All of Government Cloud Sourcing Strategy

Purpose

Audience

Background

What has changed in the strategic landscape

• Refreshed Cloud First policy — The refreshed Cloud First policy requires government agencies to use public cloud services while recognising the changing expectations of New Zealanders and the commitment to government priorities.
• New Zealand–based cloud providers — There has been continued growth in the New Zealand–based cloud infrastructure sector (for example, Catalyst Cloud, Datacom, Kyndryl and Spark).
• On–shore public cloud datacentres — There have been recent announcements that major global cloud providers (Amazon Web Services (AWS), Google Cloud, Microsoft) and several other specialist hyperscale data centre providers plan to create onshore cloud infrastructure.
• Māori expectations and interest — Discussions between officials and iwi Māori on the Public Service’s use of cloud has been an ongoing discussion. More recently, the Māori Data Governance Model has been publicly released by the Data Iwi Leaders Group (DILG) to provide guidance and advice with regards to Māori data sovereignty.
• Sustainability goals — The Carbon Neutral Government Programme (CNGP) aims to reduce emissions faster within the public sector. This includes government agencies setting emissions reduction targets and longer–term reduction plans.

Implications of the refreshed Cloud First policy

• consider accountability, ethics, transparency, and collaboration in relation to Māori data, when making decisions about using cloud services
• consider high–level sustainability principles in the public sector’s use of cloud
• move RESTRICTED information over time to New Zealand based data centres where suitable cloud services exist
• avoid investing in on–premises IT infrastructure unless certain conditions are met.

How the GCDO supports agencies to procure cloud services

Strategic direction

What the Cloud Sourcing Strategy is

• establish an IaaS and Cloud Services Marketplace channel for specified enterprise services (for example, infrastructure and platform services). It will have standard terms that provide for security assurance and primary procurement. This will be open to all cloud suppliers.
• negotiate standardised terms and price discounts with cloud suppliers that have existing framework agreements. The GCDO will negotiate standardised terms as the existing agreements expire. If required, there will be new Marketplace channels and contracts to make these available to agencies.
• take advantage of the Marketplace Professional Services channel. Support for agencies to transition to cloud services will continue to be available via the Professional and Consultancy Services channel and contract on the Marketplace.
• provide assurance and certification for public cloud datacentres. This will not directly enable government agencies to procure data centre services but will provide a level of assurance for cloud services hosted in these data centres.
• transition and enhance the Marketplace platform. The GCDO will continue to work on improving the user experience and operation of the Marketplace. This includes considering how to integrate the Marketplace with the Ministry of Business, Innovation and Employment’s (MBIE) digital procurement tool.
• transition the current Software as a Service (SaaS) channel to the new IaaS and Cloud Services channel, to remove any duplication of services and align with the new direction.

Guiding principles for the strategy

• support agencies to modernise and transition from traditional IT infrastructure to cloud services
• increase the number and diversity of cloud suppliers
• provide secondary procurement options for agencies
• create a common approach for agencies to procure commonly used cloud services
• rationalise the approach for security assurance and certification to ensure this is right-sized, while providing appropriate system–level assurance
• demonstrate a commitment to Te Tiriti and the Māori–Crown Partnership.

Current challenges addressed by the strategy

• New suppliers are locked out — the high cost of negotiating framework agreements has meant that cloud framework agreements have only been negotiated with a small number of cloud suppliers.
• Lack of primary procurement — framework agreements do not provide primary procurement for agencies, meaning agencies are burdened with procurement costs.
• Current (first-gen) infrastructure services are required, alongside modern (next-gen) cloud services. A review of other comparable countries suggests that agencies will need access to IaaS ‘legacy’ services, alongside native cloud services from multiple cloud vendors (that is, a hybrid and multi-cloud approach).
• Agencies are generally supportive of the concept of a ‘marketplace’ but claim the current Marketplace user experience is poor, with some key functionality missing (for example, comparing services and pricing from multiple suppliers).
• Agencies need more guidance from the GCDO and other System Leaders, particularly on cloud transformation, Māori data sovereignty, and security assurance and certification.
• Māori expectations and interests in cloud are not considered. The current framework agreements do not give due consideration to Te Tiriti and Māori–Crown partnership.

Implementation

What this means for agencies and suppliers

• a single, consolidated Marketplace channel for accessing IaaS services and a wider range of cloud services
• simplified procurement for cloud services by introducing secondary procurement options
• consistent commercial terms for cloud suppliers with flexibility for suppliers to introduce government pricing models
• better alignment of cloud services with the all–of–government security assurance and certification model — including recognition of international security standards
• more clarity about the different levels of security and certification required for cloud services
• an uplift in security maturity across supplier and agencies, with improved security system settings
• an improved risk, resilience and security position for agencies using cloud services
• requirements for agencies and suppliers to give effect to Te Tiriti and the Māori–Crown Partnership
• increased supplier diversity and support for market development (for example, Māori–owned businesses and small businesses).

What this means for the Māori–Crown Partnership

• providing opportunities for Māori–owned businesses to supply services to government agencies
• recognising the importance of cloud suppliers building Te Ao Māori capability into agreements with agencies
• recognising the importance of Te Tiriti and the Māori–Crown partnership in agreements between cloud suppliers and agencies.

What this looks like in practice

• service catalogues — the creation of a new Marketplace channel with service catalogues for data centre services, current (first–gen) IaaS Services, public cloud IaaS services, Platform as a Service (PaaS) services, and web application (SaaS) services.
• supplier application — once the channel is established, suppliers will be able to provide agencies with infrastructure and cloud products and services via the Marketplace. New suppliers can join the Marketplace using the online application process.
• Marketplace agreement — during the process, suppliers will be asked to sign the Collaborative Marketplace Agreement (CMA), which sets the ground rules for their membership of the Marketplace. It describes how government agencies procure services through the Marketplace and, where relevant, recognises pre-existing all–of–government agreements some suppliers already have.
• secondary procurement — agencies will still undertake some form of secondary procurement process, which involves comparing service providers on the Marketplace. By having the primary procurement process covered by joining the Marketplace, this is a faster and more contained process.
• security tiering — Marketplace employs a 3–tier security process. Tier 1 (certified by the GCDO) is the most rigorous and comparable to processes for existing IT infrastructure and telecommunications services. Entry level for all suppliers is Tier 3 (baseline check only), with the move to Tier 2 (endorsed by the GCDO but requires agency certification) and Tier 1 is decided on a service–by–service basis.

Detailed description

A diagram showing the proposed Marketplace channels grouped together by type of service.

Professional Services:

• Consulting
• Development
• Cloud
• Networking
• Security
• Transition

Managed Services:

• Legacy
• Cloud
• Networking
• Security
• Orchestration
• Aggregation

Cloud and Infrastructure:

• Iaas
• First-GEN
• Next-GEN
• PaaS
• SaaS

Networking:

• Physical
• Logical
• Cloud
• Telephony

Security:

• Parameter
• End Point
• Network
• Cloud
• User

Enterprise Software:

• Office 365
• Oracle
• Sap
• Payroll
• OS

Timeline for implementation