OASIS Public Administration Cloud Requirements (PACR) Technical Committee

Governments are evaluating the use of, and increasingly converting many of their information and communication technology ("ICT") systems to cloud and other remote distributed computing services and installations. The nature of these relatively novel systems requires some re-examination of the public policy and government responsibility requirements generally applied to ICT functions on which public administrations rely, including their:

• Safety, reliability, stability and minimal risk;
• Legislative conformance;
• Regulatory compliance;
• Degree of control and auditability by or on behalf of the responsible public administration;
• Reliance on and vulnerability to single sources, vendors, formats, applications or computing protocols;
• Usability and extensibility of data and data functions by anticipatable stakeholders;
• Portability of data;
• Portability and composability of data functions across multiple systems and clouds operating in concert;
• More agile enhancement and maintenance and multi-site resilience;
• Cost effectiveness; and
• Skills needs.

The increased speed, functionality, reach and efficiencies sought and availability from cloud computing methods in some cases puts unique stresses on the foregoing conventional ICT requirements, and may also give rise to special needs not encountered or well defined in segregated, stand-alone computing installations.

Some work has been done (as cited below) in creating typologies of cloud computing service function levels, and towards models of services; and several recently-formed coalitions have proposed requirements lists at one or another level of cloud activity, some of which are beginning to form a web of partially overlapping and disjointed mass of specifications and candidate standards.

However, there is little help available to governments to integrate those lists into common, readily-understood rules that inform procurement, auditable assurance and conformance testing and acquisition criteria; and little or no openly available, vendor-neutral information mapping of such requirements to the rather large but loosely-organized body of existing ICT standards.

The foregoing state of affairs can lead to haphazard, constantly-changing criteria; serious difficulties in comparing or evaluating possible cloud services; accidental data architectures (or none at all); and a failure to take advantage of easily-used but hard-to-define bodies of existing openly-available work. The Public Cloud (PACR) TC will draw together a common set of attributes and operational requirements that are relevant to public administrations, at each of the major service levels of cloud systems, and show the relationships (where applicable) to existing open standards and published governmental works that supply methods of measurement and definition.

The committee will develop a set of common required functional elements, and measurable criteria or qualities that should be present in cloud computing services or installations employed by public administration entities, whether purchased, hired or self-created and self-installed.

In this context, "should be present" refers to aspects of a cloud service or installation that are likely to be necessary to reflect public sector risk profiles in order to satisfy the public policy aspects, governmental reliability and stability requirements, responsibility to citizens and constituent stakeholders, and broad, platform-neutral accessibility that generally are expected and desirable from useful, long-term government ICT resources. In essence the work will form a ‘profile’ of government requirements, drawn from and informed by existing works.

Out of Scope: The TC's deliverables will not recommend or require the use of specific tools, products, technologies, software systems or branded commercial or non-commercial services. However, the TC may demonstrate implementation by publishing ‘profiles of the PACR profile’ based on specific protocols, and may identify which tools are used in connection therewith where needed to permit replication of results.

Within 18 months of the TC’s first meeting it will look to deliver a measurable and auditable implementation/conformance profile for government i.e. the features that governments want to see in cloud offerings to government. The profile will include as a minimum the following:

1. A base set of required attributes, expressed as architecture-neutral functional features, that generally should be sought in any cloud or remote computing infrastructure employed by or on behalf of governments (including computer networking, network management, data storage and shared repository, multi-site resilience, abstracted hosting environment, service or device management and virtualization management).
2. A base set of required attributes, expressed as architecture-neutral functional features, that generally should be sought in any cloud or remote computing platform services employed by or on behalf of governments (including common transactional, eventing, notification and messaging operations such as middleware and enterprise service buses, and interaction patterns and protocols among autonomous physical or virtual machines).
3. A base set of required attributes, expressed as architecture-neutral functional features, that generally should be sought in any cloud or remote computing data application services employed by or on behalf of governments (including application program interfaces (APIs) and end-user software applications).

   Thereafter the TC will look to deliver:

4. If deemed useful and feasible, identification of existing ICT standards and openly-available, vendor-neutral specifications that are available to implement and measure the requirements of the profile.
5. If deemed useful and feasible, gap analysis identification of those requirements where additional openly-available methods are needed for implementation and measurement.
6. If deemed useful and feasible a government Cloud Reference Model that would include amongst other aspects a common taxonomy of government services and a shared information model.

The deliverables shall:

1. Be vendor-neutral and product-agnostic. (The TC may elect to point to or provide proof-of-concept instances of specific protocol uses, but will strive for catholicity and multiple examples, and facilitate ease of implementation regardless of protocol choices.)
2. Wherever feasible, specify and explain methodologies for compatibility with legacy system integration and incremental adoption.

The committee will operate under the Non-Assertion Mode of the OASIS IPR Policy.

• Government units and other entities responsible for data and computing resources employed in public administration, particularly those who have migrated or are evaluating migrating to cloud computing architectures.
• Market participants, who consume, rely on and transact with those resources.
• Regulators and policymakers with an interest in the procurement, control, interoperability, auditability, certification and accreditation of cloud resources.
• Providers of cloud computing services, devices and advisory assistance who support the evaluation, initialization, migration, maintenance and monitoring of cloud computing services and installations.
• Data integrators for the products & services used by the foregoing.
• Providers of certification and accreditation services.

The TC will conduct its business in English but will strive to translate its deliverables in a number of non-English languages. The TC may elect to form subcommittees that produce localized documentation of the TC's work in additional languages.