Eighteen of the 24 largest Federal agencies have failed to establish guidance on service level agreements for their cloud providers – ignoring one of the five key requirements put in place by the White House.
In its 2019 Cloud Smart Strategy, the Office of Management and Budget established five key requirements for agencies related to procuring secure, cost-effective cloud services.
According to a report out today by the Government Accountability Office (GAO), as of July 2024, the 24 CFO Act agencies set policies and guidance that addressed some of these requirements but not others.
For example, all the agencies had established guidance to ensure their chief information officer (CIO) oversees agency modernization efforts and almost all had guidance in place to improve their policies and guidance related to cloud services. But most hadn’t established guidance on service level agreements (SLA) – which define the levels of service and performance the agency expects its cloud providers to meet.
In addition, nearly one-third of agencies did not have guidance to ensure continuous visibility in high value assets – systems that process high-value information or serve a critical function in maintaining the security of the civilian enterprise.
“Agency officials provided different reasons as to why guidance had not been developed for the requirements,” the report reads. “For example, six agencies reported that they had used SLAs provided by the cloud service providers. One agency reported that it had included language in its blanket purchase agreement and two agencies reported they were in the process of finalizing guidance.”
“Regarding high value asset guidance, one agency reported that it had included language in their contracts to meet the requirement but had not developed corresponding guidance,” GAO said. “One agency reported that it had relied on standard acquisition practices and had not developed separate processes for these assets.”
In addition, GAO said that agency officials reported that additional guidance – including standardized SLA language and high value asset contract language – would be helpful.
GAO was asked to examine agencies’ efforts to implement OMB’s Cloud Smart initiative by Rep. Gerry Connolly, D-Va., the ranking member of the House Subcommittee on Cybersecurity, Information Technology, and Government Innovation.
GAO made one recommendation to the CIO Council to collect and share examples of guidance on cloud SLAs and contract language. GAO also made 46 recommendations to 18 agencies to develop or update guidance related to OMB’s Cloud Smart procurement requirements.
