Secondary procurement of public cloud services
This guidance is provided to support Agencies purchasing public cloud services from Marketplace. Agencies are required to apply their own procurement policies and procedures.
1. The procurement of public cloud services is different from the more orthodox procurement of goods and services in the following ways:
a) more often than not, the cloud service providers are based overseas or use third party infrastructure based overseas from which to provide their cloud services;
b) the cloud service providers are usually providing highly commoditised services and are usually targeting large global audiences;
c) cloud service providers’ business models usually depend on high consumption volumes with minimal to no on-boarding effort on their part for individual customers;
d) the transparency of online international pricing and services ensures competition between providers that, in many respects, is comparable to pricing within a commodity market;
e) suppliers’ margins for individual customers are often low;
f) for these reasons, most public cloud service providers are unlikely to participate in public procurement processes for individual purchases unless (and even then only in some cases) the value of the projected spend is high;
h) agencies using Marketplace will be expected to apply their own policies and follow the government rules of sourcing when making procurement decisions. The business rules for the marketplace have been developed with the following considerations in mind.
2. We believe that the approach taken by agencies undertaking a secondary procurement through the marketplace should:
a) take into account the matters mentioned above; and
b) reflect the different kinds of purchasing decisions that agencies could be making.
3. We also think it needs to be realistic given the nature of public cloud services whilst also enabling:
a) comparison of the same or similar cloud services where required or desired; and
b) interaction with relevant cloud service providers when an agency needs further information before being able to make a purchasing decision.
4. The preferred secondary procurement processes are essentially a combination of Marketplace design and implemented secondary procurement processes.
Typical Secondary Procurement Process for Procurement of Public Cloud Services
The following describes the steps of a typical secondary procurement process that will be undertaken through Marketplace:
Step 1 – Agencies to be shown competing offerings by default:
i. Marketplace presents the competing offerings to agencies by default (by category tags), regardless of the potential cost of their purchasing.
ii. When an agency searches for a particular type of public cloud service, Marketplace will also show the competing offerings.
iii. The agency is able to then drill into the differing offerings as it chooses. This design choice immediately creates transparency of competing service providers.
Step 2 – Assessment of simple versus complex sign-up:
i. Agencies have differing informational and assurance needs depending on the nature and complexity of the kind of cloud service they wish to use.
ii. It is proposed, therefore, that an agency would be prompted, when in the marketplace, to indicate whether it is simple or complex for the agency to sign up for the services.
iii. In making this assessment, the agency would need to consider its requirements, the nature of the services, the amount of functional and assurance-related information already available on Marketplace and the extent to which it may require further information from suppliers to make an informed decision and satisfy its own cloud-related certification and accreditation responsibilities.
iv. This is a matter for each agency. Subject potentially to a ‘direct purchasing’ off-ramp for purchases of low value, the answer to this question would take the agency to one of two alternative short form competitive processes.
Step 3 – Short form competitive process:
i. The short form competitive process could take one of two forms, depending on whether the agency:
a) can obtain sufficient information from the marketplace to make a decision (aka simple); or
b) requires significant further information from suppliers before being able to determine which service(s) would meet the agency’s requirements (aka complex).
ii. The two types of competitive evaluative process are summarised as follows:
a) Simple sign-up evaluative process – primarily passive evaluation:
The evaluative process for simple procurements would be by reference to pre-existing information on service listings in the marketplace (which may include links to other information that the service providers already make publicly available to all customers) but an agency could ask specific questions of suppliers if it wished.
This differs from a traditional RFP / RFQ / closed tender approach as it’s more passive in nature by reference to information suppliers have already supplied as part of the on-boarding process. For that reason, we’re referring to it as a ‘primarily passive evaluation’.
b) Complex sign-up evaluative process – interactive evaluation:
The competitive process for non-simple sign-ups would involve evaluation of suppliers’ information on Marketplace together with their responses to a mini-RFP.
This is a more formal process than the primarily passive evaluation and is expected to involve more active and agency-specific input from suppliers.
Cloud security risk and assurance considerations
To support security risk and assurance processes and decisions, Marketplace has been designed to apply a three-tier Security Assurance and Cloud Endorsement Model to Public Cloud Services.