The Government Accountability Office (GAO) released a report on Thursday detailing the 10 key practices agencies should follow in creating service level agreements (SLAs) with cloud service providers:
- Specify roles and responsibilities.
- Define key terms.
- Define clear measures for performance.
- Specify how and when the agency has access to its own data and networks.
- Specify how the cloud service provider will monitor performance and when the agency will confirm that performance.
- Provide for disaster recovery planning and testing.
- Describe performance exception criteria.
- Specify how providers are measured for protecting data.
- Determine how the provider will notify the agency of a security breach.
- Specify the consequences for non-compliance with SLA performance measures.
GAO performed the study to help agencies save time and money on IT investments by determining the scope of those investments up front.
To find the 10 key practices, GAO analyzed research, studies, and guidance developed by Federal and private entities. They then reviewed 21 cloud service contracts from the Departments of Defense, Health and Human Services, Homeland Security, Treasury, and Veterans Affairs to determine why and how those agencies were implementing SLA practices.
They found that about a third of those contracts already fulfilled the 10 practices. In the report, they recommend that OMB include all 10 of these practices in their cloud recommendations to agencies.