Allende & Brea – Estudio Jurídico

This report cannot be considered as legal or any other kind of advice by Allende & Brea. For any questions, do not hesitate to contact us.

New guidelines for contracting IaaS and PaaS cloud services

On September 23, Provision No. 1/2020 (hereinafter, the “Provision”) of the National Office of Information Technologies (hereinafter “ONTI”) was published in the Official Gazette, by means of which Guideline 10 of the “Technological Standards for the National Public Administration” (ETAP), in its version 24, was repealed and Guideline 10 IAAS (Infrastructure as a Service) and PAAS (Platform as a Service) was approved, incorporating it into the “Technological Standards for the National Public Administration” (ETAP) version 24.0. The Provision entered into force as of September 24, 2020.

The ONTI deemed it necessary to redefine the instruments available to the National Public Sector to promote the contracting and adoption of cloud services, having noted that the current instruments could affect the participation of interested parties (for example, the Argentine Satellite Solutions Company (ARSAT S.A.)) and competition among providers.

These new guidelines serve as a guide and reference for national public sector agencies in preparing procurement documents for technological products and/or services. They do not represent technical specifications that must be included in specific procurement documents, but rather are intended to facilitate the drafting of technical requirements by agencies.

We outline below the main points of the Provision:

  1. Service providers must commit to meeting certain service and availability levels, specified in a Service Level Agreement (SLA). This SLA must be equal to or higher than the SLA the public agency needs to provide to its users;
  2. Contracting agencies must be able to measure the level of service provided by suppliers, comparing it with that committed to in the SLA;
  3. The penalties to be applied in the event of non-compliance with the functionality and availability required in the SLA must be specified;
  4. Technical specifications should detail exit strategies (service termination) to minimize lock-in with the proprietary services offered by a particular provider. To this end, the contracting agency will consider the terms and conditions or policies offered by the various providers for retaining customer data once the cloud service contract is terminated.
  5. ONTI recommends that contracting agencies give preference to services offered by other cloud providers that are functionally compatible and/or have the capacity to integrate the functionalities and features required in the specifications;
  6. Contracting agencies should avoid restricting the procurement process to a single supplier and/or including requirements based on very specific implementation descriptions. Restrictions may only be imposed if there are technical justifications for the restriction. The ONTI will assess whether the restrictions are exclusionary or unnecessary, based on the technical and functional needs that led to the specific descriptions of the required service.
  7. Main guidelines for preparing a technical requirement. The contracted service must allow and/or possess:
    1. User accounts: manage different user accounts and different levels of access to contracted resources;
    2. Statistics and usage reports: generate reports and historical usage statistics for the purpose of monitoring the use of the infrastructure or platform;
    3. Users and systems accessing the cloud service: configure interfaces so that users and/or systems that require access to the service can interoperate without difficulty;
    4. Redundancy for high availability: enable redundancy for those services considered critical;
    5. Provisioning elasticity (scalability on demand): ability to configure the elasticity (scalability on demand) of infrastructure and/or platform resources, using digital tools that allow parameterizing and automating the provisioning of computing, storage, networking, database resources, among others, increasing or reducing the available resources (within certain parameters configurable by the user), in order to provide an adequate response to unforeseen changes in demand;
    6. Infrastructure as Code: if required by the public agency, provision infrastructure resources using programming languages and batch processing files to model or provision the resources needed for applications, regardless of the region or account where they run;
    7. Load balancing: if the public body requires it, configure load balancing through digital tools so that incoming application traffic is automatically distributed across multiple sources;
    8. Resource activation schedule: if the public body requires it, define ranges or periods of activity, configuring the days and times of consumption of one or more specific resources, so that they are activated automatically on the established days and times;
    9. Advance reservation of resources: if the public body requires it, reserve resources with access to various payment facilities and discounts;
    10. Advance consumer credit reserve: If the public agency requires it, reserve a consumer credit with access to various payment options and discounts. The transferred credit must be able to be transferred to another provider account, used as a credit reserve, or transferred as credit for the following month;
    11. Architectural stress testing: If required by the public body, tools are available to simulate overloads in access and/or processing of the defined infrastructure and/or platform, allowing for different levels of demand to be established in high-demand scenarios;
    12. Technical assistance: Contracting bodies may contract technical assistance directly from the cloud service provider or from a partner (official partner of the provider);
    13. Resource audit: tools to trace actions and incidents that may have occurred on contracted resources or platforms;
    14. Production, development and testing environment: if required by the public body, perform necessary additions, deletions and modifications, develop and test applications.
  8. The required availability percentage will not be set by the contracting agencies but by the bidding providers, becoming a characteristic to be evaluated;
  9. The contracting agency must make available in the public domain the monthly availability percentages for the contracted general service, and specifically for each of the contracted services and resources. The ONTI establishes different availability ranges as a recommendation for contracting agencies;
  10. Penalties: the percentages of credit or refunds assigned as fines or penalties for unavailability of resources offered by cloud providers are part of the service characteristics. These percentages cannot be modified unilaterally by the provider. To introduce changes to these percentages, the provider must coordinate in advance with the contracting entity.
    1. It should also be noted that the specifications will establish clauses that consider the minimum average time between failures, with the aim of ensuring that accumulated unavailability in a single day does not exceed the maximum allowable.

The publication in the Official Gazette is available at the following link:

https://www.boletinoficial.gob.ar/detalleAviso/primera/235289/20200923
