Refreshing the Cloud First policy and strengthening cloud adoption across the public service

1 noted that agencies face several interdependent and complex challenges when considering cloud adoption;

2 noted that if the public service is not supported to invest in and adopt cloud services, there is a risk the potential benefits of cloud computing will not be realised;

3 noted that the Cloud First Policy has become diluted in focus, and the policy does not reflect changes in technology, society or government priorities;

4 noted that the refresh of the Cloud First Policy represents a significant opportunity to include Te Ao Māori perspectives, and would represent a world first for incorporating indigenous considerations into national cloud policies;

5 noted that if utilised well, cloud offers the potential to contribute to achieving the carbon reduction aims of the Carbon Neutral Government Programme;

6 noted that the 2012 directive on the use of Infrastructure-as-a-Service is out of step with technological change and policy aims;

7 noted that addressing security, including jurisdictional risk concerns, actual and perceived, would support cloud adoption;

8 noted that legacy, on-premise infrastructure can pose challenges to the management of security risks, transformation of service delivery, and transition to the cloud;

9 noted that the proposals in the paper under ERS-23-SUB-0019 are not intended to conflict with the Public Finance Act 1989 requirements related to responsibilities and accountabilities of Ministers and chief executives;

10 reconfirmed the existing Cloud First Policy, that directs agencies to:

11 agreed that agencies consider accountability, ethics, transparency, and collaboration in relation to Māori data, when making decisions about adopting cloud services;

12 agreed that agencies make adoption decisions that consider high-level sustainability principles in the public sector’s use of cloud;

13 agreed to revoke the 2012 Infrastructure-as-a-Service directive to provide greater clarity to the Cloud First Policy;

14 agreed that over time, RESTRICTED information should be hosted in a New Zealand based data centre, where a suitable onshore service exists;

15 agreed that agencies will not invest in on-premise ICT infrastructure unless specified criteria are met or approved by the Government Chief Digital Officer (GCDO);

16 noted that the Department of Internal Affairs, in partnership with Statistics New Zealand and the Data Iwi Leaders Group, is working on guidance to support the public service’s capability to give effect to Māori interests when making decisions about adopting cloud;

17 directed officials from the Ministry for the Environment, Ministry of Business, Innovation and Employment, and Department of Internal Affairs to work in association with Iwi and Māori to develop high level principles to encourage and support sustainable adoption and use of cloud technologies;

18 directed officials from the Ministry of Business, Innovation and Employment, and the Department of Internal Affairs to produce updated guidance in line with the high-level principles to support agencies to adopt cloud technologies in sustainable ways through their procurement activities;

19 directed the GCDO, supported by the National Cyber Policy Office, National Cyber Security Centre and Ministry of Foreign Affairs and Trade, to produce updated guidance to agencies on jurisdictional risk of cloud by August 2023, and thereafter as needed, and at least every five years;

20 noted the creation of a centralised certification process for onshore hyperscale data centres, to provide confidence to providers and agencies that the facilities have appropriate physical and personnel security, as well as ownership and contractual requirements to host RESTRICTED and below information ;

21 noted that the GCDO will undertake, with agencies, a stocktake of current and planned expenditure within specified criteria regarding on-premise infrastructure, provide regular reporting on progress, and support agency transition to cloud;

22 noted that the challenges of limited capacity and capability, financial resourcing and system-wide prioritisation remain;

23 invited the Minister for the Digital Economy and Communications and the Minister Responsible for the GCSB to carry out further work and report back to Cabinet by April 2024 with options to address these challenges;

24 noted that further detailed investigation will seek to address barriers raised by agencies, and will include estimating different levels of intervention and investment required;

25 noted that the delivery of some elements of Phase Two of the Cloud First Policy will require funding through future Budgets for affected agencies, and that if assumed funding is not included in future Budget packages, elements of Phase Two of the Cloud First Policy will need to be funded through reprioritisation of existing baselines or be reconsidered;

26 noted that officials will undertake targeted engagement with agencies and relevant groups, such as the Data Iwi Leaders Group and other Iwi and Māori representatives and industry, to inform the work referred to in paragraph 23 above;

27 noted that the GCDO will lead, supported by relevant agencies, engagement with the public sector and providers on the refreshed Cloud First Policy;

28 noted that communication of the refresh will include explaining the benefits of cloud, acknowledging potential concerns, and highlighting tools for mitigation, while drawing a distinction between the Policy and other issues outside the scope of the refresh;