Draft Administrative Order: Cloud First Policy, September 24, 2014

MALACAÑANG PALACE MANILA

BY THE PRESIDENT OF THE PHILIPPINES

ADMINISTRATIVE ORDER NO.______

ADOPTING CLOUD COMPUTING SOLUTIONS AS AN ICT DEPLOYMENT STRATEGY FOR DELIVERING SERVICES IN THE GOVERNMENT

WHEREAS, Section 24, Article II of the 1987 Constitution provides that the State shall recognize the vital role of communication and information in nation-building;

WHEREAS, Section 2(b) of Executive Order (EO) No. 47 (s. 2011) mandates the Information and Communications Technology (ICT) Office, under the Department of Science and Technology (DOST), to provide an efficient information and communications technology infrastructure, information systems and resources to support an effective, transparent and accountable governance and, in particular, support the speedy enforcement of rules and delivery of accessible public services to the people;

WHEREAS, the government recognizes the need to utilize ICT to optimize asset utilization and reduce operating costs;

WHEREAS, the government acknowledges that cloud computing is a more cost-effective, secure and robust means of deploying ICT solutions;

NOW, THEREFORE, I, BENIGNO S. AQUINO III, President of the Philippines, by virtue of the powers vested in me by law, do hereby order:

Section 1. GENERAL POLICY.

All Departments, National Government Agencies and Government-Owned and Controlled Corporations (GOCCs), including State Universities and Colleges (SUCs), are directed to adopt cloud computing as the preferred ICT deployment strategy for their own administrative use and for the delivery of government services, except in the following cases: (1) when it can be proven that an alternative ICT deployment strategy is more robust and cost-effective at the same level of security provided by cloud computing; and (2) when cloud computing cannot meet the processing requirements of a particular application of a government agency.

Congress, Judiciary, Constitutional Commissions and all local government units are likewise encouraged/enjoined to adopt cloud computing.

Section 2. DEFINITION OF TERMS

The definition of terms used in this Order shall be as follows:

2.1 CLOUD COMPUTING

A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, software, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

2.2 CLOUD INFRASTRUCTURE

The collection of hardware, software and other related goods and resources that enables the provision of cloud services.

2.3 COMMUNITY CLOUD

The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.

2.4 DATA BREACH

A data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so.

2.5 DATA ENCRYPTION

The conversion of data into a form, called ciphertext, that cannot be easily understood by unauthorized people. In an encryption scheme, the message or information (referred to as plaintext) is transformed by an encryption algorithm into unreadable ciphertext, which can be turned back into the plaintext only by those holding the corresponding key.

2.6 GOVERNMENT CLOUD OR GOVCLOUD

It is a hybrid cloud offering cloud services intended for the exclusive use of the government.

2.7 HYBRID CLOUD

A cloud deployment model composed of two or more distinct cloud deployment models (e.g., private and public) that remain separate entities but are bound together to allow data and application portability between them.

2.8 INFRASTRUCTURE AS A SERVICE (IaaS)

The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).

2.9 PLATFORM-AS-A-SERVICE (PaaS)

The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.

2.10 PRIVATE CLOUD

The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.

2.11 PUBLIC CLOUD

The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider and/or its suppliers.

2.12 SOFTWARE-AS-A-SERVICE (SaaS)

The capability provided to the consumer is to use the service provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

2.13 SECURITY AUDIT

A security audit is a systematic evaluation of the security of an organization's information system, measuring how well it conforms to a set of established criteria. A thorough audit typically assesses the security of the system's physical configuration and environment, software, information handling processes, and user practices. Security audits are often used to determine regulatory compliance with legislation that specifies how organizations must handle information.

2.14 SECURITY BREACH

A security breach is an incident in which the security policy, procedures and/or systems of an organization are violated, and is often one of the earliest stages of an attack by a malicious intruder, whether a person or a malicious application. Depending on the nature of the incident, a security breach can range from low-risk to highly critical. A security breach is also known as a security violation.

2.15 SERVICE LEVEL AGREEMENT

Documented agreement between the cloud service provider and cloud service customer that identifies services and cloud service level objectives.

Section 3. READINESS OF THE AGENCY

Government institutions shall determine their level of readiness to adopt cloud computing for service delivery and for running their applications and/or systems, based on guidelines to be formulated by the DOST-ICT Office, taking into consideration the basic cloud service models and deployment models as follows:

3.1 Software-as-a-Service (SaaS)

3.2 Platform-as-a-Service (PaaS)

3.3 Infrastructure-as-a-Service (IaaS)

3.4 Private Cloud

3.5 Public Cloud

3.6 Community Cloud

3.7 Hybrid Cloud


Section 4. GOVERNMENT CLOUD (GOVCLOUD)

A Government Cloud facility shall be established to host all services of government, subject to guidelines on the prioritization of ICT resources and government services to be placed in the GovCloud. All government agencies shall use the GovCloud for their respective cloud computing service requirements. If the required cloud computing resources are not available in the GovCloud, an agency's ICT requirements may be sourced from other approved or certified cloud service providers on a short-term basis.

Section 5. RESPONSIBILITIES OF DOST- ICT OFFICE

The DOST-ICT Office shall establish, administer, operate and maintain the GovCloud pursuant to this Administrative Order. The DOST-ICT Office shall likewise promote the use of the GovCloud and provide technical support, maintenance, security and capacity-building assistance to government agencies availing of GovCloud services.

Section 6. RESPONSIBILITIES OF OTHER GOVERNMENT AGENCIES

Other government agencies shall have the following responsibilities:

6.1 Use the GovCloud in their daily operations and as a tool in the realization of their mandates;

6.2 Promote GovCloud to other government agencies and the public;

6.3 Follow all policies, rules, and regulations relating to the use of the GovCloud and related services;

6.4 Submit any cloud provisioning initiatives to the ICT Office for notification and/or approval.


Section 7. LEGAL AND REGULATORY REQUIREMENTS

Government institutions, including the DOST-ICT Office, shall consider the following before implementing the basic cloud service models and deployment models:

7.1 Existing Laws and Regulations. The applicability of laws and regulations that affect cloud computing initiatives, including those on confidentiality, visibility, data location, privacy and security controls, and records management, shall be considered. Contracts with a cloud service provider (CSP) shall specify the CSP's obligations with respect to the agency's/organization's responsibilities for compliance with relevant laws and regulations. The CSP shall not compromise compliance with the following laws, among others:

7.1.1 Data Privacy Act of 2012 (R.A. 10173)

7.1.2 Cybercrime Prevention Act of 2012 (R.A. 10175)

7.1.3 Electronic Commerce Act of 2000 (R.A. 8792)

7.1.4 National Archives Act of 2007 (R.A. 9470)

7.1.5 National Security Clearance System for Government Personnel with Access to Classified Matters and for Other Purposes (Executive Order No. 608)

7.2 Governing Law. The GovCloud shall be governed by the laws of the Republic of the Philippines. All contracts, agreements, and service level agreements pertaining to the GovCloud shall be bound by Philippine laws, and any claims or issues raised shall be resolved in the Philippine courts or Philippine adjudicatory bodies.

Section 8. SERVICE LEVEL AGREEMENTS (SLAs)

The agency/organization shall include SLAs in its contracts to specify and clarify performance expectations and to establish accountability. The SLAs shall be tied to the provisions of the contract on incentives, penalties, disaster recovery and business continuity, and contract cancellation, so that the agency is protected in the event that the service provider fails to meet the required level of performance.

Section 9. MIGRATION PROCESS

The ICT Office shall formulate the migration procedures for government agencies transferring their data, infrastructure and services into the GovCloud considering the type of cloud computing services adopted.

Section 10. DATA OWNERSHIP AND DATA LOCATION AND RETRIEVAL

All contracts and agreements pertaining to the provisioning of cloud services to government agencies covered by this Order shall contain provisions establishing ownership rights over the data in favor of the government. All private-sector cloud service providers must also be able to isolate and clearly identify the data and other information system assets of the government agency they serve, and must be able to demonstrate that the same data are protected at all times, remain owned and controlled by the government, and are retrievable at any time.

Section 11. INFORMATION SECURITY REQUIREMENTS

Government institutions, in adopting cloud computing, shall protect the confidentiality, integrity and availability of data. The use of PNS ISO/IEC 27002:2005 as the basis for preparing the information security management system of each government agency is hereby mandated as the minimum requirement.

Section 12. INTEROPERABILITY REQUIREMENTS

Government institutions shall require that the components of a cloud infrastructure be interoperable, i.e., able to work together to achieve their intended result, based on the Philippine Government Interoperability Framework and international standards. The components may come from different sources, both cloud-based and traditional, and from public and private cloud implementations. To facilitate the exchange of data between systems, it shall be possible to replace a component with a new or different component from another provider and have the system continue to work.

Section 13. IMPLEMENTING GUIDELINES

The DOST-ICT Office, in consultation with other government agencies and ICT-related organizations, shall formulate and issue the necessary rules and regulations that will serve as the basis for the adoption and implementation of cloud computing services, within ninety (90) days from the effectivity of this Order.

Section 14. AGENCY COMPLIANCE

Within one hundred fifty (150) days from the effectivity of the Implementing Rules and Regulations (IRR), each government institution covered by this Order shall submit to the DOST-ICT Office a three-year Compliance Plan on the adoption of cloud computing solutions. The DOST-ICT Office shall monitor the formulation and implementation of the Compliance Plan of each government agency.

Section 15. APPROPRIATIONS

The amount necessary to implement the provisions of this Administrative Order shall be charged against the current appropriations of the implementing government institution, subject to the usual government accounting and auditing rules and regulations. Thereafter, the funds needed for continued implementation shall be included in the annual General Appropriations Act. The DOST-ICTO shall include in its annual appropriations the amount necessary for the personnel services and infrastructure, including the data centers, servers, appliances, equipment and utilities necessary to run and operate the GovCloud, subject to the rules and regulations of the Department of Budget and Management, the General Appropriations Act, and other applicable rules. The DOST-ICTO shall be allowed to charge fees from its subscribers for the use of GovCloud facilities and services on a cost-recovery basis to fund its variable expenses, in accordance with the provisions of AO No. 31 (s. 2012).

Section 16. REPEALING CLAUSE.

All issuances, orders, rules and regulations or parts thereof which are inconsistent with the provisions of this AO are hereby repealed, amended or modified accordingly.

Section 17. SEPARABILITY CLAUSE.

Should any provision of this AO be declared invalid or unconstitutional, the other provisions not affected thereby shall remain valid and subsisting.

Section 18. EFFECTIVITY.

This AO shall take effect immediately.  


DONE, in the City of Manila, this ___th day of _______, in the year of our Lord, Two Thousand and Fourteen.

(Sgd.) BENIGNO S. AQUINO III

  By the President:

(Sgd.) PAQUITO N. OCHOA, JR.

Executive Secretary  
