The federal and private sector guidelines emphasize the importance of federal authorities using a Service Level Agreement (SLA) as part of a contract to acquire IT services through a cloud service provider. An ALS defines the level of service and performance expected by a provider, the measurement of that performance, and the enforcement mechanisms used to ensure that the levels of performance indicated are achieved. Comments: The Department of Defense approved our recommendation and said the department would update its cloud computing guidelines and contract guidelines. In August 2017, defence finalized its updated service level agreement guidelines in its Defence Measures Acquisition Guide, which contains the key practices mentioned in our report. The guide contains, for example, the roles and responsibilities of all parties to the agreement, including department staff and service provider staff; performance identification by the cloud service provider, including availability. B of the service and response time; and making available how data and networks will be managed and maintained. The guidelines also specify that the applicable consequences, such as sanctions. B, should be taken into account in the event of non-compliance with performance measures. In May 2018, the defence provided evidence that the guidelines were incorporated into cloud service contracts. For example, an audit of the contract documentation of the milCloud department showed that the language was contained, that the contractor would prove that it complied with certain parts of the service level agreement, and that the cloud provider would maintain the cloud environment in accordance with current service guidelines and guidelines. Updating its guidelines for the application of these key practices will allow defence to better measure the performance of the services received more effectively and, therefore, to ensure the provision and effective implementation of the services for which it has a contract.

The April 2016 report, agencies must incorporate key practices to ensure effective performance, detail its results and make recommendations. The GAO found that the five agencies and the 21 cloud service contracts it reviewed included most of the top ten practices.