United States Government Accountability Office
Highlights of GAO-16-325, a report to
congressional requesters
April 2016
CLOUD COMPUTING
Agencies Need to Incorporate Key Practices to
Ensure Effective Performance
Why GAO Did This Study
Cloud computing is a means for
delivering computing services via IT
networks. When executed effectively,
cloud-based services can allow
agencies to pay for only the IT services
used, thus paying less for more
services. An important element of
acquiring cloud services is a service
level agreement (SLA) that specifies,
among other things, what services a
cloud provider is to perform and at
what level.
GAO was asked to examine federal
agencies’ use of SLAs. GAO’s
objectives were to (1) identify key
practices in cloud computing SLAs and
(2) determine the extent to which
federal agencies have incorporated
such practices into their SLAs. GAO
analyzed research, studies, and
guidance developed by federal and
private entities to develop a list of key
practices to be included in SLAs. GAO
validated its list with the entities,
including OMB, and analyzed 21 cloud
service contracts and related
documentation of five agencies (with
the largest fiscal year 2015 IT budgets)
against the key practices to identify
any variances, their causes, and
impacts.
What GAO Recommends
GAO recommends that OMB include
all ten key practices in future guidance
to agencies and that Defense, Health
and Human Services, Homeland
Security, Treasury, and Veterans
Affairs implement SLA guidance and
incorporate applicable key practices
into their SLAs. In commenting on a
draft of this report, OMB and one
agency had no comment; the
remaining four agencies concurred
with GAO’s recommendations.
What GAO Found
Federal and private sector guidance highlights the importance of federal
agencies using a service level agreement (SLA) in a contract when acquiring
information technology (IT) services through a cloud computing services
provider. An SLA defines the level of service and performance expected from a
provider, how that performance will be measured, and what enforcement
mechanisms will be used to ensure the specified performance levels are
achieved. GAO identified ten key practices to be included in an SLA, such as
identifying the roles and responsibilities of major stakeholders, defining
performance objectives, and specifying security metrics. The key practices, if
properly implemented, can help agencies ensure services are performed
effectively, efficiently, and securely. Under the direction of the Office of
Management and Budget (OMB), guidance issued to agencies in February 2012
included seven of the ten key practices described in this report that could help
agencies ensure the effectiveness of their cloud services contracts.
GAO determined that the five agencies and the 21 cloud service contracts it
reviewed had included a majority of the ten key practices. Specifically, of the 21
cloud service contracts reviewed from the Departments of Defense, Health and
Human Services, Homeland Security, Treasury, and Veterans Affairs, 7 had
fulfilled all 10 of the key practices, as illustrated in the figure. The remaining 13
contracts had incorporated 5 or more of the 10 key practices and 1 had not
included any practices.
Figure 1: Number of Cloud Service Contracts That Met All 10 Key Practices
Agency officials gave several reasons why they did not include all elements of
the key practices in their cloud service contracts, including that guidance
directing the use of such practices had not been created when the cloud services
were acquired. Unless agencies fully implement SLA key practices in their
SLAs, they may not be able to adequately measure the performance of the
services and, therefore, may not be able to effectively hold the contractors
accountable when performance falls short.
View GAO-16-325. For more information,
contact
David A. Powner at (202) 512-
.