is proposing to use for phase 1 of the DCaaS.

    We are vigorous proponents for government adopting cloud or similar services. There are numerous reports that identify the potential benefits and, in our view, government generally and the Commonwealth Government in particular, has a critical role in the adoption of cloud in Australia and encouraging continued innovation by the Australian ICT industry.

    It has taken some time, but it is encouraging to see that there is now a framework that when implemented can readily facilitate the purchase of IaaS, PaaS, and SaaS offerings as and when they become available. We do think that the ability to readily add new services and features will be key to the success of the MUL mechanism.

    We note that in discussions with industry, government and the corporate market, there is a general interest in obtaining a service that can be (independently) certified once and used by many. To this end, I wonder if AGIMO might consider extending the scheme to allow for an “Australianised” version of the US Government FEDRAMP initiative (to certify that the offering meets certain specified criteria)?

    While this may result in comparatively expensive certification costs for vendors, a clear benefit is that it might more readily facilitate both government and the private sector (particularly regulated industries) being able to rely on the one certification of that cloud environment rather than incurring those costs on a case by case basis.

    Regards
    Derek

    • John Sheridan - AGIMO says:

      We’ve been watching FedRAMP with interest. It has some obvious parallels with the iRAP security assessment program. A similar model may well have applicability for DCaaS in some circumstances. However, there may be other ways of achieving equivalent results. I wonder if other readers have ideas about this?

  8. Jack says:

    Derek, as an operator of a data centre on AGIMO’s data centre facilities panel and a provider of managed and cloud services, your proposal suits your business very well. But how would it suit a small provider supplying an IaaS service for an unclassified static government website?
    Your proposal would predominantly suit large providers seeking to win large contracts with government. From what I have read of the DCaaS proposal, it levels the playing field for all providers of cloud services.
    Way to try skewing it for the big guys.
    Regards
    Jack

  9. Jason McClure says:

    There are a number of Foreign owned and locally owned players already providing services to the Government without issue, from both Data Centres on the existing panel and Data Centres not on those panels. I am amused, especially as a representative of an Australian company, about the arguments made which seem to support agendas.

    The IaaS, PaaS and SaaS aspects, which are not the only elements proposed to be met through the DCaaS sourcing, are just another way of procuring IT through Cloud services. Where reputable providers with an Australian presence have been used in the past I am unaware of any off shore issues. Hence I am comfortable with the proposed sourcing strategy meeting the security and procurement policy requirements of government whilst allowing the flexibility to agencies needed. After all my company doesn’t need policy to make us more competitive, we can do that on our own merits, including competing with foreign owned and utilising panel data centres. I expect government will monitor the security elements over time.

    As a SME we don’t see the issue of a registration fee to assist in recovering costs, providing it’s not too onerous. I am assuming the ongoing administration of the list/panel is not going to ensure fees are charged ongoing to be a member.

    I would note that limiting contracts to 12 months/less than $80,000 would present some challenges if there wasn’t the opportunity to roll them over without going back out to panel market, as it may take 6 months for some solutions just to be established and accepted by the agency into production.

    Whilst this is a down the track issue potentially, AGIMO at the industry briefing discussed the requirement to interact or integrate with Gateway providers under the Gateway consolidation activity currently being undertaken by government. I would suggest that AGIMO looks to consider if this needs to be reflected in the proposed contract and where the responsibility and liability for services would rest where DCaaS are provided within a security zone greater than Unclassified.

    Jason McClure
    Sliced Tech

    • John Sheridan - AGIMO says:

      Thanks Jason

      On your first question – ongoing fees to be on the panel aren’t envisaged. The costs of maintaining the panel in outer years would probably be based on a very modest fee for agencies using the panel – enough to support a couple of FTE per year to manage it. We experimented with subscription fees during our earlier exploration of the Whole of Government ICT Services Panel policy and they weren’t received well.

      The limits are about managing risk. There won’t be anything to stop an agency (if their Chief Executive Instructions allow it) from getting quotes again and choosing the same supplier but we aren’t contemplating extensions in a purely technical sense.

      Your last point is also interesting. I am going to need to think about it some more. Are you envisaging DCaaS services being provided inside an agency’s firewall boundary?

      Regards

      John

      • Jason McClure says:

        Hi John,

        I do feel there is a requirement to allow the flexibility to provide services within the agency’s security domain, as we have discussed a requirement for these types of services with agencies already. Hence we stood up our own DSD certified gateways to enable the hosting and connection of Cloud services to the internal environment.

        We also have been in discussions with agencies to leverage our on premise offerings or providing IaaS and PaaS as a private Cloud environment remotely.

        Whilst this may only need to be dealt with by an individual agency at architectural/solution level; for AGIMO it may have some implications for gateway rationalisation across government, especially if there are less providers of gateway services and/or government wants the choice of cloud providers to include those that are more than the current outsourcers.

        Regards,
        Jason

        • John Sheridan - AGIMO says:

          Thanks Jason,

          We originally considered a “data centre operations as a service” category in DCaaS which would match (at least to some extent) the idea of on-premises services. We will examine including this in the final proposal.

          Regards

          John

          (PS: I deleted the two duplicate copies of your comment.)

        • Martin says:

          With reference to the theme of Jason’s germane post, the ability to leverage the existing security domain inside the Internet gateway(s) for delivery of services may have significant advantages for government.

          Benefits may include; reduced dependence on the availability and performance of Internet gateways, increased utilisation of existing agency ICT resources, improved time to market of service enhancements, simplified strategic service development, leveraging offerings from smaller and innovative suppliers.

          • John Sheridan - AGIMO says:

            Hi Martin

            Thanks for your comment. I think the interesting thing about this possibility is how it would be done practically. It seems to me that it isn’t the sort of service we are exploring through this proposal. Something inside the wire and on government infrastructure doesn’t feel like “as a service” to me. Have I misunderstood your meaning?

            Cheers

            John

  10. Chris O'Neil says:

    Michael Harte, CIO of CBA in his speech at the February ITNews conference expressed his desire for the cloud. He saw the cloud as a means to create a competitive advantage by creating contestability. His concerns were around maintaining public trust, consumer privacy and most of all data security. He mentioned the World Economic Forum as saying that personal data is the new oil of the Internet, new currency of the digital world. I see these same messages resonating with Federal Government and applaud the steps being made to leverage the cloud.

    http://www.itnews.com.au/Topic/291828,itnews-executive-summit-sydney.aspx

  11. Chris O'Neil says:

    DCaaS Sourcing Approach Feedback
    Line 51: In its current form it reinforces the perimeter based security model. I would like to recommend including “Payment models” options that support the securing of the actual electronic data, “new oil” in the cloud.

    This would mean including in the payment model a “per-device” and a “per authorised user”. Such additions encourage supporting data-at-rest security as being implemented in Singapore in response to pending legislation and addressing shortcoming in the perimeter based security model as tabled at the US Senate Armed Services Committee.

    Singapore MICA
    http://app.mica.gov.sg/Default.aspx?tabid=488

    US Senate Armed Services Committee
    http://www.theregister.co.uk/2012/03/24/congress_dod_pwned/

    The outcome of this change would encourage cloud providers to utilise data storage infrastructure capable of encrypting data. This technology is available today by some of the world’s largest ICT vendors though not consistently offered by all ICT vendors.

    The benefit to Government is the locality of where data is stored becomes less problematic and therefore competitive advantage through contestability can be achieved. With respect to the PSPF and ISM policies opportunity would then exist to possibly trigger a review that could support government cloud initiatives while maintaining a measured risk approach.

    • John Sheridan - AGIMO says:

      I agree that encryption in the cloud is likely to be a growing trend. I expect that the availability of encryption will be a characteristic about which information is sought from vendors.

  12. Chris O'Neil says:

    DCaaS Sourcing Approach Feedback
    Line 74: I recommend sourcing feedback from the various user groups of the agency such as operations, executive, risk, security, procurement and legals.

    This will provide more rounded feedback on how well the model is working. Perhaps define “agency user” as including the above suggestions.

    • John Sheridan - AGIMO says:

      It will be important to achieve a balance between sufficient feedback and an onerous process that agencies will be inclined to avoid. I’m inclined towards a simple process with which it is easy to comply.

  13. Chris O'Neil says:

    DCaaS Sourcing Approach Feedback
    Line 130 – 134: To meet qualitative analysis for participation the applicant should be able to demonstrate capacity with the Commonwealth as defined OR with a State or Territory Government body OR a Commercial Industry (where services are of a similar nature or can demonstrate the ability to scale up to the requirements of the DCaaS customer under this agreement).

  14. Chris O'Neil says:

    DCaaS Sourcing Approach Feedback
    Line 152: Agencies will be able to list ‘wanted’ services ... should be for public consumption instead of being exclusive to MUL members therefore stimulating innovation and driving contestability of services.

  15. Chris O'Neil says:

    DCaaS Sourcing Approach Feedback
    Line 213 – 218: the statement says, “if pricing is lowered by a supplier for a particular service, the new price will apply to all new work orders”

    This requires clarification because Line 209-212 implies agencies can negotiate unique rates with the supplier BUT also these arrangements may be prices below the list price BUT according to the Line 216-218 that negotiated rate would then apply to all future work orders. Line 145-146 also says the periodic adjustment of prices, with price INCREASES or reductions will apply to new work orders.

    As work orders have no minimum time frame agencies will be seeking to regularly watch the listed price which provides the vendors minimal certainty on future revenue forecast. The Commonwealth may also incur a lot of increased cost due to project management and legal’s resulting from agency churn between providers while this industry is still evolving.

    Recommend that prices need to be submitted to AGIMO upon successful negotiation of each work order and a variation % is permitted around the publicly available list price. A minimum term of 3-6 months be set. This would still encourage competition while still supporting the contestability benefit sought by the Commonwealth.

    • John Sheridan - AGIMO says:

      I’ve touched on this below in response to the comments from Tim. We’ll need to consider how to achieve the principle of the same price for similar services.

  16. Chris O'Neil says:

    DCaaS Sourcing Approach Feedback
    Line 266 – 267: If agencies report their cost avoidance will they be able to keep these savings to spend on other IT projects?

    Recommend they are able to keep the savings that exceeds efficiency dividends they presently are required to make.

    This will support industry innovation as the available financial pool may shrink but not significantly enough that it discourages participation.

    • John Sheridan - AGIMO says:

      Hi Chris

      You have been busy!

      Let me deal with the easiest one first – there is no cost recovery mechanism in the Data Centre Strategy at all. Technically, avoiding cost means not having to ask for more money. Savings mean spending less than is already allocated. Consequently, avoided costs can’t be recovered.

      That said, only one of all the ICT coordinated procurement measures returns savings to the Budget (Internet Based Network Connections). Agencies keep all other savings.

      Regards

      John

  17. [...] foreshadowed, I’d like to invite representatives from industry to attend a briefing session on the Data Centre [...]

  18. Claire Brereton says:

    I would be interested in the views of AGIMO and potential MUL participants on the inclusion of certification to the global IT Service Management standard, ISO/IEC20000.
    This standard was adopted by Australia in 2007 and Australians have had significant influence on its development.
    Any supplier who has ISO/IEC 20000 certification can easily show that they have a robust and auditable set of service management processes. This would make AGIMO’s due diligence task far easier.
    ISO/IEC20000 is actually one page shorter than the global quality standard ISO9001.

    As a general comment, I believe that a significant national uptake of this standard would dramatically decrease the cost and risk to organisations of implementing a cloud strategy using Australian vendors, and if a Government mandate is what is needed to ‘start the ball rolling’ then this would only be good for Australian business and national productivity.

    It may be a bridge too far for AGIMO to mandate ISO/IEC20000 certification at this stage, but perhaps a requirement to see certification plans would be a good first step.

    Looking forward to hearing views on this.

    • John Sheridan - AGIMO says:

      Thanks Claire

      ISO/IEC 20000 certification could well be a characteristic about which we ask potential vendors for information but I don’t see it being a major discriminator at this stage given the relatively low level of adoption across Australia. Asking for vendors’ plans to achieve certification is unlikely to be all that informative as such plans would then need to be monitored and assessed, etc. We’re trying to avoid such qualitative assessments in this procurement in order to keep it simple.

      Regards

      John

      • Claire Brereton says:

        Asking vendors about certification or plans to achieve certification would be a step in the right direction, even if it was not used as a major discriminator at this stage of the standard’s adoption in Australia. It would certainly raise awareness of the benefits of ISO/IEC20000 to both vendor and client. That in itself will lead to a greater uptake, which can only be good for the Australian IT industry.

  19. Martin says:

    Hi John

    With reference to your reply to my previous comment (no reply link on your post, perhaps a limitation to nested comments on the blog) I think you have captured my meaning nicely.

    There are a number of services suitable for multi-agency use that would require DSD security certification. Completing the certification process and building the necessary secure infrastructure outside the wire is time consuming and costly to potential providers, adding to service delivery costs, proliferating external secure gateways and, perhaps, moderating the engagement of smaller, innovative suppliers.

    Enabling, as you mention in your response to Jason, a “data centre operations as a service” category in DCaaS may interest larger agencies and permit suppliers and the larger agencies to collaborate, share intellectual property, and speed time to market of secured services that can be provisioned to the smaller FMA agencies using an “as a service” approach.

    • John Sheridan - AGIMO says:

      Thanks Martin

      Yes – it is a nested comment issue.

      We are also considering using a similar procurement approach for the new ICT Services Multi-Use List. This may be a better fit for the type of services that you are suggesting. We’ll keep your idea in mind.

      Cheers

      John

  20. Tim Olivier says:

    As a global provider of cloud services Dell welcomes the opportunity to provide feedback on the general sourcing framework that AGIMO is proposing to use for Phase 1 of the DCaaS offering. Dell has had the opportunity to review the comments of other interested parties on the AGIMO Blog and, broadly speaking, agrees with those comments.

    Dell offers the following additional comments.

    DCaaS Project Sourcing Approach document

    Lines 28-29 – The DCaaS offering overlaps with services available to agencies under the Data Centre Facilities (DCF) panel, albeit that the latter are not cloud services. What (if any) impact does AGIMO anticipate the new offering will have on demand by smaller FMA agencies for hosting services under the DCF panel? Dell’s understanding is that AGIMO had originally envisaged these agencies’ hosting services requirements being aggregated via AGIMO? The availability of the DCaaS offering would arguably negate the need for such an arrangement. Further, the fact that the DCaaS offering does not have to be provided out of a facility that is included on the DCF panel undermines one of the key underpinnings of that panel – namely, increased energy efficiency and the savings to be achieved by agencies as a result of that efficiency.

    Line 32 – The anticipated scope of services available for supply/purchase under the DCaaS offering is unclear. Will it include set-up services such as planning, consulting, application assessment, system and application consolidation and data migration, as well as any other preparatory services required to ensure that an agency is prepared to move into a DCaaS service offering? If so, Dell believes that that $80,000 cap on work order value may become a material impediment to the supply of services under the DCaaS offering. If these set-up and preparatory services are not included under the DCaaS offering, what purchasing arrangement will apply to these services?

    Lines 37-41 – It is not clear whether the initial (12 month) review may result in the MUL being terminated prior to the expiry of the proposed 24-month term of the MUL (the statement at line 65 adds to the lack of certainty). If this is a possible outcome, it is not clear from the DCaaS Project Sourcing Approach document or the DCaaS Deed what (if any) effect this would have on Contracts that had not yet run their full term. Dell recommends that Contracts should survive any premature termination of the MUL.

    Lines 53-56 – If the purpose of the service catalogue is to enable agencies to compare, amongst other things, the price of suppliers’ service offerings, how will AGIMO ensure that service descriptions are normalised to enable agencies to undertake a like-for-like comparison of those offerings? Absent such normalisation, how does AGIMO envisage that agencies will be able to make a valid comparison of competing service offerings?

    Line 113 – The reference to “(which may include pricing)” suggests that suppliers may elect not to include pricing in their service catalogue. Lines 144, 206 and 207 suggest otherwise. Dell requests clarification of this ambiguity.

    Lines 141 and 144 – Dell believes that the publication of pricing lists will not of itself have the effect of creating ongoing competitive tension. Given that pricing lists will be available to the public (and therefore competitors), no supplier is likely to publish its most competitive price for a particular service offering. There is the added difficulty of ensuring that service descriptions are normalised to enable agencies to undertake a like-for-like comparison of service offerings (and thus pricing).

    Line 145 – Under what circumstances does AGIMO envisage that prices in the service catalogue would be subject to increase, given that lines 214-215 stipulate that suppliers cannot increase prices during the term of the MUL?

    Line 154 – The template work order attached as Schedule 2 to the DCaaS Deed contemplates that each work order will contain “Special Conditions” that apply in addition to the terms of the DCaaS Deed (including the Contract Terms in Schedule 3 of the Deed). Given that the DCaaS Deed provides overarching terms that are not specific to cloud services, each supplier will almost certainly have its own (detailed) cloud services-specific terms that it will wish to include in the work order. Will these terms need to be published on the service catalogue? What (if any) scope will agencies have to require suppliers to negotiate these terms, bearing in mind the “low cost” nature of the offering and the potentially very limited duration of a work order?

    Line 157 – What categories of service levels does AGIMO envisage will be offered to agencies? What metrics does AGIMO envisage will be used to measure performance against those service levels? What impact does AGIMO envisage the requirement for service levels will have on pricing and how will this be captured in the service catalogue in a manner that allows for a like-for-like comparison of service offerings?

    Line 160 – What is the purpose of AGIMO’s review of work orders prior to execution? What are the possible outcomes of that review – e.g. will AGIMO have the discretion to direct the relevant agency not to enter into the work order? What processes will AGIMO have in place to ensure that its review occurs in a timely manner and that this requirement does not create a backlog of work orders awaiting execution?

    Lines 205-208 – How will a supplier’s 3rd party costs (such as electricity, software, network and bandwidth) be accounted for in a supplier’s pricing for the DCaaS offering? See also lines 214-215 below.

    Line 207 – What services will fall into the category of “additional services”? Will these include the set-up and preparatory services referred to by Dell in relation to line 32 (see above)?

    Line 208 – Will innovative pricing arrangements be subject to the same pricing rules?

    Lines 211-212 – If a supplier negotiates a price with a particular agency that is below the list price, will the supplier be required to lower its pricing in the service catalogue?

    Lines 214-215 – If a supplier’s 3rd party costs are potentially subject to increase during the term of the MUL then the supplier should have the ability to increase its prices in the service catalogue to reflect any increase in those costs.

    Lines 261-264 – Dell questions the relevance of public liability insurance cover to the supply of cloud services, given that the supply of those services will not require suppliers to enter an agency’s premises. Dell notes that the insurance requirements as spelt out in these lines are not consistent with the requirements imposed under clause 10.1 of the Contract Terms in Schedule 3 of the DCaaS Deed.

    Lines 266-267 – What (if any) effect does AGIMO envisage this requirement will have on suppliers? What (if any) assistance will agencies require from suppliers in order to fulfill this requirement?

    Lines 274-276 – It is not clear to whom agencies will have to demonstrate that services are “still value for money” or how “value for money” will be measured. Will agencies be required to take into account the costs of switching to a new supplier? Dell is concerned that this process overall will be unnecessarily cumbersome and have the potential to outweigh the advantages that a MUL structure has over a panel arrangement.

    Lines 295-296 – The outcome of the decision on whether DCaaS services will need to comply with security or data standards will have an impact on the pricing of that offering. How does AGIMO envisage that the price list address security standards?

    Dell notes that the DCaaS Project Sourcing Approach document does not address the issue of DR standards. What are AGIMO’s expectations on this aspect of the DCaaS offering?

    DCaaS Deed – Contract Terms

    Clause 9 – The limitation of liability should include exclusion of consequential and indirect loss, loss of profits and other similar losses of a purely economic nature.

    Clause 11 – Allowing an agency to “reject” a service without reference to any specific criteria introduces an unacceptable level of commercial uncertainty for any supplier, particularly given that such a rejection will not be subject to the compensation requirements under clause 15.4. Dell recommends that an agency’s right to reject a service be limited to circumstances where it can demonstrate that agreed acceptance criteria have not been met and that the supplier be afforded an opportunity to address the lack of conformity.

    Clause 18 – The scope of the information required to be handed over by the supplier under paragraph (a) is much too broad. The information provided to the agency should be limited to information reasonably required by it for the purpose of engaging a new supplier. The assistance provided under paragraph (b) should be chargeable to the agency unless termination is for the supplier’s default.

    • John Sheridan - AGIMO says:

      Hi Tim

      Thanks for your extensive review of the documents. As I have said elsewhere, this level of contribution indicates that the use of Gov 2 tools can enhance government policy development.

      The team has reviewed your points and I offer the following feedback:

      I’ll respond to each one by referring to the line number or clause number.

      DCaaS Project Sourcing Approach document

      Lines 28-29 – The mandatory nature of the DCF and other whole of government panels are not affected by the creation of the MUL.

      AGIMO is working with smaller agencies to build consortiums to lease through the Data Centre Facilities Panel. This will continue.

      As I said in an earlier comment “Providers may choose to locate their services at a data centre on the Panel, but this is not going to be a requirement. This is because the services that would be available through this proposal are limited to $80k and 12 months. This length of commitment is very different to a lease through the Facilities Panel which is normally of 10 years duration and 500m2.”

      Line 32 – The cost of the entire work order is to be no more than $80K. Vendors need to keep that in mind when submitting the services they would like to list in the MUL.

      Lines 37-41 – The MUL will run for at least two years. The contracts will survive any premature termination of the MUL.

      Lines 53-56 – There will be information required for each service listed on the MUL. The information must be of sufficient detail to allow agencies to make a value for money decision. We’ll be providing a draft of the services form and spreadsheet for listing of the services for comment. I’ll look forward to your feedback.

      Line 113 – Pricing information for services will be required.

      Lines 141 and 144 – I’ve asked for votes on disclosure of pricing and sought for votes. I’m assuming you will vote no (thumbs down).

      Line 145 – The sourcing approach is in draft, so there are a few issues – thanks for highlighting this inconsistency. When a contract is entered into for a service, pricing won’t increase during the term of the specific contract with an agency. If a supplier needs to adjust their pricing listed in the MUL, they can do so – of course, I am expecting pricing to come down rather than up.

      Line 154 – As I’ve commented earlier “Because the vendors’ services (including the SLAs they offer) are established as part of the process to join the panel, these don’t need to be negotiated either – it’s like choosing from a menu”. So the terms and conditions for a service are also needed for an agency to assess whether or not the service meets their requirements.

      Line 157 – The services should be those typically hosted within a data centre. This could be storage, email, website, services, document management, database platform, etc. The more attractive a service is, the more likely an agency will buy. It’s up to vendors to differentiate their services in the MUL. I expect the services that meet agency requirements for support and quality at an appropriate price will be the most likely to receive work. Quality could be assessed by adoption of standards and service levels.

      Line 160 – AGIMO is required to review work orders to ensure the services are in-line with the offering in the MUL. We have noticed through management of WoG panels that sometimes there is confusion on appropriate forms and legal requirements. We will also be tracking the amount of work going through the MUL – this will allow us to see the effectiveness of the MUL. The vendors can assist by making the process quick by providing the contracts being as accurate as possible. We will keep a track of response times, so if there is a backlog we will consider alternative approaches.

      Lines 205-208 – Third party costs, electricity and others, need to be included in the contract.

      Line 207 – Additional services are likely to include setup and decommission costs. They could include export of data or transport of data to agency.

      Line 208 – That depends. Sometimes pricing innovation might be subject to particular circumstances or intellectual property rights. We’d need to consider this further.

      Lines 211-212 – It’s really a question of the applicability of a price to all agencies. For example, in the AGTA, the requirement is for similar services to be priced identically. There is room for discussion on the degree of similarity.

      Lines 214-215 – This is a matter for a balanced approach. Would you be prepared to list the third party costs on which a price was based and then provide transparently the details of any increase? Perhaps, we should have a pass through cost for some third party components?

      Lines 261-264 – Thank you for pointing this out, the Sourcing Approach will be re-drafted to make it consistent with the Deed.

      Lines 266-267 – As indicated in the sourcing approach, the area of cost avoidance needs more work. I am interested in what industry has to contribute – how can they help?

      Lines 274-276 – The official agreeing to the purchase, the agency delegate, needs to be satisfied that the item being purchased (which in this case is a service) offers value for money to the government. This is a requirement for every purchase, be it a pen, computer, desk, building, etc. Because these are not ‘covered procurements’ under the CPGs, agency CEIs will most likely be the governing rules.

      That said, the idea behind this requirement is to prevent contracts from being rolled over without re-evaluation – increasing the risk and decreasing competition. The point about churn costs is well made though. These would need to be considered. However, one of the promises of the cloud is for standardisation and transferability of services. If this promise is fulfilled, churn costs should be minimised.

      Lines 295-296 – This is addressed in Lines 53-56 and Line 157. I anticipate that vendors will describe whether their offering meets a particular standard and price it accordingly. It may be possible for a vendor to price the same basic service differently according to the level of security, reliability or some other characteristic.

      Regarding Disaster Recovery standards. A service offering disaster recovery may be a deciding factor for an agency on selecting a service, but it may not – it depends on an agency’s requirements.

      DCaaS Deed – Contract Terms

      Clause 9 – We’ll consider this point further.

      Clause 11 – I’m inclined to agree. We’ll consider this further too.

      Clause 18 – I’m inclined to accept the notion of reasonableness in this regard. The intention of the clause is that contracts be ‘non-sticky’, meaning that an agency can quickly, cleanly and easily transfer from one contract to another. While the estimated cost of providing the assistance should be taken into account when calculating the total cost of the services, we wouldn’t want this to inadvertently increase costs and complexity.

      Thanks again for your contribution.

      Regards

      John

  21. John Sheridan - AGIMO says:

    We continue to be very grateful for the effort our correspondents are making in responding to this subject, both here and by email and other means. It’s reassured me that this is indeed a useful way of canvassing views from stakeholders about these issues.

    It is also worthy of note that most of you have been willing to use real names and company identifications. This is an important vote of confidence in the approach. It’s not that we mind receiving anonymous comments but serious discussion is improved if people can be identified.

    Please keep up the good work!

    Another issue raised outside the blog is about the concept of publicly releasing the prices being offered by vendors. Several correspondents have suggested that such information should be available to government customers but not the general public. This is an interesting issue. Some USA government prices are available publicly (from http://www.gsa.gov and http://www.apps.gov) but others are not. Sometimes these are maximum prices – if you negotiate a large buy, you get a better discount.

    The UK Government Cloud Store does have pricing available for all to see.

    We’re not wedded to a particular view at this stage. We’d like to hear from you about the issue. Comments are eagerly sought.

    As a test, I’d invite you to use the voting buttons on this particular comment to show your opinion. If you think pricing should be available publicly, vote ‘thumbs up’, if not use ‘thumbs down’. I’m not promising to abide by the final vote but I would like an indication of views. (NB: you can only vote once from a single machine – I found out by trying to ‘like’ my own posts!)

    Regards

    John

  22. Ross Dewar says:

    Thanks John for creating this blog and watching it so diligently. Several thoughts I’ll throw out there for general consideration:

    1. We do think that Government Agencies can and should be quite challenging in what they demand from the market. Microsoft-as-a-Service, at least, is a very mature, stable, secure and efficient model at scale. Wonderful outcomes are being achieved in the commercial sector, and with thought and attention to the additional needs of government, the best providers will quickly rise to the top.

    2. The value proposition to take up services from the MUL will be heightened when Government Agencies consider the reduction in their total cost of ownership (TCO) for the service. Encouragement of TCO to be considered as one of the service measures will provide tangibility and support of DCaaS objective to “reducing agency procurement overheads and reducing the costs of the procured services”. Do you see TCO being introduced as a measure at some point?

    3. Scale is key. If no one achieves scale then the ability to provide reduced cost of services to Government Agencies is impacted. Potentially Government Agencies may not realise the benefits being gained elsewhere in the economy. Wondering your view on this if the barriers to entry (of the MUL) is set too low? An emphasis on proven ability to deliver (rather than brochure-ware) will be a key. I’m sure the astute buyer will appreciate this added assurance! We do however see plenty of organisations saying they have the ability without any hope of delivering. We are concerned that amateurs don’t taint the whole model. Accreditation and referencing will be critical in any approach.

    4. How do you see Government Agencies being incentivised to move from the “dedicated” server model? Dedicated infrastructure has its time and place of course but savings will be limited without the advantage of scale and leverage. The majority of smaller FMA/CAC agencies potentially have compatible functional and security needs and a modern secure Private Cloud is eminently adequate for their needs and frankly the only way they will realise meaningful IT saving. We see this every day with commercial organisations. How do we help Government Agencies think that way?

    5. Also, an educated approach to concentration of services is important in efficiency. A Government Agency with too many providers, hosting services in different places, in different ways on different platforms will probably have more cost and risk in integrating them than they faced in the first place!

    6. Like point 2, let the industry be more up-front about taking on the challenges of the public sector efficiency dividend. What better chance, in terms of IT costs and productivity, does a smaller agency have of getting there, than to avail itself of this new model?

    We are greatly encouraged by the DCaaS MUL opportunity and are keen to get behind it as the model is deployed and matures.

    Ross Dewar – Managing Director
    Emantra Pty Ltd

    • John Sheridan - AGIMO says:

      Thanks Ross, you raise some interesting points. Let me try and respond usefully to a few of them.

      To quote from Tony Jones on Q and A, I’ll take point 1 as a comment.

      Regarding point 2, TCO must be taken into account in order for an agency delegate to ensure value for money is being achieved. It doesn’t need to be included specifically.

      On point 3, the need to provide referees and our intention to develop an assessment profile by users of a service should mitigate against the risks of choosing inexperienced providers. Of course, the $80k threshold reduces the amount at risk as does the preference for payment in arrears. This type of service may well be an opportunity for new suppliers to enter the market so we don’t want to unnecessarily restrict competition.

      Point 4 is, of course, one of the reasons we are exploring this approach. A single private cloud for an agency might not be the only effective solution. Hybrid clouds and the use of public cloud for non-sensitive information, such as publicly facing websites, also have applicability and may offer greater savings than private clouds.

      Point 5 – that depends – and will be a matter for agencies to decide.

      Point 6 – see point 1.

      Thanks for your contribution.

      Regards

      John

  23. Loretta Johnson says:

    AIIA Comments on DCaaS Draft

    MUL

    While a step forward towards the broader adoption of cloud services by government, it is unlikely that the MUL will help to facilitate any form of larger, whole of government initiative in the short term.

    Further, the MUL could do more to highlight the benefits to smaller agencies of acquiring cloud solutions to save on overheads. If the broader goal of DCaaS is to contribute to saving $1 billion in data centre costs over the next 25 years then it would be worthwhile doing more to help facilitate moving small agencies towards cloud.

    At this early stage in government’s engagement with cloud service providers, the MUL approach is an acceptable first step that does not require months of certifications and tenders in order to gain visibility with the agencies. However, there is a need for government to recognise that in order to achieve its cost saving goals, it will need to be more proactive.

    The $80k limit

    While the $80K cap is something of a limitation, $80k/year/contract will typically buy a good quantity of cloud services – especially for smaller agencies. It would be beneficial to allow contracts to be rolled over for additional years, so agencies do not have to request tenders every year. Further, there is nothing to prevent agencies making larger purchases outside the MUL framework. It would be beneficial to review the MUL framework in 2013 to potentially open it up for larger contracts and projects.

    The global ‘public’ cloud and data location

    The requirement in the Service Catalogue to give the Origin of Service information will be challenging for global, public cloud providers (para 7): “Origin of Service: Name of city and country from which the service is provided.”

    The future vision for the cloud is the global, ‘public’ cloud which uses highly scalable, secure and reliable multi-tenant infrastructure. In this context, it is important to bear in mind two key aspects of the public cloud:

    1. The internet, and the cloud, are global in nature – the existing international legal framework is already able to address any challenges that may arise.

    2. Cloud service providers have a strong commercial incentive to protect the privacy and security of user data. The cloud, and the internet for that matter, are inherently global infrastructure and architecture. They were not designed with specific countries or boundaries in mind. The value proposition of the cloud is that it is global – this makes it resilient, secure and cheap.

    Given this global nature, the physical location of data and services can be considered in the decision making process of acquiring cloud services, but should not be seen as a fundamental factor determining whether to use cloud services or not.

    Distributed networks and the public cloud support the ongoing evolution of cloud technologies and ensure highly secure and cost effective services for users.

    Impact on existing Government contracts and pricing

    Based on a reading of section 40 and section 51 of the Project Sourcing Approach and further the definitions of ‘Agencies’ and ‘Conditions of Participation’ and clause 14.4 of the DCaaS Deed, there may be an inadvertent potential impact on members’ other Government contracts and pricing; proposing contract provisions in each Government contract to neutralise this is potentially an onerous path. Perhaps a solution might be for AGIMO to include provision in its contract eliminating this, for clarity for all parties?

    Variation of prices and terms

    This will be a public panel for Federal Government Department/Agency usage with small (< $80K) requirements that can be satisfied with an 'As a Service' utility capability. Given section 34 and section 35 of the Project Sourcing Approach and as further given effect to by clause 12.3 and clause 12.4 of the DCaaS Deed, any price adjustments have a deleterious and limiting effect. In the case of reduction, whether deliberate or inadvertent, it essentially sets a new price point for future transactions. In the case of a price rise, which may be brought about by sudden exchange rate fluctuation, there is no apparent mechanism to adjust the pricing accordingly. For these reasons, it could be interpreted as an unreasonable influence on free market activity. Given the public nature and size of this panel with all vendors using public pricing it would seem that letting normal market forces act would be a more preferable approach. We recommend these conditions be excluded from the contract.

    ‘Public’ pricing

    Members are concerned about the approach to publicly listing pricing schedules, which is likely to result in an RRP-type approach to declared rates, and ultimately in higher prices paid by government customers. Such an approach also has ramifications for the business cases of developing specific government cloud offerings, since the prices of such services are likely to be compared with that of commercial and public cloud services with little regard to the specific characteristics of the service.

    We would advocate a price disclosure regime consistent with the Whole of Government Panels, where government customers can see the prices offered by suppliers, but those prices are not available to the general public.

    Loretta Johnson
    General Manager, Policy and Government Relations, AIIA

    • Derek Fittler says:

      Loretta/John

      Hi. Macquarie Telecom recognises that AIIA is a broad church and the collective view does not necessarily reflect all individual member views. We support a number of the comments made (particularly those around variation of price and terms), but Macquarie Telecom does not fully agree with all those views.

      We do not accept that cloud and internet only has a global future. A recent KPMG Report (sponsored by Government and AIIA) has determined that there are large GDP benefits to the adoption of cloud. There is also a growing argument that Australia can be a hub for cloud and that this can support Australian innovation and jobs. (We note your own comments this week supporting this John).

      The AIIA’s statement that there is an existing international legal framework to address challenges is simply incorrect. There is no overarching law of cyberspace and no ready recourse for conflicts of laws in situations such as the conflict between, for example, the US Patriot Act and Australian Privacy laws. AGIMO’s own guidance papers on cloud reflect this.

      A recent survey conducted for OzHub (www.ozhub.com.au) by AusPoll gave some insight into consumer views on cloud and where data (including personal information) is held. Over 80% of respondents did not know where their data was held. We think that industry should be upfront on this issue. That way informed decisions can be made (and in a government context risks – including security considerations – addressed). As such we support the inclusion in the Catalogue of a requirement to specify the Origin of the Service. Transparency is a better outcome for all.

      There is clearly no “one” view on these issues.
      Regards
      Derek

  24. Argus says:

    As a long-time Canberra-based IT consultant, I just want to make an observation, which I’m not sure has yet been taken into account fully as AGIMO develops its Sourcing Approach and legals.

    The NIST definition referenced notes the central feature of cloud services is the self-service nature of the offering. Flowing from this (and specifically noted by NIST), there is a shift in responsibility relative to third party fully managed services – especially in PaaS and IaaS scenarios – from the provider to the consumer: eg, in IaaS, “… The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls)”; in PaaS, “…The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.” (The NIST Definition of Cloud Computing p2-3)

    As it currently stands, the Sourcing Approach does not seem to reflect and explain adequately this shift in responsibility, especially for prospective Agency customers. If AGIMO agrees with the observation, the shift and its effects deserve some greater emphasis.

    Also, subject to AGIMO’s agreement with the above, this means some elements of the proposed legal relationship as expressed in the draft Head Agreement should also be reviewed. It flows from the NIST definition that cloud providers — especially public IaaS and PaaS — need to protect themselves from the activities of customers, and customers need to be aware of the risks they bear. Most cloud providers make this known via “acceptable use policies”, which are reflected in their customer agreements. Without going into too much detail, the shift in responsibility and control to customers means provisions regarding indemnities, liability, licensing and protection of intellectual property need to reflect the actual positions and interests of both parties. To do otherwise leaves the Government exposed to the risk that a court might determine some of these elements to be unenforceable.

    Possible examples (hypothetical, of course) are where an agency’s (self-managed) server instance becomes a vector for malware due to (self-managed) firewall mis-configuration. Or, say, an agency such as the Classification Review Board decided to use a self-managed host to store and manage unclassified material for review, with mis-configured access control.

    I may be reading the documentation incorrectly, but it strikes me there continues to be an assumption the supplier has the same level of control and responsibility as with a fully-managed service. Yes, ultimately, the supplier can “pull the plug” — possibly bringing the whole service/host down or offline — but that’s a decision not taken lightly or without consequences in terms of other customers.

  25. Paul says:

    Thanks for the opportunity to comment.

    Please see below our comments:

    1. Head Agreement (Deed)

    • 12.3 to 12.4 inclusive. In an example where a Provider has performed services as contemplated in the agreement, they could for example have built a new SharePoint server inside their Infrastructure and charged a price for this. Whilst we would have no objection in offering the same service to another Customer as contemplated in 12.4 a) the nature of such a task means it is rarely the same because each Customer’s requirements and circumstances are different. Therefore amending the Service catalogue as contemplated in 12.4 b) may not necessarily provide a price guide for the Customer because, whilst the fundamental task may be similar, the detail may mean a different magnitude of associated cost. Notwithstanding the above, we have no objection to the service provided being published.

    2. Sourcing Approach

    • Line 51 Associated table. Table row title Payment Model. We assume that payment flexibility will allow for resources to be billed as used in a contemporary “as a service” model? For example Processing in GHz, Memory in GB and Storage in GB.

    • Line 152 “Agencies will be able to list wanted services” Will these be broadcast to Providers to respond to? For example by e-mail containing a link to the portal.

    Thank you for the opportunity to comment. We can’t speak for other potential Providers but we believe the approach you have taken is complementary with the services you envisage being provided.

  26. Derek Fittler says:

    John
    Hi. Macquarie Telecom has some further comments in relation to the Deed and Work Order:

    1. Carbon tax doesn’t feature anywhere in either the Deed or Work order. We are aware of standard wording the Commonwealth has accepted previously on this. (Negotiation of charges could hamper businesses as there is no pass through of gov’t, regulatory increases such as carbon tax and it will complicate the operation of the MUL and actual Work Orders) – see also 12.1 in schedule 3

    2. In schedule 3 “Contract Terms” the need to get prior approval before replacing specific personnel and before subcontracting could be limiting – we also question whether for the services under consideration and the low cap this clause is appropriate to DCaaS.

    3. The indemnity and liability clauses are reasonable except for the reference to ‘default’ which is undefined in 8.1(a). We are liable for any loss arising from a ‘default’ – absent a definition that could be very broadly interpreted.

    4. Macquarie Telecom in principle would support inclusion of a requirement for compulsory arbitration. We do not think court processes are appropriate for the MUL arrangements (other than as some form of last resort). We note that no draft wording has been provided. If the Deed is not to be further negotiated, we would ask that industry be given the chance to review this before the document is finalised.

    5. In the Deed, clause 9.2 typo reference to clause 0 should be to 9.1

    6. In clause 15 (termination) 15.1(c) and (f) are duplicates.

    7. Schedule 2 (Work Order) and Schedule 3 (Contract Terms) do not currently contain any statement of where the services will be provided, whether data can be exported from Australia, and what security obligations apply to the provider. Our suggestion would be that unless expressly stated in the Work Order, the general presumption should be (a) the provider must comply with the requirements of the ISM in relation to the services; and (b) Australian government data must remain in Australia.

    Hope this assists with your considerations.

    Regards
    Derek

  27. Jodine Bishop says:

    Thank you for the opportunity to provide comment on FIN 11/APP034-A DCaaS Draft Project Approach and Head Agreement. We have reviewed the Draft Project Approach and have no technical comments at this stage. The model discussed appears straightforward, and we recognise that Commercial sector experience can provide value to the needs of Federal Government.

    We have also reviewed the Draft Head Agreement and can provide the following preliminary comments:

    1. We have a generally positive response to the documents as they are more suitable for cloud offerings than other standard government contracts (eg SourceIT);
    2. This response does not replace a more detailed, clause-level response, which we will provide at the appropriate time (during the tender process);
    3. High level comments:
    a. Our service description, which we presume will be submitted as part of the service catalogue process, will form part of the contract. This can be achieved by having the service description form part of the Work Order. It would be prudent to have a statement of order of priority in the event of inconsistency.
    b. Protection for matters such as confidential information should be mutual so that the clause also protects the supplier’s confidential information;
    c. Is the scope of the privacy provision in clause 15 of the head agreement related to the general activities between the parties under the head agreement or does it cover the services themselves? If it is the former, then the clause is OK; however, given the limited amount of personal information which would be exchanged at the level of the head contract arrangements, the protection could possibly be obtained through the Confidentiality clause.

    If the protection is sought for the service itself, then the clause is too broadly worded, especially for IaaS and PaaS services. The interpretation of the clause is not clear without the context of the Customer’s business and what data will be kept in the service. To the extent that the data does not contain personal information, the clause will always be easy to comply with; however, if the data does contain personal information the Customer will have to assess whether the service is appropriate (taking into consideration such matters as the location of the data). The service provider won’t know what data is being loaded – only the Customer will. It would be more appropriate to require the service description to set out matters which the Customer can use to assess the suitability of the service for the customer’s needs. The way the clause is currently worded, it is likely that only those services which are wholly located in Australia could be part of the panel.

    We note that those data centres located in Australia are quite well placed to give assurances regarding the Privacy Act. We also note that a SaaS service has different considerations, because the SaaS service provider is better placed to know what sort of data will be loaded and apply those facts to the law to determine whether the service is likely to comply with the Privacy Act.

    d. Clause 12.3 (negotiation of Charges) of the Head Agreement refers to set charges in the Service Catalogue. We note that charges from third party software licensors such as Microsoft will be on a usage basis, and therefore not capped. This is consistent with the clause, so long as the ‘usage basis’ is set out in the Service Catalogue, but worth bringing to your attention in the interest of transparency.
    e. The service provider should have some industry standard termination rights, for example for material breach/ non-payment/ persistent late payment.
    f. The survival clause at clause 25 of the Head Agreement should be limited to five years, so that the service provider does not have to keep records for longer than usually required in the course of business.
    g. IP (clause 7 of the Contract Terms)
    i. The IP position is generally acceptable, however there could be more detail and clarity around pre-existing IP to provide comfort that in practice, for an IaaS service there is very little (no?) IP which is created specifically for the Customer. Further, the service will incorporate third party IP for the equipment and software used in building the service, and this pre-existing IP will not be passed to the customer. Therefore in practice no (or little) IP will rest with the customer. Perhaps it is better to state what Material is expected to be provided in association with the service (does the Customer expect a customised manual?) so that it is clear what it is that the Customer is able to make copies. As the clause stands the Customer wouldn’t have a right to make copies of the standard manual, but chances are the service provider would be fine to let the customer do so.
    ii. With regard to the licence set out in the contract terms, the customer obtains a right to use the IP simply by subscribing to the service, so does not need a licence to use the service. The right to ‘use’ is not a protected right under Australian law or international copyright treaties, so it is a confusing thing to licence. With regard to the other rights in the licence, as there is no (or little) ‘Material’ which will be created for the Customer, a licence to modify, adapt etc is at risk of being an empty licence. Any licence should however be revocable (in the event of non-payment or termination).
    h. Indemnity/ Liability
    i. Any agreement to unlimited liability (including in an indemnity) is subject to parent company approval. Our general comments on the liability regime are:
    1. Liability for general service issues is found in the service level agreement and service credit arrangement set out in the relevant service description. Therefore the indemnity in 8.1(a) would not be agreed to, however we may agree to the IP indemnity with a generous cap. The indemnity would be provided only to the Customer.
    2. Our organisation would agree to unlimited liability for personal injury caused by our negligence and will agree to a generous cap for general property damage and third party IP claims. Consequential loss is excluded. Otherwise the remedies for liability will be in accordance with the SLA/ service credit arrangement set out in the service description and an aggregate liability cap equal to 12 months’ fees. For clarity, loss of data and loss of access to data, will be as set out in the service description.
    ii. Acceptance of services. Clause 11 of the Contract terms is a form of trial. In general we believe a trial is a sensible approach to public cloud offerings, but have not given consideration to the length/ terms of the arrangement set out in this clause. If however a private cloud is developed for a Customer, we recommend a more detailed acceptance arrangement, and non-acceptance would have to be based on failure to meet the acceptance arrangements.
    i. Termination for convenience. A notice period should be articulated in the Contract Terms, and payments should also include unavoidable costs (eg for expenditure committed to and not able to be cancelled), as well as incurred costs.
    j. Knowledge transfer will be on a time and materials basis. Making people available cannot be at the sole discretion of the Customer. Apart from an unreasonable fettering of the service provider’s right to determine its own business priorities, the specified person might be unavailable due to illness, annual leave or other reason. But we understand that the ability to transition out is important and will provide reasonable assistance. In general the Customer can self-manage this simply by taking the data out of the IaaS before the expiry date of the arrangement.
    k. Force majeure clause. There should be a force majeure clause, rather than leaving the issue to common law principles.

  28. [...] been delighted with the discussion following my previous posting on the Data Centre as a Service (DCaaS) initiative. We have reviewed all the contributions and [...]
