Draft Administrative Order: Cloud First Policy, December 20, 2014
BY THE PRESIDENT OF THE PHILIPPINES
ADMINISTRATIVE ORDER NO.______
ADOPTING CLOUD COMPUTING AS AN ICT DEPLOYMENT STRATEGY FOR DELIVERING SERVICES IN THE GOVERNMENT
WHEREAS, Section 24, Article II of the 1987 Constitution provides that the State shall recognize the vital role of communication and information in nation-building;
WHEREAS, Section 2 (a) of EO 47 (s.2011) mandates ICTO to formulate, recommend and implement an appropriate policy and program framework that will promote the rapid development and improved global competitiveness of our country’s information and communications technology industry through research and development and through effective linkages to industry;
WHEREAS, Section 2(b) of Executive Order (EO) No. 47 (s. 2011) mandates the Information and Communications Technology (ICT) Office, under the Department of Science and Technology (DOST), to provide an efficient information and communications technology infrastructure, information systems and resources to support an effective, transparent and accountable governance and, in particular, support the speedy enforcement of rules and delivery of accessible public services to the people;
WHEREAS, the government recognizes the need to utilize ICT to optimize asset utilization and reduce operating costs;
WHEREAS, the government acknowledges that cloud computing offers the most cost efficient, cost effective, robust and the quickest means to deploy, maintain, and upgrade ICT resources;
Section 1. GENERAL POLICY.
All Departments, National Government Agencies and Government-Owned and Controlled-Corporations (GOCCs), including State Universities and Colleges (SUCs), are directed to adopt cloud computing as the preferred ICT deployment strategy for its own administrative use and delivery of government services, except (1) when no cloud computing deployment can meet the requirements of a government agency or (2) when it can be proven that an alternative ICT deployment strategy is more robust, cost effective, and as secure as a cloud computing deployment.
Congress, Judiciary, Constitutional Commissions and all local government units are likewise encouraged to adopt cloud computing.
Section 2. DEFINITION OF TERMS
The definition of terms used in this Order shall be as follows:
2.1 CLOUD COMPUTING (or CLOUD SERVICES)
A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, software, applications, storage equipment and services) that can be rapidly provisioned and released with minimal management effort or service provider’s interaction.
2.2 CLOUD INFRASTRUCTURE
The collection of hardware, software and other related goods and resources that enables the provision of cloud services.
2.3 COMMUNITY CLOUD
The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.
2.4 GOVERNMENT CLOUD OR GOVCLOUD
It is a facility established to host government online services.
2.5 HYBRID CLOUD
Deployment model of cloud computing using at least two different cloud deployment models.
2.6 INFRASTRUCTURE AS A SERVICE (IaaS)
The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).
2.7 PLATFORM-AS-A-SERVICE (PaaS)
The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.
2.8 PRIVATE CLOUD
The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.
2.9 PUBLIC CLOUD
The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud services provider and/or its suppliers.
2.10 SOFTWARE-AS-A-SERVICE (SaaS)
The capability provided to the consumer is to use the cloud service provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
2.11 SERVICE LEVEL AGREEMENT
Documented agreement between the cloud service provider and cloud service customer that identifies services and cloud service level objectives.
Section 3. READINESS OF THE AGENCY
In order for a government institution to assess its readiness for cloud computing, the DOST-ICT Office shall define and implement the standards to determine the level of readiness of a government institution to adopt the use of cloud computing for its service delivery.
Section 4. GOVERNMENT CLOUD (GOVCLOUD)
4.1 A Government cloud facility shall be established to host government online services subject to the guidelines of prioritization on ICT resources.
The facility, which shall be a hybrid cloud, shall include, but not be limited to the following:
4.1.1 Infrastructure as a Service (IaaS) which includes GovCloud hardware;
4.1.2 Platform as a Service (PaaS) which includes the Government Web Hosting Service;
4.1.3 Software as a Service (SaaS) which includes the PMGov, Forms Generator (FormsGen), Archives and Records Management Information System (ARMIS) and PhPay.
4.2 If cloud computing resources are not available in the GovCloud, ICT requirements of other government institutions can be sourced from ICT Office accredited cloud service providers on a yearly basis.
The ICT Office shall formulate accreditation guidelines which shall consider cloud confidentiality, visibility, data location, privacy and security controls and other requirements of the government.
4.3 Upon implementation and adoption of the GovCloud, the following responsibilities shall be performed/undertaken by:
4.3.1 ICT Office
4.3.1.1 Administer, operate and maintain the GovCloud, pursuant to this Administrative Order.
4.3.1.2 Promote the use of GovCloud.
4.3.1.3 Provide technical support, maintenance, security and capacity building assistance to government agencies availing the GovCloud Services.
4.3.2 Government institutions
4.3.2.1 Submit cloud services requirements to ICT Office for assessment/approval.
4.3.2.2 Use the GovCloud in its daily operations and as a tool in the delivery of its services;
4.3.2.3 Follow all policies, rules, and regulations relating to the use of the GovCloud and related services.
4.4 The operations of GovCloud shall be governed by the laws of the Republic of the Philippines. All contracts, agreements, and service level agreements pertaining to the same shall be bound by Philippine laws and any claims, or issues raised shall be resolved in the Philippine courts or Philippine adjudicatory bodies.
Section 5. SERVICE LEVEL AGREEMENT (SLAs)
The provisioning of Cloud Computing, either by the government through the ICT Office, or by ICT Office accredited cloud service providers, shall be governed by SLAs to specify and clarify performance expectations, as well as establish accountability. The SLAs should relate to the provisions in the contract regarding incentives, penalties, escalation procedures, disaster recovery and business continuity, and contract cancellation for the protection of the institution in the event the service provider failed to meet the required level of performance.
The government institutions should closely monitor the service provider’s compliance with key SLA provisions on the following aspects, among others: Availability and timeliness of services; Confidentiality and integrity of data; Change control; Security standards compliance, including vulnerability and penetration management; Business continuity including disaster recovery and contingency plans; Help Desk Support.
Section 6. MIGRATION PROCESS
The ICT Office shall formulate the migration guidelines for government agencies transferring their ICT resources into the Cloud considering the type of cloud computing services adopted.
Section 7. DATA OWNERSHIP AND DATA LOCATION AND RETRIEVAL
All contracts and agreements pertaining to the provisioning of cloud services to Government institutions covered by this Order shall contain provisions indicating ownership rights over data in favor of the government. All cloud service providers must also be able to isolate and clearly identify data and other information system assets of the government agency it serves, and must be able to show that the same data are protected at all times, owned and controlled by the government, and is retrievable at any time.
Section 8. INFORMATION SECURITY COMPLIANCE
Government Institutions, in adopting cloud computing, shall protect the confidentiality, integrity and availability of data. The use of PNS ISO/IEC 27002:2005 as augmented by ISO/IEC 27018:2014 is hereby mandated as the minimum requirement in preparing the information security management system.
Section 9. INTEROPERABILITY REQUIREMENTS
Government Institutions shall require interoperability of the components of a cloud infrastructure to work together to achieve the intended result based on international standards, such as ISO/IEC 17203:2011. The components may come from different sources including public and private cloud implementations. The components should be replaceable by new or different components from different providers and continue to work, to facilitate the exchange of data between systems.
Section 10. IMPLEMENTING GUIDELINES.
The DOST-ICT Office in consultation with other government agencies and ICT related organizations shall formulate and issue the necessary rules and regulations that will serve as basis in the adoption and implementation of cloud computing within ninety (90) days from the effectivity of this Order.
Section 11. AGENCY COMPLIANCE.
Within one hundred fifty (150) days from the effectivity of the Implementing Rules and Regulations (IRR), each Government Institution mandated under this Order shall submit to DOST-ICT Office a three-year Compliance Plan on the adoption of cloud computing. DOST-ICT Office shall monitor the formulation and implementation of the Compliance Plan of the respective government agencies.
Section 12. APPROPRIATIONS.
The DOST-ICTO shall include in its annual appropriations the amount necessary for the personnel services and ICT resources, including the data centers, servers, appliances, equipment and utilities necessary to run and operate the GovCloud, subject to the rules and regulations from the Department of Budget and Management, the General Appropriations Act, and other applicable rules.
The DOST-ICTO shall be allowed to charge fees from its subscribers for the use of GovCloud facilities and services on a cost recovery basis to fund its variable expenses, in accordance with the provisions of AO No 31 (s. 2012).
Government Institutions shall include in its appropriations the amount necessary to avail of cloud computing services from the ICT Office accredited Cloud Service Providers, subject to the usual government accounting and auditing rules and regulations.
Section 13. REPEALING CLAUSE.
All issuances, orders, rules and regulations or parts thereof which are inconsistent with the provisions of this AO are hereby repealed, amended or modified accordingly.
Section 14. SEPARABILITY CLAUSE.
Should any provision of this AO be declared invalid or unconstitutional, the other provisions not affected thereby shall remain valid and subsisting.
Section 15. EFFECTIVITY.
This AO shall take effect immediately.