All of Government Cloud Sourcing Strategy
Purpose
1 This strategy describes how the Government Chief Digital Officer (GCDO) will support government agencies to procure a diverse range of secure and resilient cloud services.
Audience
2 The audience for this strategy is New Zealand government agencies and cloud suppliers.
Background
What has changed in the strategic landscape
3 The context in which New Zealand government agencies procure cloud services continues to develop, including:
- Refreshed Cloud First policy — The refreshed Cloud First policy requires government agencies to use public cloud services while recognising the changing expectations of New Zealanders and the commitment to government priorities.
- New Zealand–based cloud providers — There has been continued growth in the New Zealand–based cloud infrastructure sector (for example, Catalyst Cloud, Datacom, Kyndryl and Spark).
- Onshore public cloud data centres — There have been recent announcements that major global cloud providers (Amazon Web Services (AWS), Google Cloud, Microsoft) and several other specialist hyperscale data centre providers plan to create onshore cloud infrastructure.
- Māori expectations and interest — Discussions between officials and iwi Māori on the Public Service’s use of cloud have been ongoing. More recently, the Māori Data Governance Model has been publicly released by the Data Iwi Leaders Group (DILG) to provide guidance and advice with regard to Māori data sovereignty.
- Sustainability goals — The Carbon Neutral Government Programme (CNGP) aims to reduce emissions faster within the public sector. This includes government agencies setting emissions reduction targets and longer–term reduction plans.
Implications of the refreshed Cloud First policy
4 In April 2023, Cabinet re–confirmed the Cloud First policy (ERS–23–MIN–0019)[Footnote 1], which requires agencies to use public cloud services in preference to traditional IT systems.
The policy introduces new requirements for agencies to:
- consider accountability, ethics, transparency, and collaboration in relation to Māori data, when making decisions about using cloud services
- consider high–level sustainability principles in the public sector’s use of cloud
- move RESTRICTED information over time to New Zealand based data centres where suitable cloud services exist
- avoid investing in on–premises IT infrastructure unless certain conditions are met.
5 Recent discussions with government agencies suggest that most agencies will use a mix of traditional IT infrastructure services and public cloud services.
This is because they often have technology that requires significant re–investment before they can benefit from public cloud services. This ‘hybrid’ approach is in line with trends from comparable countries.
6 The refreshed Cloud First policy anticipates this ‘hybrid’ cloud approach. Although it directs agencies to avoid investing in on–premises IT infrastructure, it also recognises the challenges faced by agencies and allows for continued use of traditional IT infrastructure if specified criteria are met.
7 Insights from other jurisdictions also suggest that agencies are likely to use services from multiple cloud vendors to achieve the best outcomes. The flexibility of this approach may also help agencies to move applications and data to the most appropriate location, in order to meet the refreshed Cloud First policy’s direction to move RESTRICTED data to New Zealand–based data centres.
8 The use of multiple cloud providers may also provide agencies with greater flexibility to address Māori data sovereignty.
How the GCDO supports agencies to procure cloud services
9 The GCDO manages a range of products and services that are used by over 300 government agencies.
10 This provides government agencies with improved access to cost–effective digital products and commercial services. It reduces system risk by supporting agencies and suppliers to better manage their security and resilience, and supports the New Zealand digital sector by simplifying access to government procurement opportunities.
11 Government agencies use the portfolio to procure traditional IT infrastructure services, and software and cloud services. The traditional IT infrastructure services are provided by 2 suppliers through the IaaS agreements. The software and cloud services are provided by suppliers through a range of tailored agreements.
12 The GCDO also operates the Marketplace digital platform which enables a wide range of New Zealand and international businesses to offer their products and services directly to New Zealand government agencies. The Marketplace agreements are approved collaborative contracts that align with the Government Procurement Rules.
Strategic direction
What the Cloud Sourcing Strategy is
13 The sourcing strategy will:
- establish an IaaS and Cloud Services Marketplace channel for specified enterprise services (for example, infrastructure and platform services). It will have standard terms that provide for security assurance and primary procurement. This will be open to all cloud suppliers.
- negotiate standardised terms and price discounts with cloud suppliers that have existing framework agreements. The GCDO will negotiate standardised terms as the existing agreements expire. If required, there will be new Marketplace channels and contracts to make these available to agencies.
- take advantage of the Marketplace Professional Services channel. Support for agencies to transition to cloud services will continue to be available via the Professional and Consultancy Services channel and contract on the Marketplace.
- provide assurance and certification for public cloud datacentres. This will not directly enable government agencies to procure data centre services but will provide a level of assurance for cloud services hosted in these data centres.
- transition and enhance the Marketplace platform. The GCDO will continue to work on improving the user experience and operation of the Marketplace. This includes considering how to integrate the Marketplace with the Ministry of Business, Innovation and Employment’s (MBIE) digital procurement tool.
- transition the current Software as a Service (SaaS) channel to the new IaaS and Cloud Services channel, to remove any duplication of services and align with the new direction.
Guiding principles for the strategy
14 Based on the strategic context, the guiding principles for this strategy are to:
- support agencies to modernise and transition from traditional IT infrastructure to cloud services
- increase the number and diversity of cloud suppliers
- provide secondary procurement options for agencies
- create a common approach for agencies to procure commonly used cloud services
- rationalise the approach for security assurance and certification to ensure this is right-sized, while providing appropriate system–level assurance
- demonstrate a commitment to Te Tiriti and the Māori–Crown Partnership.
Current challenges addressed by the strategy
15 The GCDO engaged with agencies and cloud suppliers from October 2022 to January 2023 to understand what the GCDO could do in the future to support agencies to procure cloud services.
16 The key themes from the discussions were:
- New suppliers are locked out — the high cost of negotiating framework agreements has meant that cloud framework agreements have only been negotiated with a small number of cloud suppliers.
- Lack of primary procurement — framework agreements do not provide primary procurement for agencies, meaning agencies are burdened with procurement costs.
- Current (first-gen) infrastructure services are required, alongside modern (next-gen) cloud services. A review of other comparable countries suggests that agencies will need access to IaaS ‘legacy’ services, alongside native cloud services from multiple cloud vendors (that is, a hybrid and multi-cloud approach).
- Agencies are generally supportive of the concept of a ‘marketplace’ but claim the current Marketplace user experience is poor, with some key functionality missing (for example, comparing services and pricing from multiple suppliers).
- Agencies need more guidance from the GCDO and other System Leaders, particularly on cloud transformation, Māori data sovereignty, and security assurance and certification.
- Māori expectations and interests in cloud are not considered. The current framework agreements do not give due consideration to Te Tiriti and Māori–Crown partnership.
Implementation
What this means for agencies and suppliers
17 For agencies and suppliers, this strategy means there will be:
- a single, consolidated Marketplace channel for accessing IaaS services and a wider range of cloud services
- simplified procurement for cloud services by introducing secondary procurement options
- consistent commercial terms for cloud suppliers with flexibility for suppliers to introduce government pricing models
- better alignment of cloud services with the all–of–government security assurance and certification model — including recognition of international security standards
- more clarity about the different levels of security and certification required for cloud services
- an uplift in security maturity across suppliers and agencies, with improved security system settings
- an improved risk, resilience and security position for agencies using cloud services
- requirements for agencies and suppliers to give effect to Te Tiriti and the Māori–Crown Partnership
- increased supplier diversity and support for market development (for example, Māori–owned businesses and small businesses).
What this means for the Māori–Crown Partnership
18 The strategy will strongly support Te Tiriti outcomes by:
- providing opportunities for Māori–owned businesses to supply services to government agencies
- recognising the importance of cloud suppliers building Te Ao Māori capability into agreements with agencies
- recognising the importance of Te Tiriti and the Māori–Crown partnership in agreements between cloud suppliers and agencies.
What this looks like in practice
19 The high–level design for the IaaS and Cloud Services channel will include:
- service catalogues — the creation of a new Marketplace channel with service catalogues for data centre services, current (first–gen) IaaS Services, public cloud IaaS services, Platform as a Service (PaaS) services, and web application (SaaS) services.
- supplier application — once the channel is established, suppliers will be able to provide agencies with infrastructure and cloud products and services via the Marketplace. New suppliers can join the Marketplace using the online application process.
- Marketplace agreement — during the process, suppliers will be asked to sign the Collaborative Marketplace Agreement (CMA), which sets the ground rules for their membership of the Marketplace. It describes how government agencies procure services through the Marketplace and, where relevant, recognises pre-existing all–of–government agreements some suppliers already have.
- secondary procurement — agencies will still undertake some form of secondary procurement process, which involves comparing service providers on the Marketplace. By having the primary procurement process covered by joining the Marketplace, this is a faster and more contained process.
- security tiering — the Marketplace employs a 3–tier security process. Tier 1 (certified by the GCDO) is the most rigorous and comparable to processes for existing IT infrastructure and telecommunications services. Entry level for all suppliers is Tier 3 (baseline check only), with the move to Tier 2 (endorsed by the GCDO but requires agency certification) and Tier 1 decided on a service–by–service basis.
20 The end goal is to have a comprehensive set of Marketplace catalogues and agreements that government agencies can use to procure the full range of IT services that they need (including IT infrastructure and cloud services).
Detailed description
A diagram showing the proposed Marketplace channels grouped together by type of service.
Professional Services:
- Consulting
- Development
- Cloud
- Networking
- Security
- Transition
Managed Services:
- Legacy
- Cloud
- Networking
- Security
- Orchestration
- Aggregation
Cloud and Infrastructure:
- IaaS
- First-gen
- Next-gen
- PaaS
- SaaS
Networking:
- Physical
- Logical
- Cloud
- Telephony
Security:
- Perimeter
- End Point
- Network
- Cloud
- User
Enterprise Software:
- Office 365
- Oracle
- SAP
- Payroll
- OS
Timeline for implementation
21 There will be a project to implement the strategy. This project is planned to begin in the 2023–24 financial year, with the IaaS and Cloud Services Channel to be established this financial year.
22 Transitioning existing IaaS and cloud suppliers to this new channel will be a high priority, but the process and related timeframes will be dependent on government agencies and negotiations with existing suppliers.
23 Cloud suppliers that do not have existing framework agreements will also be able to join the channel at this time on a case–by–case basis.
24 Other channels will be established for telecommunications and managed security services. These channels will be established after the IaaS and Cloud Services Channel.