US Treasury guidance sets out sanctions compliance duties for virtual currency industry
Out-Law Analysis | 27 Apr 2018 | 10:17 am | 14 min. read
The UK's 'cloud first' policy and G-Cloud marketplace have undoubtedly helped boost UK public sector use of cloud. In mid-2011, six UK government departments stated that they had no plans to move to cloud computing. In 2010, only 38% of the UK public sector had formally adopted at least one cloud service; by 2015, that proportion had more than doubled to 78%, according to Cloud Industry Forum research.
The G-Cloud model was ambitious, but grew from a small initial uptake in 2012 to become a major part of the government's IT infrastructure. Use of it helped contribute to savings in government IT spend of £725 million in 2016/17, with 47% of the spend going to SME suppliers.
Other countries should assess and adopt the framework for re-use if they want their public sector to gain the efficiency and capability benefits of cloud computing without compromising security or confidentiality.
We have separately examined the particular security and assurance challenges of the G-Cloud project.
What is the G-Cloud?
The G-Cloud is a framework for UK public sector bodies to buy cloud-based IT services. It was established during the financial crisis as government departments' and public bodies' budgets were cut. It was intended to avoid the failures that had dogged high profile government IT projects in the past, moving them away from bespoke monolithic IT contracts.
The UK government identified the potential for public bodies to access more standardised, agile, scalable and innovative solutions through cloud computing. Whilst acknowledging it would likely be uncomfortable and unchartered territory for many public bodies, the UK government accepted in the wake of the financial crisis that public bodies could not, and should not, continue paying for bespoke IT goods and services.
Its decision to embark on the G-Cloud journey, whilst bold, paved the way for the G-Cloud the UK has today - a simpler, efficient process of buying IT, specifically cloud services, in a cost-effective way for the benefit of government and ultimately taxpayers.
Main objectives of G-Cloud included not only cost-efficiency, simplicity and speed of process, but also improving the UK public sector's access to a wider range of pre-vetted vendors and services, through a more open, transparent and competitive marketplace. By achieving this it was also hoped that the market for government IT services would become more level and open to SMEs, allowing flexibility.
Similarly, by expecting pricing and services and contract terms to be published on the marketplace, the UK government intended G-Cloud to foster greater competition. Allowing suppliers to continuously offer new or improved updated services would also enable the UK public sector to benefit from technological innovation.
Antiquated legacy contracts can often mean antiquated legacy technology, which in turn poses its own risks, not least in respect of operation and security. The introduction of G-Cloud allowed for a digital transformation – an ability for public bodies to use the G-Cloud marketplace as a catalogue to 'shop' for new and innovative technologies from suppliers big and small, at specific price points in a quick and simple way.
Of course, it should be emphasised that G-Cloud is not the only way for public sector bodies to procure cloud services. They can use other routes if they wish, and many have. However, G-Cloud is intended to ease and simplify government procurement of cloud services.
G-Cloud is made up of:
- a 'digital marketplace' of supplier services;
- standardised contract terms which apply to all transactions;
- pre-approval guarantees that suppliers meet privacy and security requirements; and
- SME-friendly streamlined process for suppliers to join the marketplace.
Although it was mooted in 2009, G-Cloud first went live in February 2012. There have been nine iterations of the G-Cloud, with a tenth due to go live in June 2018. Initially the take-up was modest. Public bodies in the UK spent just over £2.2m on 99 IT services in its first six months.
Figures up to July 2017 show that £2.4bn of business has been done through the G-Cloud to date, with 47% of total sales by value and 73% by volume going to SME suppliers, which found it difficult in the past to win huge government IT contracts.
The digital marketplace contains many SMEs as suppliers, but also cloud giants such as Microsoft, Amazon, Google, IBM, Oracle and Salesforce, offered directly or through intermediaries and resellers.
Examples of G-Cloud use
Central government has driven sales through the G-Cloud by adopting a 'cloud first' policy. In 2013, the Cabinet Office announced that central government departments would be required to consider and fully evaluate potential cloud solutions before looking at procuring alternative IT services. Under the 'cloud first' policy, it was permissible for government buyers to select non-cloud solutions, but they had to evidence that those solutions offered better value for money than the cloud-based services. The policy was not mandated for other public sector organisations, but the approach was strongly encouraged.
The 'cloud first' policy was intended to drive wider public sector adoption of cloud computing in order to boost competition, reduce costs, and increase efficiencies. The G-Cloud 'CloudStore' site that resulted from such policy - an online catalogue of services - offered a "quicker, cheaper and more competitive way" for the UK public sector to buy IT. The UK's Cabinet Office stated that "many government departments already use G-Cloud, but IT costs are still too high. One way we can reduce them is to accelerate the adoption of cloud across the public sector to maximise its benefits."
The government's approach to the use of cloud services has since evolved.
It published new guidance on public sector use of public cloud in January 2017. This emphasised that public sector bodies can "safely put highly personal and sensitive data into the public cloud", taking a risk-based decision for the systems and data concerned following risk management assessments, including regarding security.
The guidance also noted that major cloud infrastructure and platform providers understand customers' security concerns and have invested heavily in implementing secure products and guidance on secure use of their services, and that generally the more sophisticated cloud providers also have experience with data protection law requirements and offer standard terms to help customers meet their legal responsibilities.
In February 2017, the UK government followed up on its guidance with an updated 'cloud first' policy.
The revised policy explained that the 'cloud first' approach applied to public cloud solutions as opposed to "a community, hybrid or private deployment model". The government said this was because the "primary benefits" for the government from cloud computing are available in public cloud solutions.
Like under the old policy, departments are able to select alternative IT solutions where these provide better value for money. The new policy clarified that 'value for money' means "securing the best mix of quality and effectiveness for the least outlay over the period of the use of the goods or services bought". According to the policy, Government Digital Service (GDS) – a unit set up within the Cabinet Office to support digital transformation inside government – is on hand to help departments make such assessments.
The new policy recommended that departments consider cloud-based 'software-as-a-service' solutions, particularly for their enterprise IT and back office functions, and that they should "make use of public cloud hosting" whenever they need bespoke solutions.
UK plans to move beyond the 'cloud first' approach to becoming 'cloud native'
GDS has expressed its aspirations for the UK public sector to go beyond 'cloud first' and become 'cloud native'.
GDS said 'cloud native' was "not just about considering cloud before other options" but about "adapting how we organise our work to really take advantage of what’s on offer and what’s emerging". It said: "To become cloud native, we need to focus on the digital outcomes we need and how to achieve them".
GDS acknowledged it needed to better understand what different cloud providers offer in relation to security and where public sector should "place [their] trust".
"To truly become cloud native, we need to transform how we monitor and manage distributed systems to include ever more diverse applications," GDS said. "We need to deepen our conversations with vendors about the standards that will help us manage these types of technology shifts. We need to continue to ensure we always choose cloud providers that fit our needs, rather than basing our choices on recommendations."
Adopting the G-Cloud model
Other governments considering implementing the G-Cloud model in their jurisdiction can learn lessons from the way G-Cloud was implemented, and has subsequently evolved, in the UK.
For example, following feedback from buyers and suppliers, the way that cloud solutions available on the digital marketplace are categorised was changed by the UK government in time for G-Cloud 9, the latest iteration of G-Cloud.
Initially, the cloud services on offer were split into four different 'lots' – infrastructure-as-a-service (IaaS) solutions; platform-as-a-service (PaaS) solutions; software-as-a-service (SaaS) solutions and; specialist cloud services.
However, suppliers told the government that they were finding it difficult to describe their services without knowing which terminology buyers were using to search for their requirements, while buyers had difficulty finding what they were looking for in the marketplace as the indexing did not tie in with how they wanted to search for and buy cloud technology.
Now, cloud solutions are indexed within one of three main categories: 'cloud hosting', 'cloud software' or 'cloud support'.
Similarly, the duration of G-Cloud frameworks has changed over time. G-Cloud 9 is also the first iteration of the framework not to overlap with another version.
The rolling approach, which continued up to and including G-Cloud 7 and 8, allowed the government to experiment with new approaches, such as introducing different terms and conditions for G-Cloud contracts and evaluating, in a live environment, whether the new way of doing things were preferred to the old. It was also designed in that way to enable suppliers to change their offerings between frameworks in the hope that improvements and innovations could be made available more quickly to potential buyers.
However, the government found that there were benefits to removing the overlapping of G-Cloud framework iterations and so launched G-Cloud 9 in May 2017 as the sole G-Cloud framework in operation.
It highlighted advantages to this approach, such as having "consistent information about all services to bring more of the G-Cloud buying journey online" and for buyers and suppliers to be able to use "one set of contracts for all their G-Cloud services".
The government has also shown a degree of flexibility over the setting of the maximum term for call-off contracts under the G-Cloud frameworks. Originally, the maximum term was 12 months, reflecting the hard-line approach towards ending long-lasting, complex government IT contracts. However, after G-Cloud 1, the maximum term was increased to 24 months. For G-Cloud 9, the potential to twice extend call-off contracts by up to 12 months at a time was introduced in response to concerns that some technology contracts procured via previous G-Cloud frameworks may have been too short for some buyers.
Contract terms have also evolved as the G-Cloud initiative has developed over time. The UK government has become more open in the way it has engaged with buyers and suppliers on this issue.
For instance, for G-Cloud 9, it shared draft documents, including differences in the framework agreement and call-off contract from those that applied under G-Cloud 8, in advance of the new framework taking effect. In addition, it has provided alternative clauses for customers to use when procuring certain services available through the G-Cloud, such as clauses that accord to the specifics of the law in Scotland or Northern Ireland, or which place certain additional obligations on the supplier, such as in respect of health and safety.
For some suppliers, particularly SMEs, there has been some frustration about the complexity in the process of becoming a listed G-Cloud supplier, understanding all the terminology applicable to the frameworks, and in outlining their expertise in a way which will stand out to buyers searching for available solutions in the digital marketplace. The previous overlapping nature of G-Cloud frameworks, and therefore the ever evolving contract terms to meet the requirements of, did not aid matters.
The UK government has taken steps to simplify the process and terminology used through its engagement with industry via a variety of means, including through the sharing of draft documents, feedback on reasons for failed applications, and guidance materials.
In designing the procurement process for G-Cloud, the UK government has had to pay close attention to the requirements of EU public procurement laws. Those laws, which aim to ensure a level playing field for businesses across the EU in bidding for public contracts, have significantly influenced the way in which the G-Cloud functions.
For example, despite calls for better search functionality from users, the government in 2015 decided that it could not allow buyers to search for supplier names when seeking IT solutions via G-Cloud for fear that it would breach the procurement rules.
Other governments exploring the potential of the G-Cloud model would need to be mindful of the need to design the procurement process in a way which is both user-friendly and compliant with rules on public procurement.
Information assurance and security
One of the biggest barriers to cloud adoption has consistently been fears about the security of data, particularly in the public sector. A very important aspect of G-Cloud has therefore been its approach to security and assurance.
There has been a security accreditation process for suppliers to pass through to be eligible for certain contracts on offer via the G-Cloud frameworks since the inception of G-Cloud 1. Initially passing through this process was highly resource-intensive, costly and slow for suppliers. It has subsequently evolved into something much more practical.
Governments considering adopting the G-Cloud model can learn from the challenges posed by the UK government's initially clunky security accreditation process, which we have gone into in some depth, and from the changes it has made to make the process much less burdensome.
The UK government's G-Cloud frameworks have not been perfect. From the outset, compliance, culture and capability were seen as major barriers to G-Cloud adoption, with public sector reluctance, including lack of awareness and understanding, being a major issue. The challenge of raising awareness was acknowledged by the G-Cloud team. It published success stories in a bid to highlight the potential of G-Cloud to others, and further sought to educate buyers as well as suppliers.
Whilst the activities fashioned to address this certainly helped at a central government level, the uptake of G-Cloud at a local authority level remains an issue. The Cabinet Office was reportedly working to "better understand the needs of local authorities" as regards cloud adoption. The relative benefits of a G-Cloud model for central versus local government in any given country would seem to be a topic worth attention at an early stage of designing any similar marketplace.
A recent Institute for Government (IFG) paper considers how the UK has historically struggled with discord between policy and implementation, with insufficient attention being given to the practicalities of the latter. In line with the IFG recommendations, any government hoping to introduce policy and implement a cloud framework should ensure digital and policy specialists work together, not in relay, allowing for constant flexibility and adaptability.
An obvious pitfall to avoid for any government hoping to institute their own cloud frameworks is to avoid the confusing terminology and multiple-systems approach of the earlier G-Cloud frameworks.
The initial complexity of the G-Cloud frameworks, particularly their rolling overlapping nature, has been dealt with in part by doing away with multiple frameworks from G-Cloud 9 onwards. Although it took some five years for the UK to produce a digital marketplace with a simpler application process, other countries could benefit from the UK's experiences.
Running a cloud framework like a service, and calibrating it for different uses, would be welcomed. This might include better mechanisms for repeated procurement and focused contracts, for example. The G-Cloud has not yet developed features such as one-click purchasing, which would be welcomed by those familiar with the process who see its rigidity as frustrating.
Clear, accessible guidance for suppliers from the outset would also help to avoid delays, as happened with G-Cloud where submission deadlines were postponed for several frameworks due to the large volume of queries from SME suppliers, including regarding the contractual documents.
More guidance and help could be provided to new suppliers unfamiliar with G-Cloud or government procurements, not just suppliers on existing frameworks, bearing in mind that suppliers' expertise and experience may vary considerably, such that a "one size fits all" approach may not be the most effective.
The amount of work needed to submit applications is still considerable. Ongoing plans to improve contracts, already shortened and simplified in recent frameworks, can only benefit suppliers and buyers alike, as long as brevity is not at the expense of clarity.
In addition, despite the 'cloud first' approach mandated for central government departments, and encouraged elsewhere in the public sector, and wider improvements to the procurement process and security accreditations, the use of G-Cloud across the UK public sector is patchy. There is a lot more work for the UK government to do to encourage local authorities, for example, to procure cloud-based services through the G-Cloud.
Training of procurement teams in public sector bodies on digital skills, such as cybersecurity, might help raise awareness of the measures that can be taken to enable the benefits of cloud computing to be deployed more widely in the sector, and help those teams recognise that security and data protection issues are not a barrier to cloud adoption, that there are ways of managing risk, and that those ways are provided for in the G-Cloud regime.
Despite the challenges, the thinking behind G-Cloud and the market offering is laudable – it opened up the market, reduced transaction costs for both government and suppliers and drove digital transformation. This was only possible with the support of underlying government policy.
Claire Edwards is an expert in technology contracts at Pinsent Masons, the law firm behind Out-Law.com.
US Treasury guidance sets out sanctions compliance duties for virtual currency industry