Negotiating Contracts for Cloud-Based Software
By Gretchen Kwashnik - Published, January 17, 2012
The federal government's "cloud first" policy, as part of the Federal Chief Information Officer's "25 Point Implementation Plan to Reform Federal Information Technology Management," requires federal agencies to consider cloud computing before making new IT investments and to move at least three applications to the cloud by May 2012.
Requests for information, issued by the Department of the Navy in July 2011, indicated that the Next Generation Enterprise Network (NGEN) will transition to a cloud-based delivery model. In an August 2011 media roundtable, the Department of the Navy CIO, Mr. Terry Halvorsen, said cloud computing, along with thin-client and zero-client technologies, are some of the models that the DON can use to cut 25 percent from its business IT budget in the Future Years Defense Program financial plan.
With the department's goals to decrease IT costs, improve deployment speed and agility and operate more efficiently will come shifts in IT funding. For example, there are funding allocation differences between the traditional procurement of IT licenses, which are normally capital expenses that are depreciated over time, while the subscription procurement model for cloud services is normally an operational expense that is not depreciable.
The cloud concept encompasses a variety of service models: Software as a Service (SaaS); Platform as a Service (PaaS); and Infrastructure as a Service (IaaS). These service models can be delivered in a variety of ways, from a private cloud (operated solely for an organization whether hosted internally or by a third party over a virtual private network), a public cloud (operated by a third party over the Internet), or a hybrid cloud that combines private and public clouds to coordinate a solution.
In all instances, the difference from traditional procurement is that some or all IT resources (hardware, software and support services) are rented instead of purchased as perpetual software licenses, thus creating the hardware infrastructure to support software and data, and maintaining the selected solution.
SaaS, which is the most widely adopted service delivery model in these still-early stages of cloud computing, provides a timely example of negotiating "cloud first" contracts. From an overall contractual perspective, the SaaS cloud model does not vary greatly from traditional on-premise software licensing because the same quality of software and functionality is supplied by a software provider. However, a few of the key licensing differences are in the granting of a software license and payment terms.
Grant Software Licenses
With the cloud delivery model, software use is subscription-based and paid on a monthly or annual basis. In contrast, traditional software is normally purchased for perpetual use with one lump sum payment upfront. It is important to understand that sometimes traditional on-premise software can also be offered via a subscription model.
Perpetual Licensing: When purchasing the right to use a software license in perpetuity, the full license rights may depend on how payment terms are structured. Perpetual licensing is not an option for SaaS through a public cloud. Whether this perpetual licensing model will be available for private or hybrid clouds is yet to be seen; it may depend on the ability to move existing applications into a private cloud. However, there are software providers that are making it easier to set up such private cloud instances.
Subscription Licensing: This is the most common licensing model for public cloud solutions, and it allows use of the software service only while the subscription is current and valid. Subscription licensing may be possible for hybrid cloud solutions where terms can be negotiated in the following ways:
– Paying a maximum subscription licensing fee over a specific term of service. Thereafter, the subscriber would have the right to use the software in perpetuity or exercise the option to use it in perpetuity for an incremental pre-negotiated fee. When using this type of subscription payment plan, users must ensure that the correct type of appropriation is used for the investment.
– Separating the hosting fees from the software licensing fees so the two are not intermingled.
With traditional software licensing, you may be able to negotiate withholding a portion of the licensing fees until after the go-live or acceptance date of the software. Maintenance fees also may not be required until after the go-live date. Alternatively, cloud solutions bundle together hosting, software licensing and maintenance into one monthly or annual fee. Subscribers begin paying for the service as soon as they authorize the cloud provider to turn it on, even though the subscribers may not be using it yet.
To mitigate the financial risks in this practice, determine if the provider has a sandbox or proof-of-concept environment in which potential subscribers can become familiar with the software at little or no charge before signing a contract for a specific term and number of users. Any payment and financing terms must be in accordance with Federal Acquisition Regulation (FAR) Subpart 32.2, Commercial Item Purchase Financing.
SaaS Service Level Agreements
When using a SaaS provider, the focus is no longer on managing the technical software application, but rather the vendor relationship. This is where IT contract negotiation, contract management and supplier management skills come into play. All rights and responsibilities associated with the relationship should be included in an enforceable contract and effectively managed. The specific risks to be addressed in the contract with a provider will depend on the application, its business criticality, and the data that will be exchanged, stored and maintained by the provider.
Any cloud service level agreement (SLA) should contain specific, measurable and enforceable terms and conditions. If the SaaS provider fails to meet an obligation under the SLA, the agreement must have the "teeth" to mitigate a failure from happening again. For example, the SLA should contain specific remedies that apply when obligations are not met, including financial penalties or credits for future services. The best remedy may be a refund since the value of a credit against future services from a provider that has already failed does not guarantee reliable service.
A Word about Security
Any selected cloud solution must conform to federal security requirements, including Federal Information Processing Standard (FIPS) Publication 140-2, "Security Requirements for Cryptographic Modules," and the Federal Information Security Management Act (FISMA), and have an Authority to Operate (ATO) through the Federal CIO Council's Federal Risk and Authorization Management Program (FedRAMP). Cloud solutions can be validated for multi-agency use, which supports the standardized approach to cloud computing across the DoD advocated by the DoD CIO. A list of solutions already approved through FedRAMP can be found at www.gsa.gov. Solutions without an ATO will require working with the vendor through the FedRAMP program.
With federal initiatives like cloud first, green IT and continuous (security) monitoring, cloud solutions will play an increasingly greater role in DON and DoD IT strategies. To be successful, IT stakeholders must better understand how to procure and implement cloud-based offerings.
Gretchen Kwashnik provides contract support to the DoD Enterprise Software Initiative (ESI) and DON CIO.