SP-01 CloudGovCo
  • States requirements for security certifications.
  • Involves all key stakeholders at an early stage (procurement, legal, budget/finance, security, IT, and business leadership).
  • Focuses on overall application-level, performance-based requirements.
  • States requirements in commercial cloud industry-standard terminology and permits the use of commercial practices.
  • Purchases cloud services as a commercial item with acceptance of the cloud service provider’s unique terms and conditions.
  • Allows for evolving terms and conditions in order to benefit from dynamic cloud-service enhancements.
  • Creates separate acquisition approaches for each cloud service model (SaaS, PaaS, IaaS).
  • Separates acquisition of cloud infrastructure and the purchase of related services and labour, for maximum cost efficiency.
  • Develops an acquisition model for the on-demand, utility-style, pay-as-you-go nature of cloud computing.
  • Requires industry best practices and certifications for security, privacy, and auditing to assure that effective physical and logical security controls are in place.
  • Addresses the shared responsibility of security and compliance.
  • Retains full control and ownership over data and has the ability to choose the geographic location(s) in which to store data.
  • Retains full control and ownership over data when the organization defaults on payable invoices (90+ days).
  • Defines evaluation criteria for the cloud that focus on requirements for system performance.