You are on page 1of 64

UNCLASSIFIED

Data Centre Strategy


G-Cloud and
The Applications Store for
Government

Commercial Strategy Team

Workstream Report: Strategy for the High


Level Design 29th May 2010

Version 2.5 – Following Peer Review

UNCLASSIFIED
V2.5 Page 1
Authors
Gwil Davies Accenture
Barry Matthews Alsbridge PLC (industry co-lead)
Barry Jennings Bird and Bird
Neil Mellor BT
Joan Murray Buying Solutions
Bob Scott Cap Gemini
Andy Macleod CISCO
Mark O‟Conor DLA Piper
Adrian Hepworth Erudine
Dr Richard Sykes Independent
Peter Shakesby Logica
Simon Collinson Microsoft
Dr Maurette Cobb OGC
Andrew Curtois OGC
Nicky Stewart OGC (government lead)
Natalie Trainor Pinsent Masons
Rhys Sharp SCC
Reviewers
Lesley Meekes Buying Solutions
Stefan Masters Cabinet Office/Public Sector Network Programme
Andy Tait Cabinet Office
David Greenway Cap Gemini
Clive Read CISCO
Miles Gray Department for Health
Kevin Holland Department for Health
Mike Smith Department for Transport
Eileen Logie DWP
Philip Orumwense DWP
Roger Cox Gartner
Robin Wilson Gartner
Mike McCartney HMRC
Judith Mosely HMRC
David Light Home Office
Adrian Sharman MoD
Claire Henson MoJ
Tim Bett OGC
Bruce Harmsworth Partnerships UK
Steve Tuppen Serco

V2.5 UNCLASSIFIED Page | 2 of 64


v

Table of Contents

1. Executive Summary ................................................................................... 4


2. Background ................................................................................................ 7
3. Commercial Vision .................................................................................... 9
3.1 Market analysis .......................................................................................... 9
3.2 Industry context .......................................................................................... 9
3.3 Strategic drivers ....................................................................................... 10
3.4 Future vision and government capability................................................... 11
3.5 Re-use and re-deployment ....................................................................... 12
3.6 ICT Collaborative Procurement Strategy .................................................. 13
3.7 Commercial vehicles ................................................................................ 13
4. Commercial Principles .............................................................................. 14
4.1 Establishing an open market: ................................................................... 14
4.2 Running a successful market.................................................................... 16
4.3 Range of services..................................................................................... 18
5. Making it Happen ..................................................................................... 19
5.1 Transformational challenges..................................................................... 19
5.2 Four key working assumptions ................................................................. 19
5.4 Industry investment options ........................................................................... 22
5.5 Commercial mobilisation and in flight contracts transition models ............ 26
5.6 Legal and procurement related considerations ......................................... 29
6. Summary of Risks ................................................................................... 32
7. Key Recommendations and Next Steps

ANNEX A - Detailed commercial principles for software and opensource


ANNEX B - TUPE implications
ANNEX C - Data Protection, including consideration of the US Patriot Act
ANNEX D – Procurement Challenges ................................................................. 46
ANNEX E - Commercial Transition model
ANNEX F – Key risks ......................................................................................... 51
ANNEX G - Recommended commercial activities for Phase 3

V2.5 UNCLASSIFIED Page | 3 of 64


Executive Summary
The commercial potential of cloud computing and cloud services is widely accepted,
both in private industry and in the public sector. The opportunities for cost reduction
and efficiency in the UK public sector are real and achievable, but require significant
changes to procurement practices, delivery frameworks and across the supplier
landscape.

1.1 During Phase 2 of the programme the commercial strategy team has focused on understanding the
commercial implications of moving major elements of public sector IT delivery to shared, cloud based
delivery models.
1.2 The team has examined a number of commercial and contractual areas to understand potential
implications and complexities as well as the major opportunities, focussing on seven specific areas:
Commercial Principles – the overarching principles supporting the programme. These
are fundamental aspirations and objectives that a new model of cloud based delivery must
meet.
Commercial Strategy – providing the background and context to the approach and
covering wider industry context, strategic drivers and future vision as well as current and
required capability.
Commercial Roadmap – a suggested plan and framework for achieving the commercial
objectives, identifying the major steps on the journey to achieving them.
Commercial Models – covering how specific IT services will be bought and sold in reality,
based on industry expertise, parallel purchasing models and best practice and brought to
life through use cases.
Pricing Models – investigating how services will be priced, taking into account purchasing
on demand, the segmentation and price point of specific services and industry benchmarks
for existing cloud based services.
Procurement Law – analysis of the existing legal framework and associated procurement
rules governing how public sector IT services are purchased and consumed.
Industry Engagement and Investment – an assessment of the optimum way to engage
the IT industry in the programme in a way that maintains a level playing field and ensuring
alignment to other strategic government IT initiatives, along with an understanding of the
various investment options that could be applied to generate the level of investment and
commitment required to enable transition to a new way of working.
1.3 The analysis has provided a clearer understanding of the fundamental commercial implications and
opportunities which are explored in detail throughout the remainder of this document; however there
are a number of themes which at a high level give a summary of the conclusions:
Changes in business practice
o Realising the commercial benefits of cloud requires a significant change in working
practices and procurement culture. The re-use and sharing of utility applications and
services on a large scale will bring about significant efficiencies but requires strong central
control and facilitation to effect a rapid transition.
o There will need to be an effective commercial process to allow suppliers who opt to
move out to pass scope or existing contracts to other suppliers who opt to stay in.
The commercial process must also enable those who stay in to address the cost of
accelerating virtualisation and consolidation.
o In parallel there needs to be a determined Governmental organisational change
initiative with the objective of ensuring the motivation and commitment to move the sourcing

V2.5 UNCLASSIFIED Page | 4 of 64


of services and applications into the emerging G-Cloud and on to the Government
Applications Store platform in the G-Cloud.
Transition considerations
o A logical starting point for transition will be to accelerate virtualisation and
consolidation of existing data centre facilities operated by existing suppliers on behalf of
departments (the “initial consolidations”,) within the bounds of existing contracts. This will
help to identify cross government applications and infrastructures that can be used to
support initiatives owned by multi-centred communities of interest.
o In parallel, the Government Applications Store should be designed to enable the early
identification of applications (standard fit for purpose applications at best price through
utility models) that can be re-used across the public sector. Contributing organisations or
departments should be incentivised and rewarded for providing applications to be shared.
o A clear timescale and plan is required for the migration of established procurement
contractual terms which encourage long term, bundled IT services to a new model
based on the delivery of disaggregated services on demand. This will require a major
change to existing EU-influenced procurement practice, but has the potential to greatly
reduce the cost of procurement for both Government and the supplier community.
o Involvement from new suppliers to government who specialise in cloud based service
delivery should be encouraged and the framework and procurement model must be
implemented with this in mind.
Security considerations
o The major potential for public cloud based services is with those services with the
lowest security implications – i.e. those considered to be at least threat, given the
complexity and cost associated with higher security levels
o Although it is likely that computer hardware and software will initially be UK based,
the commercial model should allow for it to be physically located outside of the UK but within
EU boundaries where IA can be accommodated and built in, in order to optimise benefits
o Information Assurance will need to be treated as an ongoing activity, with IA
requirements built into the procurement process.
Dependencies
o A pre-requisite for realisation of the commercial objectives are a set of UK
Government technical & operational standards that can define the G-Cloud based on a
(significant) number of competing infrastructural service providers operating at any
appropriate security level – the public sector procurement community needs to understand
what it is it is buying.
o Information Assurance standards will be key to defining what is required, and at what
level, and whether or not facilities can be shared with non HMG clients
o The standards must enable practical & effective virtual segregation which will enable
suppliers to deliver services within the G-Cloud from a facility that may also be used for non
Government clients – this will enable new and existing entrants to realise economies of scale
and leverage existing technology.
1.4 The commercial potential of cloud computing and cloud services is widely accepted internationally
both in private industry and the public sector, with the benefits expected to include:
Improved agility in delivering public services digitally through
o reduced procurement times
o re-use of existing assets
o pre certification of services
Reduced ICT costs for the public sector through
o higher utilisation levels on infrastructure
o re-use of existing assets
V2.5 UNCLASSIFIED Page | 5 of 64
o volume discounts
o standardisation and simplification
Supporting achievement of sustainability targets through
o more efficient use of ICT assets
o more efficient data centres
Reduced risks to delivery of public services through
o improved data centre estate

1.5 The opportunities for cost reduction and efficiency in the UK public sector are real and achievable,
with initial estimates identifying cost savings of at least £500m p.a through the Government
Applications Store by 2020, £300m p.a infrastructure savings by 2015, plus a 75% reduction in power
and cooling costs by 2015. Realising these savings will require significant changes to procurement
practices, delivery frameworks and across the supplier landscape.
1.6 The remainder of this document addresses each of these major change areas in more detail. The
intended audience for this document is the public sector CIO, CTO and procurement communities, as
well as the UK ICT industry.

ANNEX D – Procurement challenges


ANNEX F – Key risks

V2.5 UNCLASSIFIED Page | 6 of 64


Background
The aggregation of demand and simplification of platforms has provided huge
economies of scale. Government has a significant legacy of applications which exhibit
low server utilisation and high operational costs. It must be understood however that the
cloud computing and cloud sourcing paradigms do not always directly lead to reduced
costs - the real challenge will be to ensure that sufficient economy of scale and
standardisation is reached quickly enough to deliver a net saving.

2.1 Cloud computing in this context is defined as the usage of clusters of standardised computing
resources managed in a highly automated fashion to service a particular business need where the
customer:
Does not own the infrastructure so as to avoid capital expenditure costs
Consumes resources as a service paying only for what is used as a utility or subscription cost
Does not always need to have or require any knowledge of the detail concerning provision of the
service
Has the option for dynamic, scalable or potentially unpredictable resource requirements.
2.2 The cloud is used as the broader term covering the availability of services that can be directly
sourced („from the cloud‟) including:
Infrastructure as a Service (IaaS)
Platform as a Service (PaaS)
Software as a Service (SaaS).
2.3 Private clouds serve a single client as part of an in-house or on-premise facility; or may serve a
restricted group of clients as part of a shared virtual data centre service but would exclude general
public usage. The overriding goals for the Data Centre Strategy, G-Cloud and Application Store for
Government Programme are to:
Reduce ICT costs (contributing to the Operational Efficiency Programme savings target
for ICT)
Provide open competition and create a vibrant marketplace enabling the best product at
the best price
Create flexibility by reducing supplier lock-in to ensure users can readily switch between
suppliers for ICT services
Reduce the carbon footprint of Public Sector ICT services

2.4 Public clouds are open for all potential users and benefit from a user base with a wide geographic,
time-zone and usage pattern mix.
2.5 The rapid development of consumer services by the likes of Amazon & E-Bay (e-commerce),
Google (search) and early enterprise services by the likes of salesforce.com (Customer Relationship
Management) has fuelled the growth of the public clouds to the point of being a serious contender in the
supply options for both government and enterprises.
2.6 The high degree of production automation that underlies the cloud model can both deliver the
economic benefits of standardisation while also enabling elements of reconfiguration by the user – a
more cost effective route to delivering the benefits of „the bespoke‟ than the creation of bespoke
software and systems.

V2.5 UNCLASSIFIED Page | 7 of 64


2.7 The Applications Store for government (ASG) in this context is defined as a library or catalogue
of business applications sourced from the cloud (which may be the G-Cloud or an external public cloud)
where the customer:
Can select an application for provision as a service from the cloud to serve their business needs
Is assured the application will work and has passed some level of accreditation
Has improved access to specifically developed applications and services, where the IPR is shared
and there is a choice from a range of suppliers
Pays for the application on a subscription or utility basis without term licences (as licence costs are
integral to the subscription or utility pricing).
There will be a single ASG for the public sector.
All services in the ASG (other than those in the “open zone”) will have been pre-procured, to
minimise procurement effort.

2.8 Government has a significant legacy of applications developed well before the cloud computing
paradigm existed and low (estimated 7%) server utilisation and a high cost of operation. The challenge
set by both the current economic climate and senior civil servants alike is to transition to a situation
where the benefits of cloud computing can be adopted to provide savings to government.

2.9 Data Centre Consolidation will:

Reduce to an optimum number of modern, resilient, efficienct and secure


data centres that may also act as infrastructure for the G-Cloud

Define and drive the standards for all Data Centres used by the public
sector

Drive value through a competitive supplier market

V2.5 UNCLASSIFIED Page | 8 of 64


Commercial Vision
The commercial vision is to improve value for money, enhance agility and realise cash
savings by creating a more open market for shared, flexible infrastructure and
applications through agreed and open standards.

3.1 Market analysis


3.1.1 Cloud computing utility and cloud sourcing change the business model and economics of IT
as they permit the “pay for use” of computing, processing time and software capabilities as opposed to
the purchase of computer infrastructure and software with licences in order to run applications. From a
commercial perspective they have the potential to replace the need for major capital investment in
discrete IT infrastructure and software with „pay as you go‟ operational expenditure. They can reduce
the overall cost of IT considerably through the reuse of software components based on a utility model,
and the reduction in development time therefore required to create or change applications or processes.
3.1.2 Networks and IT infrastructure such as data centres can be standardised, shared and their
management automated thereby reducing upfront investment costs, rationalising platforms (and hence
support costs), and increasing utilisation. This in turn permits much greater business agility, flexibility,
and operational efficiency. The standardisation of the data centre and infrastructure fabric will also
facilitate easier and, in some cases, less costly deployment of resilient infrastructure architectures.
3.1.3 The savings need to be balanced against risk, however. For this reason, whilst public cloud
services are likely to be applicable to applications with lower security and resilience requirements,
private (or virtual private) cloud services may be required to provide the levels of information assurance
and integrity essential to more sensitive government applications.
3.1.4 Despite the hype, cloud computing is driven by real advances in architecture, security, web
platforms, massively scalable processing, automation and the internet. It builds on existing models
such as utility computing, on-demand services, grid computing and software as a service. The main
market drivers for virtualisation and cloud services include IT savings from data, server and licensing
consolidation. According to Forrester (Q3 2009) 71% of enterprises in the US and Europe are already
deploying virtualisation technology, with 62% of x86 server OS instances estimated to be virtualised by
2011. By comparison a survey of UK public sector virtualisation by Kable in January 2009 indicated
52% of government bodies having implemented some form of virtualisation, but with the majority of
these addressing only up to 10% of servers
3.1.5 Exploiting such a market discontinuity requires major changes in IT deployment, business
models, skills and organisation from both users and suppliers to enable the benefits to be realised.
Cloud computing and cloud sourcing are recognised as a class of “disruptive technologies1”, with the
public cloud offering common and standardised functionality by comparison with established bespoke
solutions but at a considerably lower price point. Whilst commoditisation can lead to substantial growth,
it will therefore generate resistance as well as enthusiasm within both supplier and user communities.

3.2 Industry context


3.2.1 The primary change for the IT industry is an acceleration of the trend away from selling term
contracts for integrated and largely customised products to government and enterprise customers and
towards the provision of more commoditised services on a shorter term contract or dynamic usage
basis. The high degree of automation that underlies the cloud business model also challenges
significant parts of the established people-intensive commerce of the IT service providers.
3.2.2 The effect on industry – in particular incumbent suppliers to the public sector - is acute.
Servers, operating systems, personal computers, software and devices have generated revenue
through licenses for the technology used to implement systems. With a shift to virtualised infrastructure

1
The Innovators Dilemma, Clayton Christensen, HBS
V2.5 UNCLASSIFIED Page | 9 of 64
and near real time user changes in capacity and software configuration, new commercial models are
required that reflect the value of the services to the user. Yet these models must mitigate the
infrastructure investment risk now carried by service providers and yield an acceptable return to them.
3.2.3 Hardware and software providers, IT service providers, systems integrators, outsourcing
companies and major telecoms operators are all impacted by the shift to cloud and are developing
services to address the cloud opportunity and to mitigate the loss of traditional revenue streams. New
market requirements (such as for service integration) create opportunity for new types of suppliers,
while at the same time suppliers who have developed strong businesses in on-line consumer and e-
commerce markets are positioning to compete for enterprise and government business.
3.2.4 The shift to a cloud model will also enable new entrants in to the Government market place
including both established players, but also from the SME sector. This will bring new opportunity for
Government but also new challenges, partnership may play an important role where support and scale
are needed but overall this change will add significantly to the vibrancy of the new market.
3.2.5 Users are already changing buying behaviour and although it is unlikely either that on-
premises IT implementation will be completely abandoned or that complex mission critical processes will
move to public cloud services, there is a strong need to consume services in a more cost-effective way.

3.3 Strategic drivers


3.3.1 The public sector is seeking to reduce ICT costs, reduce carbon emissions and contribute to
the Digital Britain strategy. The Operational Efficiency Programme (OEP) and the Digital Britain report
have outlined a vision of how public services should be provided in the future, including:
Collaborative procurement to assist departmental ICT savings
Re-use of infrastructure
Encouraging investment and innovation from public and private sector
Migration from duplicated and vertically integrated solutions to common shared services
Creating new business models and a new market place.

Public spending
3.3.2 Government has agreed £30 billion of “value for money” savings in the CSR07 period, with
an additional £5 billion in 2010-11 based on the interim conclusions of the OEP announced in the 2008
Pre-Budget Report. The OEP has set out challenging efficiency targets for IT, to be achieved in three
years time, whilst Smarter Government sets out this challenge in the context of the need to deliver
responsive, quality services that meet public expectations.
3.3.3 The resulting downward pressure on departmental ICT budgets will accelerate the adoption
of transformative technologies that can yield practical benefits today and realise substantial savings in
line with CSR07/CSR10 (although conversely there is a risk that downward pressure on ICT budgets will
accelerate the extension of existing contracts in return for reduced prices).
Economy
3.3.4 The economic downturn is further accelerating impetus towards cost and carbon reduction in
IT. According to analysts IDC a slow global economy “will act like a pressure cooker on the IT market,
speeding the development and adoption of new technologies and business models."
Climate change
3.3.5 The Greening Government ICT white paper published in July 2008 laid out a clear direction
for public sector organisations to consider the energy efficiency, and disposal of IT equipment. Cloud
computing with virtualisation of servers, storage and desktops is driving the adoption of more energy
efficient thin clients and data centres and can be a significant contributor to progress in carbon
reduction. By 2020 Government aims to comply with and where possible lead best practice for
sustainability across the whole ICT lifecycle.

V2.5 UNCLASSIFIED Page | 10 of 64


3.3.6 Delivering Infrastructure as a Service (IaaS) instead of dedicated facilities requires higher
utilisation. Government is Britain‟s largest purchaser of ICT and recognises a responsibility to minimise
the negative impact of ICT on the environment. Smarter ways of working enabled by unified
communications and ubiquitous, secure access to data can further reduce departments‟ environmental
impact, saving many times the carbon footprint of the IT deployed.
Digital Britain
3.3.7 The Digital Britain report notes that government impacts on the digital economy in four ways:
In delivery of public services;
As a major purchaser of digital systems;
As commissioner and holder of data and content;
As a strategic hub for the development of Britain‟s future digital strength.
3.3.8 Citizens‟ expectations of public services are rising; industry‟s re-engineering of its business
practices for the digital world is accelerating and the pressures on public expenditure require a step
change in the efficiency of the delivery of purchases and ICT procurement. G-Cloud addresses these
concerns directly by enabling greater agility and value in the delivery of policy and services,
underpinned by the adoption of shared infrastructure at lower cost.
3.3.9 The report also addresses the development of the nation‟s digital skills. The creation of the
G-Cloud must therefore recognise the potential impact on employment and skills as well as on
information security and resilience of moving applications, data and their management offshore.
3.3.10 Provided that the business case (for the government cloud) can be properly developed, the
adoption of the G-Cloud will be a priority for government investment to secure efficiencies, even within
the very constrained environment for public expenditure over the next 3 years.

3.4 Future vision and government capability


3.4.1 G-Cloud aims to encourage the adoption of more flexible information infrastructure services
to improve agility and efficiency in public service delivery.
3.4.2 From a commercial perspective the vision is to improve value for money and realise cash
savings by creating a more open market for shared infrastructure and applications through agreed and
open standards.

3.4.3 Consumers of G-Cloud services will be able to choose from a set of stadardised set of pre-defined
service levels for resilience, availability and other performance measures. This recognises the
differences in requirement of test through to production services – for example test systems require
lower service levels than production systems.

V2.5 UNCLASSIFIED Page | 11 of 64


Current Future
Contracts Long term contracts Demand led consumption:
shorter term or spot transactions
for some service categories
Ownership Dedicated infrastructure owned Shared infrastructure owned by
by customer or providers service providers
Pricing Purchase, licence fee for Benchmarked, transparent,
technology provided, complex appropriate to the service and
contracts value enabled, with reasonable
return to provider. Built in
downward pressure on prices
with best price available to all.
Pay for use, utility, subscription
pricing models as well as
outcome models where
appropriate
Procured entity Hardware, software or Service components capable of
outsourced/managed service, seamless integration and re-use
systems integration geared to across departments and
specific departmental needs authorities
Relationship Supplier to user of technologies Provider to consumer of
services
Marketplace Restricted by high investment Competitive and vibrant market,
and cost of sale entry barriers open to innovation with lower
barriers to entry resulting from
the availability of IaaS and PaaS
Procurement Lengthy and costly for buyer Easy, rapid selection from pre-
and seller accredited, pre-procured
frameworks based catalogue
and minimum transaction cost
Requirements Largely customised and unique Largely standardised and
aggregated
Intellectual IP retained and resold by Incentive to sell services which
property supplier share or reuse retained IP
Contracting Multiple vehicles, multiple Single method for contracting for
departmental contracts an agreed basket of services,
incentives for departments to
use
Supplier Piece-meal – procurement by Pre-accredited: commercial,
Accreditation procurement, via standard (or technical, security
non standard PQQ
Security, Organisation based risk Shared risks to services and
Assurance, Risk management information across
Management organizational boundaries,
Corpus based risk assessment
and (some) management

3.5 Re-use and re-deployment


3.5.1 G-Cloud will enable the re-use and sharing of infrastructure (data centres), applications and
components across the public sector. This builds on the common multi-supplier network infrastructure
to be provided by the Public Sector Network (PSN).
3.5.2 G-Cloud will rely on aggregated and standardised requirements to create a commercial
model that supports re-use, treating the crown as a single customer and incentivising suppliers to
provide services which share or re-use retained government IP in the cloud.

V2.5 UNCLASSIFIED Page | 12 of 64


3.6 ICT Collaborative Procurement Strategy
3.6.1 The collaborative procurement programme led by the Strategic Stakeholder Forum (SSF)
through the ICT Collaborative Category Board, and administered by the Office of Government
Commerce (OGC) targets six categories of expenditure on goods and services which are commonly
bought across the public sector. It aims to bring all parts of the public sector into a single governance
structure, where government can derive maximum value from its common spend by approaching the
supply market in an appropriate and coordinated manner to achieve total savings of £7.7 billion by
2013-14.
3.6.2 Current government spending on ICT is approximately £13.9bn annually (estimated at £16bn
when staff costs are counted) with a forecast IT / Back Office saving through Collaborative Procurement
of £1.6bn by 2014.
3.6.3 Key initiatives in ICT collaborative procurement are:
Aggregating and leveraging accredited deals through new contracts and the use of e-Auctions to
increase purchasing leverage.
New ways to buy: utilising frameworks and shared services to deliver increased value for money and
greater leverage for government on ICT procurements.
Demand management: Curbing new procurements through clear procurement roadmaps and
increasing take up of best practice tools.

3.7 Commercial vehicles


3.7.1 The commercial vehicles used to procure G-Cloud services must ensure a range of services
from suppliers operating in an open competitive market with common terms for all customers, limiting
where possible the barriers to entry whilst ensuring that suppliers can deliver to the scale and
specifications required. Transaction costs for purchases must be minimised and transacting should be
standardised, simple and fast for both parties to achieve this objective.
3.7.2 It is also recognised that a choice of pricing and business models will evolve to meet the
differing needs of the market, reflecting for example the more stringent procurement and service
specification requirements of higher Impact Levels. Frameworks should be designed for specific
categories of service.
3.7.3 Whilst offering alternative purchasing models where capex may be moved towards opex and
the services and components purchased may be significantly different from traditional models in terms
of the units purchased it should be recognised that with the new models there will be a greater
awareness or skill required by the purchaser as the newer flexible models may actually have a greater
cost if not purchased in the right way. For example, offering the flexibility to purchase an application to
sit on an infrastructure that is charged by the amount of CPU consumed may be very expensive if that is
a CPU intensive application.

V2.5 UNCLASSIFIED Page | 13 of 64


Commercial Principles
The purpose of the commercial principles is to establish and run an open and successful
market, with an under-pinning commercial framework that supports transition to cloud
computing and cloud sourcing enabling sustained lower costs, improved agility and
better service.

Commercial principles fall into two areas, those required to establish an open market, and those
required to successfully run it.
The commercial principles set out here are designed to ensure that the commerce of the G-Cloud and
Government Applications Store operates in ways close to the developing commerce of public clouds.
This should ensure that, as government procurement of technology-based services from public clouds
develops, it can so do in ways that naturally integrate with procurement of such services from the
nascent G-Cloud.

4.1 Establishing an open market:


Make change simple and easy to achieve
Description Commercial and technical transfer into and out of the service will
be a simple and open process.
Limited contract terms will be determined by service category.
There will be a choice of supplier and there will be market
restrictions to counter monopolistic approaches
Objective To create a marketplace where purchasers can switch easily
between providers at the end of contracts, or where a provider
under-performs
Limited contract terms determined by category e.g. no tie in for
personal productivity applications, limited tie in for infrastructure
Methods Minimise termination penalties
Open standards determined by category
Make clear that levels of complexity will vary within the cloud
markets and this will have implications within those markets
Determine government appetite and likely level of participation
(transition workshop)
Determine, from ICT industry perspective, level of business
needed to establish attractive marketplace (concept viability)

Make pricing transparent and comparable


Description The supplier will offer a common set of terms, and single lowest
price to all government customers contracting for a given service.
The services provided will be priced on a pay for use, utility or
subscription model, with all costs scalable and transparent at
point of contract
Objective Pricing should incorporate and make visible all additional service
charges, or costs of change
Pricing should reflect total cost of service and be priced on a
utility model by a measurable unit (transaction, user, month,
capacity)
Initial and periodic benchmarking
Lowest price per unit for all public sector bodies for any given
service
Drive competition in infrastructure category through innovative

V2.5 UNCLASSIFIED Page | 14 of 64


approaches
Standards will drive easy to use, commoditised services by
category
Methods Development of different price models for different categories
(IaaS, PaaS, SaaS, AaaS) and for different Impact Levels with
defined units of commodity
A coherent pricing architecture that supports transparent and
comparable pricing whether buying by component or by
aggregated service
Encourage innovative pricing models
Benchmarking and market forces
Compliance with the pricing architecture will be a pre-requisite for
G-Cloud suppliers

Make it quick and simple to buy from the cloud


Description Transacting should be standardised, simple, and low cost for
both buyer and seller
Trial of services should be supported prior to purchase where
appropriate
Objective To minimise the transaction cost for purchase of service through
the cloud for all parties
Transacting should be standardised, simple and efficient for all
parties
Minimising procurement process whilst maintaining legal
compliance
Methods Commercial arrangements should be designed for categories of
service to incorporate simplified legal requirements
Standardised version of Ts & Cs for G-Cloud would be optimal
incorporating legal concepts determined by the commercial
arrangements
Analysis of optimum contract lengths

Create an open market for each service category


Description There should be no undue barriers to entry to the supply of
services to the marketplace
Service providers will allow open access to necessary platforms
to all accredited 3rd parties to develop applications for provision
Objective Ensure a competitive open market
Ensure that suppliers can deliver and scale what is being sold
Limit the barriers to entry
Methods Communicate the G-Cloud objectives to the wider supplier
community
Identify and brief relevant suppliers new to UK Government work
Establish a code of conduct laying out expectations and
responsibilities of all participants
Establish a G-Cloud Authority
App Store and G-Cloud should be available to all entrants
provided that they meet certain criteria including:
Service validation – scale, transact, measure, sustain and secure
Make clear that levels of complexity will vary within the cloud
markets and this will have implications within those markets
Business probity – appropriate commercial (financial standing
and viability) and ethical standards.
Standards should be open and published to include technical, IA
V2.5 UNCLASSIFIED Page | 15 of 64
and service management/integration.

4.2 Running a successful market


Encourage and enable reuse of IP and services
Description The marketplace will look to standardise the provision and
consumption of services to drive the greatest savings through the
reuse of IP
Standards for data, interfaces, architecture and usability will all
be published
Objective The Crown being treated as a single customer
To create a commercial model which incentivises government
and suppliers to facilitate collaboration, sharing and reuse of
services assets, licenses and IP
A market that is accepted as demonstrating best value2 by all
government stakeholders including HMT
To create the market of choice for re-usable services
Licences are paid for only once
Methods Compliance with established OGC collaborative guidelines
Measured through OGC collaborative procurement targets
Create a marketplace where purchasers can post requirements
to be fulfilled by G-Cloud service providers
Education of HMG‟s buying community
Exploitation rights and extension of IP to suppliers where
desirable
Owners of public sector data sets will allow, enable and
encourage re-use of the data sets by other trusted public sector
organizations, where relevant and possible.

Provide a mechanism to manage the process


Description An Authority will be established to govern the conduct of
suppliers and customers within the G-Cloud marketplace.
Accreditation of services and service suppliers will ensure entry
conditions are met and minimum standards are maintained.
Objective To protect customer and provider with comfort that the service
represents their interests fairly
To ensure that all players adhere to the rules and principles of
the G-Cloud.
To establish a place of arbitration/recourse for disputes within the
system
Methods Establish an Authority to act as ultimate arbiter, and to uphold
spirit of principles
Authority should represent the interests of government and
suppliers
Ensure supplier behaviour is managed to ensure the G-Cloud
continues to be a viable and attractive market place
Ensure clear policy set for government behaviour to deal with e.g
non-standard requirements

Encourage compliance as the default position


Description Suppliers and user organisations are to comply with a mandatory
governance and operating model

2
Best Value is an evaluation of features, functionality and price against requirements
V2.5 UNCLASSIFIED Page | 16 of 64
The marketplace will be the principal forum for the sourcing and
supply of cloud services for government. Purchasing outside of it
should be by exception
Objective To ensure that once a viable marketplace exists, government
departments use it
No duplication of sales costs for suppliers
To actively incentivise compliance and discourage non
compliance
Methods Create a simple and easy route to market for G-Cloud services
Create audit and compliance activities for the G-Cloud by
category of service
Ensure that a process exists to discourage non-standard choices
Adoption and savings should be linked to recognisable OEP
targets
Determine flexibility within existing contracts and encourage
commercial partnerships to deliver cloud model today
Collaborative Category Board and formal peer reviews
UK public sector organizations will be expected to use G-Cloud
services as their first choice where available, and where they fit
their business need: purchasing outside of it should be b y
exception.

Provide a clear commercial roadmap for transition


Description Suppliers may transition and transform existing contracted
services to cloud services within the bounds of existing contracts.
Different commercial models will emerge to accommodate these
migrations.
Objective To encourage incumbent providers to transition service (and
migrate business model) where relevant prior to the expiry of
contracts
To take into account the need for large scale transformation of
legacy to allow data centre consolidation and build critical mass
in the G-Cloud
To allow government and suppliers to transition business models
to cloud principles quickly to meet OEP targets
Transition seen as low risk to key government and industry
stakeholders
Methods Transition costs articulated and factored into risk/benefit
equations.
To encourage and allow different commercial principles to hold
for transition proposals, i.e. contract renewals, longer contracts
whilst critical mass is built up
Paying a premium during the transition period to non-continuing
data-centre suppliers in certain circumstances
Intercept of existing contracts if superseded by cloud services
where there is a strong economic case
Ensure strong governance of suppliers during transition process

ANNEX A – Detailed commercial principles for software and open-source


ANNEX D – Procurement challenges

V2.5 UNCLASSIFIED Page | 17 of 64


4.3 Range of services
The cloud will be comprised of multiple services each requiring its own commercial
approach and responding to different market conditions. Markets will be determined by
family of service (IaaS, Paas, SaaS) and each will have different rules of engagement for
customers and service providers.

4.3.1 The cloud will be comprised of multiple services each requiring its own commercial approach
and responding to different market conditions. Markets will be determined by family of service (IaaS,
Paas, SaaS), level of complexity and each will have different rules of engagement for customers and
service providers. The following schematic is not definitive, but is intended to illustrate how key factors
will influence cloud market rules of engagement.

Increasing security
Complexity: impact level
level;and
threat; compliance

Cloud
Layer
Impact
Level IL0 IL1 IL2 IL3 IL4

SaaS
Commoditised buying:

Competition
Dynamic Purchasing Systems:

PaaS

Potential for term


contracts:
IaaS

COST

4.3.2 The commercial implications of “Operate as a Service”, will need to be explored in more
detail during Phase 3 of the programme, but as a minimum, it is expected that there will be “Integrated
Service Managers” (ISMs) will comprise part of the G-Cloud service offering.

ANNEX A- Detailed commercial principles for software and open-source

V2.5 UNCLASSIFIED Page | 18 of 64


5. Making it Happen
The logical starting point is the accelerated virtualisation and consolidation of existing
computing facilities (the initial consolidations), along with new competition. Commercial
performance requirements will be well communicated to existing government suppliers.
In parallel, there will need to be a determined government change initiative to ensure
motivation and commitment to move to the G-Cloud model. Competition, accreditation
and common standards, along with closely managed transition of some legacy contracts
will build the momentum.

5.1 Transformational challenges


5.1.1 The challenge of making it happen is that there are three simultaneous transformations to
motivate, enable and drive through.
5.1.2 There is a transformation to bring through a blend of virtualisation and automation applied to
the delivery of existing infrastructural (data processing, storage and network) and transactional
(software & applications) services – a transformation already implemented in consumer and some
enterprise services (i.e. Amazon, Google, salesforce.com) and the transformation at the root of the
potential for major operational cost savings.
5.1.3 There is a transformation in the business models of the established government services
vendors to be motivated and enabled, as their existing business models seriously hinder delivery of the
intended operational cost savings – barriers to change here are very real, but the pressure of
competition from vendors already operating the new business models can be used as a powerful
change lever.
5.1.4 And, most key, there is a very significant transformation to bring about in Government and
Departmental approaches to services procurement if the potential major operational cost savings are to
be realised in practice.
5.1.5 Thus there are a number of specific activities that need to be undertaken through existing
governance to ensure a structured series of rapid transformations, building momentum towards
realisation of the commercial benefits of the new ways of working. We have structured these activities
as follows, starting with four working assumptions followed by a further six supporting developments.

5.2 Four key working assumptions


5.2.1 These key assumptions define key aspects of the policy and strategic procurement
framework necessary to enable and drive through the three simultaneous transformations. From the
start the objective is development of a (‘private’) G-Cloud that is as open as possible to draw on, and to
have to compete with, services sourced from established ‘public’ Clouds. Strategic commercial
considerations indicate that the further that the Government can position to exploit mixed-use (i.e.
government, private sector and consumer) „public‟ Cloud facilities and (notwithstanding the geographic
constraints imposed by technology) with a less restrictive geographic requirement (thus Dublin and
Shannon as acceptable as Belfast), the more likely it is that the major „new business model‟ suppliers
will be willing to invest competitively as new service vendors to HMG.
Working assumption 1: primary target applications
5.2.2. The major volume of Government business (Government/Local Government) that is best
positioned for initial exploitation is potentially manageable at Impact Levels 3 and below (this needs
confirmation). G-Cloud services will operate from security levels Impact Level (IL) 0 to IL3 inclusive.
IL4 will be added at a later stage where a business case can be developed to utilise a suitable technical
capability..
5.2.3 A key issue identified is that aggregation of IL3 and below can then move the overall security
requirement to IL4 or greater. The methods of managing the risk associated with aggregated impact

V2.5 UNCLASSIFIED Page | 19 of 64


levels will need to be considered in detail in Phase 3. Some of them may be less challenging than
others to manage.
5.2.4 In parallel, standard applications at the best price through use of utility application services –
Software as a Service (SaaS) such as email, office applications, Voice over IP (VoIP) and standard HR,
Finance and Property Management Services will be identified for transition into the Government
Applications Store.;
5.2.5 The objective would be to start constructing the G-Cloud in 2010 – starting at the lower
Impact Levels to solve the “low-hanging fruit” and working upwards towards IL3 as the security issues
become better understood. The overall approach will be determined during Phase 3.
Working assumption 2: standards definition
5.2.6 A set of UK Government Technical & Operational Standards, that define a secure but
commercially open G-Cloud service by competing infrastructural service providers operating at up
to/including IL3:
Open Standards-based with Service Oriented Architecture & integral CESG security frameworks.
Further Technical & Operational Standards that separately scope IL4,
The ability to meet & deliver to the standards will be the basis for the agreed formal registration &
(potentially automated) monitoring process – once thus qualified the service provider competes
within the market place.
The standards will define Technical and Operational minima only, with individual department
functionality potentially exceeding these levels.
Design of the standards must include focus on risk management in the fullest sense - reliability as
well as security etc.
The objective will be to have the initial framework of the standards in place during 2010. This
will be taken forward as a cross-Programme activity during Phase 3
5.2.7 Note that standards definition is being taken forward by the Technical Architecture work stream
together with the Information Assurance work stream
Working assumption 3: shared infrastructure
5.2.8. The standards will enable practical and effective virtual segregation – and thus enable a
supplier to deliver infrastructural services (and apps as services based on the infrastructure) „within the
G-Cloud‟ from a facility that may also be used to deliver services to non-Governmental clients (the
Consumer market, the Enterprise market), in order to optimise the benefits to all parties 3
5.2.9. Thus the objective is that the IL0-3 G-Cloud has secure but flexible boundaries, while
encouraging existing suppliers whose established or new facilities meet the standards to apply for
registration.
Working assumption 4: location of hardware
5.2.10 More likely than not hardware and service management functions will be UK based - at least
initially to meet existing vetting requirements - but there can be no formal commercial requirement for a
UK base, given EU Procurement law, which does not allow discrimination against EU providers, unless
there is a national security exemption.
5.2.11 The formal requirement in the standards framework should be demonstration that if located
outside the UK but within EU boundaries, UK Government interests can be effectively protected through
demonstrated and proven regulatory & legal structures and practice in the country concerned. (In
practice this likely brings EU locations in Ireland, Holland, etc. into play, but excludes those EU locations
considered to be unsuitable).

3
There are however security implications with this approach – see Service Management Work Stream report figure 7.2.1

V2.5 UNCLASSIFIED Page | 20 of 64


5.2.11 The objective of this is to encourage new investment in highly efficient facilities that will offer
the best service economics to the Government.
5.2.12 A detailed analysis of the risks and issues concerning the location of information, services
and the management of services start at Phase 3. Various legal and statutory Technical Architecture, IA
and Commercial risks need to be assessed before agreeing a set of principles on this overall issue.

5.3 Features of the journey


Starting point
5.3.1 The logical starting point for the transformational journey is the accelerated virtualisation and
consolidation of existing computing facilities within the bounds of existing contracts (the initial
consolidations, through natural contract break points and technology refresh points, although this does
not exclude new competition, which may take place in parallel (see section on Competition below),
along with the identification of standard applications. .
5.3.2 The standards framework will ensure that the further consolidation between the initial activity
into the next generation consolidation is positively facilitated - and that the development of flexible
migration of computing loads between the consolidations on a commercial basis can rapidly become the
norm.
5.3.3 The Government Applications Store should be designed to positively encourage and
commercially motivate the early identification of those standard applications that logically can be rapidly
evolved into generic across-government applications (thus desktop services, HR services, payroll and
so on).
5.3.4 As the virtualisation and consolidation of existing computing facilities into the initial
consolidations takes place, the immediate objective will be development of an applications platform
running across the initial consolidations onto which the common applications can be migrated as they
are developed and access to potentially externally-sourced common applications facilitated.
5.3.5 The more departmental-specific legacy applications that will require investment to make
them G-Cloud ready will remain pro-tem being run on infrastructural services drawn from the G-Cloud,
or where migration is unachievable a “segregated” section within an approved data centre. (The
development of flexible migration of computing loads between the nodes will be applied to real benefit
here.)
Communication and supplier choice
5.3.6 The commercial performance requirements that government is expecting the nascent G-
Cloud to deliver (pricing, flexibility, service levels, risk management, strategic commitment etc) should
be well communicated to all existing suppliers with government contracts.
5.3.7. The purpose of this exercise is to encourage them to make the key strategic decision:
„Are we going to be committed „G-Cloud‟ suppliers of infrastructural services‟; or
„Are we going to position to deliver value-add services elsewhere on the value chain‟.
5.3.8 This requires an effective commercial process that will allow those that elect to „move out‟ to
pass that part of their contracts onto those that elect to stay in (and this process would need to be
supported by a strong business case). This should be encouraged to happen rapidly as it has the
potential to help optimise the way the initial nodes develop.
5.3.9 This also the requires an effective commercial process that will allow the existing contracts
of those who elect to stay in to address the costs of accelerated virtualisation and consolidation to
create the initial nodes, and the sharing with government of the early benefits of the virtualisation and
consolidation.
Public sector change initiative
5.3.10 In parallel, there needs to be a determined governmental organisational and cultural change
initiative with the objective of ensuring the motivation and commitment to move the sourcing of services

V2.5 UNCLASSIFIED Page | 21 of 64


and applications into the emerging G-Cloud and on to the Government Applications Store platform in
the G-Cloud.
5.3.11 This needs to be at both departmental level and at local government level. Success will be
essential to the success of the G-Cloud initiative.
Competition
5.3.12 Government‟s core objective for the G-Cloud at the infrastructural services level should be to
strongly encourage the development of a landscape of competitive suppliers who have a strategic
commitment to the infrastructural services market place.
5.3.13 Alongside the development of the initial nodes, new capacity for standard compliant
infrastructural services should be encouraged from by existing suppliers of these services who may not
have been government suppliers hitherto, or by new ventures who invest with the „G-Cloud‟ opportunity
in view.
5.3.14 Thus the standards framework and related approval and registration process should be open
and cost effective from the point of new entrants. The implementation of the points above will make the
G-Cloud a more attractive investment proposition, especially for the new market entrants coming from
the consumer market space.
5.3.15 Such new investment will always see the UK government service market opportunity only as
a part of the underlying investment case as the potential market size is not large enough to justify new
investment on its own. The G-Cloud opportunity will thus be an adjunct to a wider investment thrust that
includes consumer and enterprise market opportunities.
5.3.16 Competition between the established players who take on the challenge of virtualising and
consolidating the existing government data centre resource into the initial nodes and the new entrants
with new investments will speed the further consolidation of the initial nodes into genuinely world class
competitive facilities - the second generation nodes.
Accreditation and standards
5.3.17 An open and cost effective standards approval and registration process will also speed the
population of the intended Government Applications Store by enabling the rapid selection, development
and roll out of Common applications in the G-Cloud. It will also enable the early sourcing of certain
applications that already exist „in public clouds‟ but are fit for government use and so can be beneficially
recruited into the Government Applications Store.
5.3.18 The more departmental-specific legacy applications that will require investment to make
them G-Cloud ready will then require „transformation‟ to make them fit for migration into the G-Cloud.
Transition of contracts
5.3.19 There needs to be a clear timescale for migration from the established government/supplier
procurement practice of term contracts to the cloud „on-demand‟ commercial practice (which is not
necessarily based on term contracts but on a robust commerce of „source as and when required, pay as
used‟).
5.3.20 While this development will require a major investment of effort within the context of current
EU-influenced procurement practice – and, potentially, high transition costs to government (depending
on the route chosen these could include termination charges, buy-out costs; management time,
professional support, redundancy, and re-training costs), it potentially sharply reduces the costs of
procurement for both government and its suppliers.

5.3.21 Some of the potential new entrants into the infrastructural services and common applications
market spaces will operate this „on demand‟ commerce from the start, as it is integral to their low-cost
commercial models.

ANNEX C - Data Protection, including consideration of the US Patriot Act

V2.5 UNCLASSIFIED Page | 22 of 64


5.4 Industry investment options

Whilst government is looking to drive down costs and improve delivery, the ICT supplier
will be seeking to provide services through the development of profitable business
models. Key drivers for both government and suppliers will determine the options for
investment:
Build it and they will come
Wind down to transactional charging
Do nothing – no business case exists
Provide existing industry investment for demand consumption
Funded development where a service is unique to government

5.4.1 In order to understand the options for investment we must first understand the drivers for
both the government customer and the supply side. Government is looking to drive out costs from the
provision of services that rely upon IT for their provision, and improve the delivery of service to the
citizen. The supplier is looking to provide services to the government through developing and delivering
profitable business models.
5.4.2 The traditional approach to drive down costs has been to procure services through a process
of competition by adversarial bidding and selecting a single supplier to deliver that particular service,
with tight controls around the procurement to ensure best value is derived. This approach has a
number of challenges, including the need to define clear requirements up-front, lock-in to the supplier
for an extended duration and the ongoing reliance on the supplier to make changes (where price cannot
be so easily controlled). The high cost of procurement borne by both customer and bidders alike is
factored into the eventual costs paid by the customer.
5.4.3 These drivers during the procurement phase work to make contracts as all-encompassing as
possible to minimise ongoing drain on resources, provide cover for risk, and remove the difficulties
associated with production of detailed specifications up-front. This approach gives rise to huge multi-
million pound service contracts for provision of an end-to-end service.
5.4.4 In the UK in particular, evidence shows that the large IT service provider community takes a
significant share - 72% for the top 20 suppliers according to Kable4. This is in part due to the challenge
faced by the SME community in contracting directly with government for the full range of services
required to run an end-to-end service, and an inability to afford the investment and risk profile of bidding
for large contracts.

This Table removed under section 21. The data contain is publically available from
www.kable.co.uk

5.4.5 One of the many consequences of cloud computing and cloud sourcing is to change the
procurement model to one where competition potentially remains present for the supply of the service,
rather than only during the initial procurement phase. Such multiplicity of supply forces a provider to
ensure continual best value and drives the adoption of innovation in order to achieve this. Multiplicity of
supply can only be achieved however when it is possible to commoditise and easily define the service

4
Source: Kable – the supplier landscape in the UK public sector market place 2007.
V2.5 UNCLASSIFIED Page | 23 of 64
required (standardisation), and for this to be achieved requires the break-up or modularisation of
complex services into smaller, more discrete packages of service.
5.4.6 This approach drives very different behaviours for both supplier and customer side.
5.4.7 A competitive landscape means it is in the supplier‟s best interest to ensure any product or
service is well maintained, reliable, low cost, easily changed, and rich in features. By these means
market share can be defended against competition and the margin delivered from the investment in the
product or service is maximised. These are all the attributes desired from a traditional procurement
process, but in reality rarely achieved as demonstrated by subsequent change notice costs frequently
exceeding the initial contract value.
5.4.8 The new world of the cloud drives the supplier to make a fundamental choice: to be a highly
competitive manufacturer of standard generic services („edge‟ in the factory economics) or to be a
supplier of specialised services (‟edge‟ in intimacy with the client‟s very specific requirements).
5.4.9 It is always in the customer‟s best interest to ensure free-market competition exists and in
addition that a healthy balance of market share exists between those in the market place. This can be
undertaken with simple volume or value restrictions on contracts that can be awarded to a single
supplier, or a more involved (and therefore costly) regulatory input.
5.4.10 In order to create a competitive marketplace, the customer (or independent standards body)
must mandate standards against which all players can adhere and the assessment of differentiated
services is undertaken by an intelligent buyer.

Business Case Options


Business Case options build up incrementally from the Do Minimum base case (Option 1).

Option 5: G-Cloud for New Work Option 6: Hybrid G-Cloud with


with Legacy Application Transition Legacy Application Transition

Option 3: G-Cloud for New Work Option 4: Hybrid G-Cloud

Option 2: Data Centre Consolidation

Option 1: Do Minimum

Option 1 Do Minimum
Description Government continues with current devolved approach, with individual departments
undertaking in-flight application and infrastructure rationalisation and cost reduction.
Investment Where no new business case exists for the transition, it is reasonable to assume
implications that the status quo will be maintained, with incremental improvements within
departments. Government investment will be required to uplift individual data
centres or to outsource on a tactical basis
Comparison Pro Con
No additional investment is No driver to deliver step-change cost reductions
required. for the majority (>70%) of existing applications.
No change in the baseline cost No potential for a rapid reduction in operational
profile. Expected spend will costs. Retained systems would continue to
continue as planned so budgets require technology refresh and risk
are well known and not subject obsolescence.
V2.5 UNCLASSIFIED Page | 24 of 64
Option 1 Do Minimum
to a transactional variation.
Long term cost reductions from
the gradual introduction of new
applications.
No additional effort anticipated. Difficulties would remain in the integration of old
and new systems.
Steady progress towards Unlikely to achieve some of the major transition
transition. barriers (such as VME operating system deadline
in 2020) within the desired timescales.
Matches existing skills

5.4.11 For Option 2, data centre consolidation, rationalising the data centre estate only to a smaller
number of appropriate UK facilities with virtualisation within but not across departments (the initial
nodes), a traditional funded investment model may be applicable.

Option 2 Funded development for “Traditional Model”


services unique to
government
Description There is no reason why a traditional design-build-operate contract would not be
awarded, if the service was truly unique, but all future new development should
make use of existing re-usable services where possible to reduce costs. Suppliers
should be mandated to utilise common infrastructure services.
Comparison Pro Con
Process of procurement well Retains a CAPEX element by government.
understood by both supplier and
customer.
Costs should reduce in line with Unlikely to drive fragmentation of the application
increasing re-use. development lifecycle, and unlikely to introduce
competition.
Procurement costs well Requires standards for the elements that have
understood, and enforced re- re-use, but likely to result in single-source supply
use should drive reductions. and minimal competition.
Timescales are as per existing Lengthy “boil the ocean” procurement processes
projects and driven by and long lead-time delivery of services.
procurement.

5.4.12 Options 3-6, involve private or hybrid cloud implementations with virtualisation across
departments, shared consolidated data centres and automated processes, providing a multi-tenanted
infrastructure with elastic scalability. In the transition to these environments a range of alternative or
complementary investment models may be applicable.

Options 3-6 Supplier investment “Build it and they will come”

Description In this model, the supplier shoulders the capital expenditure costs for the
development or transition of a service into the cloud, and expects a transactional or
rental charge from the continued usage of the service from the customer. In order to
achieve a level of competition, a formal specification of the requirement needs to be
provided by the customer along with the desired service levels.
Comparison Pro Con
No CAPEX costs to government, and The supplier shoulders the risk for the
indeed it would be normal practice for the development, particularly if there is no
owner of the IPR to be the supplier, so commitment to purchase from the
there is potential for the purchase of the customer and therefore this cost will be
IPR for existing services from passed onto the customer in the resulting
government. transaction price.
Pricing retains an element of competition Pricing on a transactional basis will lead
as once a specification has been to greater costs in the longer term unless
created, others can be invited to offer the competition can drive these costs out

V2.5 UNCLASSIFIED Page | 25 of 64


Options 3-6 Supplier investment “Build it and they will come”

same service. ahead of time.


A specification for the service would only Initial effort to extract a specification for a
need to be created once, and refined as legacy application may be costly and
time passes – this would increase the likely to require effort by the incumbent
ownership of the process by government. supplier who is unlikely to be co-
operative without financial incentives as
it represents a threat to future revenues.
Potential for transition ahead of any Timescales driven by the supplier and
contract termination period as it is in the their ability to fund the purchase of IPR
interests of the supplier to transition if the and transition the services
business case exists

Wind down to transactional “Necessity is the mother of invention”


charging
Options 3-6
Description In this model the supplier of an existing service is given a limited time period before
a transactional charging scheme would apply, and the per-transaction costs would
be pro-rata the current charges (e.g. 75% after year 1, 65% after year 2 etc..). This
creates a significant driver for the supplier to reduce costs ahead of the impending
deadline to retain margin.
Comparison Pro Con
No CAPEX costs to Risk of the supplier endangering service by
government. It remains a cutting costs inappropriately to maintain margin
possibility that the supplier faced with the reductions in revenue.
would want to purchase the IPR
of an existing system.
The costs would be known to Unlikely to result in competition for legacy
reduce (given consistent application delivery unless a detailed
volumes) over time. specification is made available as part of the
transition.
Minimal effort required by Extensive effort required by the supplier, and it
customer, other than to re- may just be easier to offer up termination which
negotiate contract terms. would leave the situation untenable.
The government would be in Supplier may have limited resources available to
control of the timescales for perform any transition activities.
transition.

Options 3-6 Direct purchase “Platform purchases”

Description In this model the supplier would provide existing IPR investments for consumption
on-demand by the customer. Most applicable for commodity items such as e-mail,
printing, CRM and other platform services.
Comparison Pro Con
No large up-front investment. No innovation and minimal competition will be
unlikely to drive cost downwards.
Pervasive usage will drive costs Risk of lock-in to a supplier or monopolistic
down with tiered pricing for practices.
utilization
Minimal effort involved Transitioning existing licences would require
additional unplanned effort.
Quick to place on a catalogue Takes time to drive adoption and standardisation.
or framework.

5.5 Commercial mobilisation and in flight contracts transition models

V2.5 UNCLASSIFIED Page | 26 of 64


An open, competitive market is fundamental to the G-Cloud commercial model. There
are a number of options for legacy transition, which will be considered on a contract by
contract basis, balancing risk and opportunity, and with due accordance to commercial
and contractual probity. HMG is seeking to benefit from early adoption of G-Cloud
pricing models, and an interim G-Cloud benchmark will be set to encourage a determined
approach to price transparency.

5.5.1 Basic assumptions


5.5.1.1 Successful commercial mobilisation for data centre consolidation and transition to the
applications development store is predicated on a number of basic assumptions:
Appropriate level scene setting and communication has taken place with suppliers.
A basic information architecture, standard specification and interim benchmark will be used to
set a cloud infrastructure price target prior to formal competition/procurement being run.
Existing data centre suppliers should be encourage to move towards cloud pricing as soon as
possible.

This may include accelerated transformational activity for data centre suppliers who wish to
continue to provide these services into the G-Cloud model and transition from one supplier to
another where a supplier does not wish to continue.

A commercial model will need to be developed in Phase 3 which takes into account the cost of
transformation and who bears this, but some of the tools available to HGM to encourage the
migration include extension of contracts where this can be undertaken within OJEU limits, scope
movements between suppliers (ditto) and shared risk/reward models that share the benefits of
accelerated transformation.

New data centre suppliers (without current contracts/frameworks) can, subject to same
constraints, enter the market early, but only as a sub-contractor or within OJEU procurement
limits until formal competition/procurement has been run.
Government may choose to intercept current commercial arrangements where there are
appropriate commercial triggers and a sound economic case (termination charges and buy-out
costs could be high), with viable alternative products already available in either the private or
public cloud.
In some cases, existing suppliers who do not wish to continue providing data centre capacity can
be encouraged to move this element of their contracts to another supplier by being paid a
transition premium for a period of time – the revenue will reduce and eventually disappear but
they will at least have a “soft landing”
Government benefits from early adoption of cloud benchmark pricing and generates some seed
corn funding from technology refresh and indexation provision funds held in supplier financial
models (which can be change controlled out) and from saved procurement costs.
Legacy transition will be considered on a case by case basis, balancing risk, opportunity, and
the cost of transition to government, with due accordance to commercial and contractual probity.

5.5.2 Data centre consolidation and commercial transition


Interim cloud benchmark
5.5.2.1 The initial information architecture and market segmentation needs to be finalised in order to
set an interim G-Cloud benchmark, which recognises the base unit prices achievable in the public cloud,
and also the cost drivers that will be unique to G-Cloud (e.g. IL, need for additional commercial “wraps”
to ensure compliance with EU law and guidance). Within this, there are a number of options:
Use the established public cloud provider pricing as the starting point
V2.5 UNCLASSIFIED Page | 27 of 64
Use established best pricing from existing public sector IT services suppliers
Commission benchmarking to set interim benchmark based on current data
5.5.2.2 It is recommended once the Interim benchmark has been established; an ongoing
benchmarking exercise will continually refresh the target achievable with the new pricing models.
5.5.2.3 Note: CSR7/CSR10 - Acceleration within the bounds of in-flight contracts and movement
towards interim cloud benchmark by infrastructure supplier (continuing) - i.e. a supplier who will be
delivering data centre services in the future and currently owns and delivers data centre assets and
infrastructure services.
5.5.2.4 A period of intensive contractual analysis would be required to agree prioritisation and legal
status, and technical and commercial standards will need to be set and understood to establish the
initial consolidations:
Voluntary acceleration (e.g. consolidation, virtualisation etc) within in-flight contracts
Move infrastructure to cloud benchmark progressively through CSR7/CSR10.
Early adopters could be at a technology refresh point, end of contract/extend point or other
“intervention” point.
HMG strips out any technology refresh/indexation monies in financial model and retains savings
from moving to cloud benchmark (assume saving)
Infrastructure supplier (continuing) could market services to other government contracts where this
is legally possible. This would provide first mover advantage to the supplier and provide early
savings to government.
Existing infrastructure contracts which are moved to interim cloud benchmark price are extended
where possible or desirable (including potential renegotiation of price), but to minimise the risk of
perceived market distortion/supplier “lock-in”, the quid pro quo for a contract extension could be the
bundling of aggregated requirement for open competition in the G-Cloud market.
No transition fee (or premium) payable to supplier
This establishes the “initial consolidations”.
5.5.2.5 Note: CSR10 - Infrastructure supplier (non-continuing) i.e. a supplier who currently
owns/delivers data centre assets but who does not plan to deliver cloud infrastructure services in future.
5.5.2.6 This option is predicated on the commercial performance requirements that government is
expecting the nascent G-Cloud to deliver (pricing, flexibility, service levels, risk management, strategic
commitment etc) should be well communicated to all existing suppliers with government contracts.
The purpose of this exercise is to encourage them to make the key strategic decision:
o „Are we going to be committed G-Cloud suppliers of infrastructural services‟ or
o „Are we going to position to deliver value-add services elsewhere on the value chain‟.
5.5.2.7 This requires an effective commercial process that will allow those that elect to „move out‟ to
pass that part of their contracts onto those that elect to stay in, assuming there is a strong supporting
business case. This should be encouraged to happen rapidly as it has the potential to help optimise the
way the initial nodes develop., and Government would experience actual price reduction.
5.5.2.8 The supplier could stay locked into present contract but would not get any transition
premium or any extension, other than as set out in contracts. Alternatives are:
Transition to future (continuing or new entrant?) infrastructure supplier within x years.
Retain overall client contract (for infrastructure element) for the full x years.
Future infrastructure supplier charges incumbent at interim cloud benchmark rates.
Incumbent can charge a transition premium for the x years.

V2.5 UNCLASSIFIED Page | 28 of 64


Future infrastructure suppliers can offer premium to non-future suppliers for early transition such as
an additional payment which they fund themselves.
5.5.2.9 There will be early opportunities for new infrastructure suppliers to enter the market. Subject
to meeting basic accreditation standards and the interim benchmarks, new suppliers can provide
services as a sub-contractor to an infrastructure supplier or direct where this falls below OJEU
procurement limits. However, entrance to the full market will be via a regulated procurement or existing
framework.
ANNEX D – Procurement Challenges, ANNEX E – Commercial transition model
ANNEX F – Key risks

5.6 Legal and procurement related considerations


Procurement law will apply to most of the activities anticipated, and all normal rules will
need to be followed. It will be important to get this right at the outset. This is particularly
the case given the arrival of the regulations implementing the Remedies Directive on 20
December 2009. This puts an increasing emphasis on the use of legally compliant
procurement vehicles.

5.6.1 Procurement law will apply (in the normal way) to most of the activities anticipated
(technology services generally are Part A and so will be subject to the full regime). This means that
where the Cabinet Office, OGC or another Contracting Authority (as defined by the procurement
regulations) undertakes a procurement of technology which is over the financial thresholds, then all the
normal rules will need to be followed.
5.6.2 This in turn means that a formal competition will need to be commenced (with a carefully
drafted OJEU, reflecting the purposes for which the technology is being procured). The OJEU should
be sufficiently precise to attract the right suppliers, but sufficiently wide to (1) allow use by a wide range
of Contracting Authorities (the Sprint II OJEU is a useful example for this approach), (2) attract the right
suppliers, through the use of the correct main CPV code and supplementary codes.
5.6.3 Any OJEU will need to reflect the chosen procurement route (open, restricted or competitive
dialogue) and it is likely that either restricted (where requirements are known and negotiation not
needed) or competitive dialogue (where applicable, and where the requirements are complex) will be
the most often used procedures.
5.6.4 Part of the decision regarding which route to follow will be influenced by time available - a
competitive dialogue will inevitably take a number of months to complete.
5.6.5 In some cases, such as those anticipated by the Quick Wins stream, procurements may be
below the relevant threshold, allowing direct procurement of relevant services from chosen providers.
5.6.6 Whilst the underlying Treaty principles of fairness, transparency, proportionality etc will
continue to apply, procurements below the thresholds mean that the full requirements of the regulations
do not need to be followed, and instead the Contracting Authority will merely need to follow its own
normal procurement procedures.
5.6.7 Of the available procurement routes, the most appropriate will be likely to be the following
(taking each of the three strands in turn):-
For the G-Cloud itself - restricted and competitive dialogue where a full procurement is required, and
existing frameworks where relevant. This will be dependent upon choosing which Contracting
Authority is procuring, and on behalf of which other Contracting Authorities. It will also be
dependent upon the extent to which the requirements for the cloud can be specified in detail. If so,
we recommend a restricted procedure, using contract terms based upon best practice (OGC ICT
Model Agreement and/or Catalist Model Contract terms). In the event that more than one cloud is

V2.5 UNCLASSIFIED Page | 29 of 64


required, perhaps for different levels of data security, it may be sensible to initiate parallel
procurements; simple ones under the restricted procedure and more complex procurements using
the competitive dialogue.
For the Government Applications Store - as above, provided that the degree of applications sharing
is anticipated by the original OJEU. It is important to distinguish between the procurement issues
relating to the establishment of the Government Applications Store, and those relating to
subsequent contributions of applications (and how they are later called-off by contracting
authorities). Further work is required to establish how applications will be contributed, and on what
commercial basis.
For data centre consolidation - two routes: (1) extension of existing contracts (cancel poor contracts,
roll into better contracts) dependent upon the scope of the original OJEU, (2) new procurements /
frameworks as above. For route (1), it will be necessary to locate the applicable OJEU, analyse the
wording (looking for ability to extend scope and length of term), and also to locate the relevant
contract to establish the way in which change control operates under that agreement. For those DC
contracts which are being cancelled, the applicable contracts will need analysis for rights to
terminate and unwind.
5.6.8 To test if a procurement is covered by the standard regulations, there are a number of
simple test questions that can be asked, a useful checklist or methodology for proposed procurements
is shown in the table below:
Question Most likely answers for G-Cloud
Is this a contract for "goods" or "services”? Yes – likely
Is it let by a "Contracting Authority" Yes – likely
Is it over the relevant threshold? Yes – likely
Do any of the exclusions apply? Reg 6 exclusions unlikely to apply
Is it a Part A and Part B? Part A
Choice of procedure: open, restricted and competitive Restricted or Competitive Dialogue
dialogue (and very restricted circumstances in which
negotiated is still permitted)
Decide award criteria: either lowest price or "most MEAT
economically advantageous tender" (MEAT)
Is a relevant framework available? Yes – very likely
5.6.9 Further analysis will be required to establish:
Which services should be procured anew (through new frameworks or new full procurements).
Whether existing frameworks cover the required services.
Whether the OJEU for existing frameworks are sufficiently wide for Government Applications
Store purposes.
Whether existing OJEU of existing data centre contracts are sufficiently wide for DC
consolidation.
5.6.10 It will be important to get this right. Given the excitement surrounding the cloud, and the
perception that the market could become closed to new entrants if frameworks are established, and
suppliers are not able to secure a place on the framework, it seems very likely that procurement
processes will come under close scrutiny. This is particularly the case given the arrival of the
regulations implementing the Remedies Directive on 20 December 2009. It may be that in order to
encourage smaller suppliers to participate (to meet the aims of the Digital Britain report) that the
relevant Contracting Authorities should consider full or partial reimbursement of bid costs (on a
procurement by procurement basis).

V2.5 UNCLASSIFIED Page | 30 of 64


The commercial transition to the G-Cloud model will be determined by the G-Cloud
markets, the existing contractual landscape, the forward demand trajectory, EU and UK
regulation, as well as the evolution of public cloud transacting. Some aspects of public
cloud transacting will always be challenging for the G-Cloud, given the constraints of EU
law and regulation. Nevertheless, the scale of opportunity is substantial. It is
recommended that HMG works with its European colleagues to influence those aspects
of EU law and regulation which will inhibit full realisation of the benefits

ANNEX B – TUPE implications, ANNEX C – Data Protection, including consideration of the


US Patriot Act , ANNEX D – Procurement challenges, ANNEX F – Key risks

V2.5 UNCLASSIFIED Page | 31 of 64


Summary of Risks

The benefits of the adoption of the data-centre consolidation, G-Cloud and


Applications Store for government strategy are clear. Realising these benefits will
require a transformational journey for the UK public sector and, to a lesser degree,
the ICT industry.
Some risks will be relatively straightforward to resolve, others will be challenging.
All will require resource, innovative thinking and analysis to enable the detailed
understanding that in turn will drive the development of effective and credible
mitigation plans

6.1 The benefits of the adoption of the data-centre consolidation, G-Cloud and Applications
Store for government strategy are clear, with the potential for substantial efficiency gains. Realising
these benefits will require a transformational journey for the UK public sector and, to a lesser degree,
the ICT industry.
6.2 Key risks are set out in detail at Annex F. Some will be relatively straightforward to resolve,
others will be challenging. All will require resource, innovative thinking and analysis to enable the
detailed understanding that in turn will drive the development of effective and credible mitigation plans
6.3 The stakeholder community is wide ranging – encompassing both the public sector ICT and
procurement communities, as well as the ICT industry – both incumbent and prospective suppliers.
Risks and issues can be broadly categorised under a number of headings:
Constraints imposed by EU and UK procurement law and guidance – in particular the risk of
challenge and the implications for competition law
Costs and risks associated with transition to the new model, which could diminish the appetite
of the public sector and industry alike
A need to better understand the respective cost drivers for public and G-Cloud, and the
implications for pricing options (e.g. can government and industry enterprise really manage a
“pay for use” model?)
Risk, accountability and governance: these are key questions for public sector stakeholders
which must be answered during the next phase of the programme.
6.4 Chapter 7 – Key Recommendations and Next Steps – makes recommendations for the
next phase (Phase 3) of the programme, with particular emphasis on resolving the risks set out
above.

ANNEX D – Procurement Challenges


ANNEX F – Key risks
ANNEX G – Recommended commercial activities for Phase 3

V2.5 UNCLASSIFIED Page | 32 of 64


7. Key Recommendations and Next Steps

Commercial transition to the cloud will be complex, potentially costly, and in some
cases challenging from a procurement perspective. Nevertheless, the benefits are
expected to be substantial. The key challenge will be in managing the up-front
investment to realise the benefit – regardless of where the investment is derived.
Full realisation of the benefits will be dependent on the determination of the commercial
and contractual migration plans, the development of viable contractual models that
enable transition, gaining an understanding of the cost drivers in both public and private
clouds to enable interim benchmarks to be constructed, motivating and engaging the
ICT industry, and the resolution of a number of key risks and issues.

7.1. Commercial transition to the cloud will be complex, potentially costly and time-consuming,
and in some cases challenging from a procurement perspective. Nevertheless, the benefits could be
substantial (initial estimates identify cost savings of at least £500m p.a through the Government
Applications Store by 2020, £300m p.a infrastructure savings by 2015, plus a 75% reduction in power
and cooling costs by 2015). There are also significant early opportunities, e.g. in public web hosting and
standard software application domains.
7..2 Full realisation of the benefits will be dependent on the determination of the commercial and
contractual migration plans, along with up-front investment models, and the development of viable
contractual models that enable transition, and “future proof” forthcoming procurements.
7.3 Phase Three will need to gain an understanding of the differential cost drivers in public and
private clouds to enable initial benchmarks to be constructed, resolve of a number of key risks, and the
critical dependencies. As the programme moves into Phase Three, the commercial strategy team
recommends the following:
The development of detailed commercial and contractual migration plans which mitigate current
risk, are based on detailed analysis of the current contractual landscape (what are the
opportunities to aggregate/intercept?,are these opportunities viable? What is the appetite within
both government and ICT industry to move to the new model?), and early transition principles,
which align to the programme transition model, and to the roadmaps being developed by all
programme strands.
Work with and across the programme to develop standards, certification criteria and supporting
processes.
Standardised, viable contractual models will need to be scoped and developed to enable transition:
for Phase Three, with the principal focus on developing and issuing guidance to Departments who
are in the process of procuring services which have the potential to migrate to cloud, and in
developing key clauses for Model Contract 2.4 (due for publication Summer 2010), and for
forthcoming OJEUs.
The construction of initial cloud benchmarks based on known HMG requirement, to enable full
development of the value proposition, and inform the business case and the commercial and
contractual migration plans. Key to this will be working with established public cloud providers to
understand their cost models, define the commoditised components, and then understand the
differential cost drivers within the private G-Cloud (for example, pre-procurement, incremental
security, confidentiality, integrity and availability costs), to establish credible benchmarks. In tandem,
benefit methodologies will need to be developed and agreed to enable benefit capture from the
outset of transition.
A focus on motivating & engaging with a new diversity of suppliers whose business models and skills
are relevant to the development of the G-Cloud combined with a focus on the motivation of
established suppliers to transform their long established business models accordingly.

V2.5 UNCLASSIFIED Page | 33 of 64


Resolution of a number of key risks, issues and dependencies to make the overall proposition
attractive and viable to all parties. In particular, there is a need to increase the level of government
input into the overall proposition and resolve concerns around risk, accountability and governance.
ANNEX F – Key Risks
ANNEX G – Recommended commercial activities for Phase Three.

V2.5 UNCLASSIFIED Page | 34 of 64


ANNEXES

ANNEX A – Detailed commercial principles for software and open source


ANNEX B - TUPE implications
ANNEX C – Data Protection, including consideration of the US Patriot Act
ANNEX D – Procurement challenges
ANNEX E – Commercial transition model
ANNEX F – Key risks
ANNEX G – Recommended commercial activities for Phase Three

V2.5 UNCLASSIFIED Page | 35 of 64


ANNEX A – Detailed commercial principles for software and open-source
1. Implications for the use of all applications through the Application Store
1.1 The Government Applications Store demonstrates a good practice procurement route for
collaborative software procurement in terms of: contract, governance, approvals process, and
collaborative procurement. The Government Applications Store is either a single store (newly procured,
or via an existing framework), or the amalgam of a number of existing frameworks, all offering
applications to Contracting Authorities on a call-off basis.
1.2 The Government Applications Store helps you determine the best value deal for you and your
organisation, so you can compare on a VFM basis how you want to buy software: e.g. compare costs of
COTS with support and maintenance against pay as you go SaaS.
1.3 Software is provided through commercial vehicles which have been competitively tendered, using
standard terms and conditions (T&Cs)*, and provides the opportunity to include new services as
business demand grows.
5

1.4 A series of model terms can be selected, from the simple licence to use, to a licence combined with
support and maintenance. [Note: different use options and therefore different prices would be ideal]
1.5 Software asset management and reuse are enabled in the standard T&Cs and through processes
and MI reporting to ensure transferability and reuse on an intra and inter government organisations
basis, and ensure procurement managers can track MI for their organisations.
1.6 Machinery of government issues are addressed through an agreed process for managing change
within the standard T&Cs. (pre-agreed rights to assign are embedded within the standard terms).
1.7 Suppliers commit to provide their best price in the Government Applications Store, with government
being treated as one customer, with as much transparency on pricing as possible.
1.8 Resellers only exist within the supply chain where there is a genuine benefit for customers, for
example should not sit in supply chain for buying SaaS.
1.9 Software suppliers experience benefits from Government Applications Store of: reaching hard to
reach public sector customers, the opportunity to maintain or expand their market and customer base
instead of losing; greater opportunity to innovate; reduced cost to selling and managing deals.
1.10 The best value solution will include the ability to buy licenses with minimal restrictions, with
as wide a scope as possible, and the ability to demonstrate value for money to the UK taxpayer.
1.11 Change control costs will be minimised as much as possible by building as much flexibility
as possible into the licence framework.

2. Contributing to the Government Applications Store


2.1 Contributors (who have pre-qualified to be part of the Government Applications Store) can
contribute new applications at any time. The Government Applications Store directory will be updated

5
*Standard T&Cs will have been negotiated as part of collaborative deals by government leveraging as much
of its potential buying power as possible.
V2.5 UNCLASSIFIED Page | 36 of 64
frequently. [Note, this would require a very wide new framework, or the combination of a number of
existing frameworks]
2.2 Contributors may agree payment for their contributions with the Government Applications Store
operator. i.e. a contributor, on the framework, will agree, through change control, with the framework
contracting authority, e.g. OGC, that it should be paid for a particularly valuable application. However, it
is suggested that the default is that applications are contributed for free, and then revenues are earned
by the contributor for future sales.
2.3 Assurance will be built into the contributions process.

3. Open Source
3.1 Open Source COTS (common off the shelf) software and services and the reuse of bespoke
applications are available in the Government Applications Store where there is government demand and
potential to derive efficiency savings.
3.2 There is commercial guidance to help customers compare the Total Cost of Ownership of COTS
Open Source in comparison to propriety software, and guidance on considerations for Open Source
licensing models. Customers should ensure that they read any restrictions on use or restricting the
combination of open and closed source software. Open source licences differ and different applications
may be subject to different terms. [ query whether we can make it a term of the new framework setting
up the Government Applications Store that open source is licensed on the basis of an OSI recognised
licence, or even better, that it is licensed on the basis of the GPL v3 (or 2) ]
3.3 It will be clear who will have access to Open Source code and applications, where this will be, and
on what basis they will be able to use and modify. This also includes points of consideration for the ICT
model contract.

4. Application Development
4.1 There is the ability to reuse government bespoke services, applications, and patterns, and
transparency of changing models.
4.2 Government's policy is to retain the Intellectual Property Rights for specialist applications developed
for government, and to ensure that appropriate provisions and protections are included in suppliers‟
contracts to allow for easy reuse within central government and wider public sector, including rights to
access source code and associated documentation, and IPR ownership and related warranties and
indemnities.

V2.5 UNCLASSIFIED Page | 37 of 64


ANNEX B - TUPE implications
1. TUPE - Transfer of Undertakings (Protection of Employment) Regulations 2006 is a UK law which is
used in conjunction with the ARD (Acquired Rights Directive), a European Council Directive
77/187/EEC. The purpose of the legislation is to protect employees if the business in which they are
employed changes hands. Its effect is to move employees and any liabilities associated with them from
the old employer to the new employer by operation of law.
2. The recommended changes associated with data centre consolidation, the application store and G-
Cloud have a number of staffing based implications which under certain situations fall under this
legislation including:
A requirement for fewer human resources
A requirement for human resources with different skills and capabilities
Potentially a greater number of suppliers
Potentially a greater frequency of supplier changes/switches
The expiry or early termination of existing services agreements
The creation of new service agreements to replace expired/terminated agreements and for new
outsourcing agreements
3. TUPE applies under situations where there is a transfer of an undertaking, business or part of an
undertaking or business situated immediately before the transfer in the United Kingdom to another
person where there is a transfer of an economic entity which retains its identity
4. Or where there is a service provision change – where a contract:
Is awarded to a contractor (contracted out / outsourced)
Is re-let to a new contractor (reassigned)
Comes to an end with the bringing “in house” of the service or activities (contracted in / insourced)
5. Cabinet Office Statement of Practice on Staff Transfers in the Public Sector states that:
Transfers involving the public sector “will be conducted on the basis that staff will transfer and TUPE
will apply”.
Therefore the project is premised on the basis that TUPE should apply unless there are genuinely
exceptional reasons not to do so.
6. The resources affected by TUPE are:
Any person employed by the outgoing employer and assigned to the organised grouping of
resources or employees that is subject to the relevant transfer; and
whose employment would otherwise have been ended by the transfer
or who is employed immediately before the transfer

6. Therefore one of the key issues is to identify who is assigned to the functions that are transferring.
Resources are protected by TUPE in the following ways:
Transfer of employment: employees automatically transfer to the new employer on their existing
terms and conditions with continuity of service intact.
Transferee inherits all employee liabilities: pre-transfer liabilities relating to the relevant
employees are also transferred to the new employer (other than for any criminal liabilities).
Variation of contracts are void: any change of terms and conditions by reason of the transfer are
void in certain circumstances.

V2.5 UNCLASSIFIED Page | 38 of 64


Dismissals automatically unfair: any dismissal by reason of the transfer is automatically unfair,
unless it is for an “economic, technical or organisational reason entailing changes in the numbers or
functions of the workforce”
Duty to inform and consult: the employer is under a duty to inform appropriate representatives of
affected employees of the proposed transfer. If “measures” are proposed in relation to the affected
employees, consultation with appropriate representatives is required. Consultation must commence
in good time so as to enable it to be carried out prior to the transfer taking place.
Agreements can not be made to avoid TUPE: any agreement to "contract out" of TUPE is void
7. Whilst it is not possible to contract out of TUPE, the outgoing and incoming employers can agree to
allocate TUPE liabilities contractually between them, e.g. by the inclusion of contractual indemnities.
8. Another practical way to avoid TUPE is to offer to deploy staff with their agreement before the
transfer. This is often suggested when the transferring staff are at risk of redundancy.

Potential application of TUPE to Data Centre Consolidation


9. TUPE may apply if there is a “relevant transfer” of existing services in consolidating / rationalising
data centres.
10. For Example: Supplier A currently provides data centre space and infrastructure to department A
(Data Centre 1). A number of supplier A‟s staff are assigned to the department A‟s account.
11. It is determined that the requirement for Data Centre 1 will be consolidated and any applications,
etc. hosted in Data Centre 1 will be transferred to Data Centre 2 provided by supplier B.
12. This is likely to constitute a “relevant transfer” and TUPE will apply as follows:
Supplier A will have a duty to inform and consult with relevant staff.
Such staff (and any liabilities) will transfer automatically to supplier B.
Any dismissals made by either supplier A or supplier B in connection with the transfer will be
automatically unfair.

Potential application of TUPE in establishing the Government Applications Store


13. TUPE may apply if there is a “relevant transfer” of existing services in establishing the Government
Applications Store.
14. For example: A number of staff (employed within government and/or by supplier A) are currently
engaged in activities and services which will be replaced by the Government Applications Store.
15. The Government Applications Store is outsourced to supplier B.
16.This may constitute a “relevant transfer”, in which case TUPE will apply as follows:
The employers (i.e. government and/or supplier A) of such staff will have a duty to inform and consult
with relevant staff.
The staff (and any liabilities) will transfer automatically supplier B.
Any dismissals made by government, supplier A or supplier B in connection with establishing the
Government Applications Store will be automatically unfair.

Potential application of TUPE once the Government Applications Store has been established
17. Once the Government Applications Store has been established, TUPE may apply if there is a
“relevant transfer” of services provided in connection with the Government Applications Store.
18. For Example: A number of staff are employed by supplier A and engaged in
hosting/supporting/maintaining, etc. the Government Applications Store.

V2.5 UNCLASSIFIED Page | 39 of 64


Responsibility for hosting/supporting/maintaining, etc. the Government Applications Store is transferred
from supplier A to supplier B (or in-house to government).
19. This is likely to constitute a “relevant transfer”, in which case TUPE will apply as follows:
Supplier A will have a duty to inform and consult with relevant staff.
Such staff (and any liabilities) will transfer automatically to supplier B (or government if the
Government Applications Store is being brought in-house).
Any dismissals made by supplier A or supplier B (or government) made in connection with
transferring responsibility for hosting/supporting/maintaining will be automatically unfair.

Potential application of TUPE in Transitioning/Transforming to the G-Cloud


20. TUPE will apply where there is a “relevant transfer” of services in transitioning and/or transforming
to the „new world‟.
21. For Example: Supplier A currently delivers IT enabled services to department A under a contract
due to expire in 2012. A number of staff are employed by supplier A and are assigned to the services
provided to department A.
22. Department B procures services from supplier B for itself and for the benefit of other government
departments.
23. Department A allows the contract with supplier to expire on the basis that its requirements post-
2012 can be met by supplier B through the arrangements with department B.
24. This is likely to constitute a “relevant transfer” and TUPE will apply as follows:
Supplier A will have a duty to inform and consult with relevant staff.
The staff (and any liabilities) will transfer automatically supplier B.
Any dismissals made by supplier A in connection with the expiry / replacement will be automatically
unfair.
25. TUPE will also apply where there is a “relevant transfer” when switching suppliers in the G-Cloud.
This will depend on the requirements and types of products and services offered, how they are procured
and provided, and the basis and structure of the arrangements in the G-Cloud. At one end of the
spectrum, there will be highly configured, specialised and bespoke applications and/or services with
dedicated staff.
26. Switching from one supplier of this type of application/services to another supplier is highly likely to
constitute a “relevant transfer” under TUPE and this will have the same implications outlined in the
previous example.
27. At the other end of the spectrum, there is likely to be pure utility/commodity products and generic
services which suppliers offer to multiple customers on a no commitment / „pay as you go/grow‟ basis.
28. To the extent that these do not involve any human resources then TUPE is unlikely to apply.
29. For example, switching from one provider of commercial „off-the-shelf‟ software to another provider
of itself is unlikely to trigger TUPE. However, in practice, there are likely to be circumstances where
TUPE could apply:
30. For Example: A number of staff are employed by supplier A and engaged in supporting and
maintaining software, manning a helpdesk and/or managing the account in respect of software for
government (or a department).
31. Government (or the relevant department) decides to switch to another software provider, supplier B.
32. This may constitute a “relevant transfer”, in which case TUPE will apply as follows:
Supplier A will have a duty to inform and consult with relevant staff.
The staff (and any liabilities) will transfer automatically supplier B.

V2.5 UNCLASSIFIED Page | 40 of 64


Any dismissals made by supplier A or supplier B in connection with the transfer will be automatically
unfair.
Or
33. A new company is set up or an existing company (supplier A) decides to assign a team of staff to
provide products / services to government (or a department).
34. Government (or the relevant department) decides to switch to another supplier (supplier B) for the
same or very similar products / services.
35. This may constitute a “relevant transfer”, in which case TUPE will apply as follows:
Supplier A will have a duty to inform and consult with relevant staff.
The staff (and any liabilities) will transfer automatically supplier B.
Any dismissals made by supplier A or supplier B in connection with the transfer will be automatically
unfair.

Other Key Considerations


Location of services and employees providing the services - local law may apply and local law advice
is recommended.
Genuine redundancy - there may be certain employees whose employment will end by reason of
redundancy and then if certain contacts are coming to an end there may be a genuine redundancy
situation?
The Unions - the Unions may oppose any attempt to outsource these services and to make
redundancies and so a strategy needs to be implemented to deal with this.

TUPE – Further Analysis


36. To enable more specific advice to be provided on the application of TUPE and the strategy for
addressing TUPE implications, further due diligence, analysis and work is required to:
I37. dentify and understand legacy arrangements/contracts:
What services currently exist, how they are provided, where and by whom.
How and to what extent the employees are engaged/deployed in delivering the current services.
Expected duration and expiry dates of existing contracts.
Protections/indemnities included in the existing contracts and extent to which these extend for the
benefit of a replacement supplier.
Agree which legacy arrangements/contracts will expire/come to an end to determine if genuine
redundancy situations could exists.
Agree which legacy arrangements/contracts will continue and/or be replaced, by whom and on what
basis.
Determine the target operating model of the „new world‟.
Determine the sourcing/procurement/transition strategy for the „new world‟.
Determine the contracting strategy and framework for the „new world‟.

V2.5 UNCLASSIFIED Page | 41 of 64


ANNEX C – Data Protection, including consideration of the US Patriot Act
1. Most cloud computing relationships are complex and involve the transfer of data across multiple
jurisdictions. There is currently very little regulation specific to cloud computing and whilst data
protection regulation will clearly be relevant where personal data is processed as part of the G-Cloud
services, the Information Commissioner does not currently have any specific guidance on cloud
computing. Obligations and duties of privacy and confidentiality are also likely to be relevant and
compliance with, and the implication of local laws should not be overlooked.
G-Cloud and the Data Protection Act
2. The Data Protection Act 1998 (DPA) will apply to G-Cloud in the same way as any other
outsourcing where personal data is concerned. In most cases:
Government (the relevant department) will be the 'data controller' of personal data; and
The relevant supplier will be the 'data processor' of personal data.
3. Where personal data is transferred to/processed by suppliers, government (the relevant
department) will usually be responsible for complying with the DPA. Data controllers are responsible for
compliance with the DPA and compliance with the DPA cannot be outsourced.
4. It is therefore essential that appropriate provisions are included in the contracts with suppliers
regarding personal data. As well as the usual data controller/data processor and other good practice
and 'mandated'6 contractual clauses, minimum security requirements and other measures (based on
those set out in the SPF7 and MMMs8) should be developed and incorporated in supplier contracts as
contractual requirements. Minimum requirements and measures should also be used to evaluate
suitability and adequacy for accreditation purposes.
5. Once established, standard contractual clauses and minimum requirements and measures should
be reviewed and assessed on an ongoing basis to ensure that they remain adequate and appropriate,
for example, in light of technological advancements, etc.
DPA Principles
6. Government (the relevant department) must ensure that personal data is:
Fairly and lawfully processed;
Obtained for specified and lawful purposes;
Adequate, relevant and not excessive;
Accurate and up to date;
Not kept for longer than is necessary;
Processed in line with a data subject's rights;
Secure – appropriate technical and organisational measures should be taken against
unauthorised/unlawful processing and against accidental loss/destruction/damage (Seventh
Principle); and
Not transferred to countries outside the EEA unless there is adequate protection (Eighth
Principle).
The Seventh Principle – Appropriate Organisational and Technical Measures

6
The Cabinet Office's data handling review and report and related OGC guidance require the inclusion of a
number of contractual clauses in the OGC‟s Model ICT Services Agreement where data handling/security is an
issue and/or personal and/or confidential information is used/handled/disseminated. For more details, see:
http://www.cabinetoffice.gov.uk/reports/data_handling.aspx;
http://www.ogc.gov.uk/documents/PPN13_08_Data_Handling.pdf ;
http://www.ogc.gov.uk/documents/PPN_Data_Handling_Review.pdf
7
HMG's Security Policy Framework. For more details, see http://www.cabinetoffice.gov.uk/spf.aspx
8
Cross Government Actions: Mandatory Minimum Measures. For more details,
http://www.cabinetoffice.gov.uk/media/cabinetoffice/csia/assets/dhr/cross_gov080625.pdf
V2.5 UNCLASSIFIED Page | 42 of 64
7. What is appropriate in each case will depend on all the circumstances of the relevant
processing/transfer of personal data, e.g. the type of information, the potential harm and the technology
available to protect the information.
8. However, a standard approach and guidelines could be developed, for example, in relation to the
carrying out of initial due diligence, the inclusion of standard contractual clauses (which include
minimum security requirements and measures as mentioned above) and specify rights, processes and
procedures in relation to review, monitoring and audit to ensure compliance and continued adequacy
and appropriateness.
9. Government (the relevant department) must demonstrate that it has conducted adequate due
diligence on suppliers, systems and processes prior to permitting any personal data to be transferred.
10. In practice, this means:
Selecting a reputable supplier whose privacy and security standards meet agreed standards;
and
Knowing where its data is - if not to the exact machine, at least the actual data centre.
11. This second requirement is potentially difficult in a cloud environment as data is often moved to
different locations depending on capacity and many suppliers store copies of a data at different
locations as part of their business continuity arrangements. However, without such knowledge it will be
difficult satisfy the obligation to ensure the appropriateness of the technical and organisational
measures taken by the supplier to protect personal data. It might therefore be appropriate to consider
and specify certain restrictions on the movement/location of particular types of data.
12. Government (the relevant department) should also require the incorporation of
technologies/practices to minimise the risk of unauthorised access to the data.
13. Examples include:
Anonymisation of data;
Encryption of data;
Data segregation;
Restrictions on access to data;
Explicit and detailed procedures in relation to inter-system and inter-provider privacy and
security requirements;
Regular reviews of identity and access management to the data; and
Prohibition on use of data or access to data for secondary purposes, e.g. advertising.
The Eighth Principle – Transfer of Data
14. Transfers outside the European Economic Area9 (EEA) are prohibited unless it is to a country which
can ensure an 'adequate level of protection'.
15. Argentina, Canada, Switzerland, Guernsey, the Isle of Man and Jersey have been deemed
'adequate' by the EC and personal data can also be transferred to companies in the US that have
signed up to the 'Safe Harbor' agreement.
16. Where a supplier intends to transfer personal data to a country that is not approved by the EC (or to
a US-based provider that is not a member of the Safe Harbor scheme), EC approved model clauses
should be used in supplier contracts.
17. Transferring data is an integral part of cloud computing and so the government (the department) will
need to ensure that all transfers of data will be performed with adequate safeguards for the security and
integrity of the data and, in the case of personal data, for the rights and freedoms of the individuals
concerned. They will also need to know which country or countries will host its data, carry out regular
audits to ensure ongoing compliance and should not allow transfers if there is any doubt as to the
hosting country's standards.

9
The EEA currently comprises the EU member states, Norway, Lichtenstein and Iceland.
V2.5 UNCLASSIFIED Page | 43 of 64
Confidentiality
18. Personal data aside, government and departments will need to ensure compliance with any and all
duties of confidentiality (financial, contractual and/or regulatory) when transferring all information and
data to suppliers.
19. Confidentiality and privacy requirements must be considered whenever information is shared,
particularly where the data being transferred is data previously maintained on a secure internal /
dedicated server.
20. Obligations of confidentiality should be included in supplier contracts, including restrictions on
disclosure / access.

Data Management and Security


21. All contracts with suppliers should recognise the importance of data security and provide clear
obligations and procedures in the event of data loss, misuse and/or corruption. As data is likely to be
spread over numerous servers, consideration needs to be given to how inappropriate/illegal activity can
be traced and responsibility for data lapses can be allocated. As a minimum, suppliers should be
required to comply with the HMG risk management process.
22. The following should be scrutinised:
Supplier‟s security policies and processes, including internal audits and improvements
Supplier‟s level of testing to verify service and control functionality
Supplier‟s risk-control processes and response plan that will apply on detecting vulnerabilities
Independent certifications in respect of security assessments should be considered and/or built
into supplier accreditation
23. Where appropriate, suppliers should be required to comply with the HMG risk management process.
As a minimum, supplier security policies should be reviewed to ensure they do not cut across/are
consistent with government/ department security policies
24. Suppliers should also be required to:
encrypt data categorised as personal/sensitive/confidential (both for storage and transmission
purposes)
perform regular back-ups and have in place clear processes and procedures for restoring lost
of corrupted data
N.B. Back-ups may not be necessary where data is stored in multiple physical locations as a matter of
course. Government/ departments should ensure that it retains ownership of data at all times.
Local Laws
25. Government and departments will need to ensure that all information/data is stored, transferred and
processed in compliance with local laws and privacy requirements and that appropriate provisions are
included in contracts with suppliers.
It should be noted that the laws of other jurisdictions:
May not recognise the personal/sensitive/confidential nature of information/data
May permit examination of information/data to take place without the government/ department‟s
permission and/or knowledge
Examples include the US (Patriot Act) and Singapore
The US Patriot Act – Introduction and Application
26. The Patriot Act was enacted by the US Congress shortly after the September 11 attacks to enhance
the ability of US security services to prevent terrorism. Under the Patriot Act, the US federal
government / FBI can compel the disclosure of records held by suppliers. The Patriot Act applies to US
corporations and may apply to suppliers with a US parent, particularly if the US parent has access
V2.5 UNCLASSIFIED Page | 44 of 64
to/control of data.N.B. We are not aware of any cases of the Patriot Act being applied to a UK
subsidiary of a US company.
27. The Patriot Act is also likely to apply to any assets (including information and data) held on US soil.
28. However, it is questionable if the Patriot Act provides any substantive additional rights to access
information/data. Law enforcement agencies have always been able to apply for a court order to
disclose information and data and the Patriot Act arguably just provides a short cut.
29. In practice, if the US government / FBI (or any other government / enforcement agency in any other
country) wants access to information/data, they will invariably find a way.
30. For example, the legal basis for the US‟ Terrorist Finance Tracking Program (an Office within the
Office of Foreign Assets Control) activities and related subpoenas which required the Belgium-based
Society for Worldwide Interbank Financial Telecommunications (SWIFT) to transfer personal data held
on US servers in 2006 appears to have been founded on a number of sources.
Patriot Act – Risk Mitigation
Agree safeguards and protections with the US government, e.g. Mutual Legal Assistance
Treaty;
Make use of supplier advanced features and offerings, e.g. data anonymisation and
regionalised cloud computing;
Contract with supplier groups/consortia which are structured so as to minimise the
application of the Patriot Act;
o UK/European incorporated suppliers
o No rights to access/control data for US parents
o N.B. Will still need to ensure compliance with public procurement rules
For certain categories of data (e.g. personal/sensitive/confidential), include minimum
requirements and other provisions in supplier contracts in relation to hosting/storage (e.g.
to remain within the EEA)
Require all G-Cloud suppliers to notify government (the relevant department) immediately
of any requests for disclosure and co-operate
31. To enable more specific advice to be provided on the potential application of the Patriot Act and the
strategy for addressing the implications of this, further due diligence, analysis and work is required to
understand:
The type and nature of data (the Patriot Act has different implications depending on the
nature of the data);
Who will host/store data; and
Who will have access to the data.
32. Local law advice is also advisable.

V2.5 UNCLASSIFIED Page | 45 of 64


ANNEX D – Procurement Challenges
1. Frameworks
1.1 The working assumption is that frameworks will be segmented along service lines, so there will be
at least 3 frameworks – one for each of SaaS, PaaS and IaaS. However, some suppliers will want to
offer more than one of these services and their competitive edge may exist in that consolidation (rather
than excelling at any one level).
1.2 Will such suppliers need to win a place on multiple frameworks? If so, how do you ensure that they
can put their best prices forward if this relies on the ability to consolidate services that cut across several
frameworks?
1.3 Conversely, an SME might be very competent for provision of one type of application or platform.
How will the frameworks police their ability to expand into other areas (undoubtedly HMG will want to
encourage such expansion but ensure it does not put public services at risk by allowing companies to
operate in activities they lack the competencies for).
1.4 It should be noted that there are constraints on the suitability of framework agreements for delivery
of the various elements of the strategy that will need to be considered and addressed. Firstly, they must
be limited to 4 years in duration which therefore limits the period over which suppliers can sensibly
amortise their CAPEX costs.
1.5 Call off contracts under framework agreements can be for a longer duration but this is limited and in
any event the intention under this strategy is for call-off contracts to not have fixed terms. If a supplier
does not gain a place on a second generation framework, how will services be transitioned from that
supplier and their offerings removed from G-Cloud and the Apps Store?
1.6 Secondly, in order for the framework approach to work, adherence to the Ts & Cs set out in the
framework is a pre-requisite for retention of procurement law cover – neither the customer nor the
supplier can seek to vary the terms of individual call-off contracts. Price competition can be continued
through mini-competitions using procedures set out in the framework agreement but the evaluation
criteria used must be based on those set out in the original OJEU.
1.7 The alternative approach to a strategy of framework procurements is presumably to view the G-
Cloud as a concessions model. This would involve HMG allowing any service provider that met certain
standards and criteria to be accredited as a supplier of a class of services, with the accreditation
reviewed annually. Authorities would then buy these services through the G-Cloud.
1.8 However, this approach would not give authorities procurement law cover and they would need to
run their own restricted procurement process if the value was above the threshold. There would also be
a risk of sprawl as HMG would not be able to close the market to any competent supplier from the EU
and policing such a market place would be a challenge.
1.9 The contractual and commercial challenges are greatly reduced where dealing with new
procurements or re-tenders (although there will still be transition and re-training costs). However, the
report clearly envisages a more aggressive timescale for transition with existing contracts being
transitioned and reluctant service providers being replaced.

2. Early Transition of Existing Services (Continuing Suppliers)


2.1 Even where a supplier is enthusiastic about transition of their services to align with the new
strategy, there will be a number of costs for Authorities that will need to be factored in:
management time to re-negotiate contracts and complete the required scrutiny and approvals
processes;
legal, financial and consultancy support;
redundancy costs (see Employment section below);
re-training costs
V2.5 UNCLASSIFIED Page | 46 of 64
2.2 Changing the delivery model of existing contracts is also potentially problematic from a procurement
law perspective if the amendments to a contract are materially different in character from the original
contract. This would include, for example, where the economic balance of the contract is fundamentally
changed (as seems likely). This is regardless of the scope of the original OJEU notice (C-454/06
Pressetext v Austria).
2.3 Whether a change is material or not is a complex question and depends on the context of the
particular case – it will be difficult to establish a single „rule of thumb‟. The risk of challenge and the risk
of such a challenge being successful would be balanced against the economic benefits but the potential
for challenge seems high as (i) not all suppliers are necessarily going to wish to be part of the new
strategy, and (ii) the new Remedies Directive gives a greater likelihood of meaningful recourse.

3. Early Transition from Existing Contracts (Non-Continuing Suppliers)

3.1 Such transitioning will attract a number of costs, potentially including (but not limited to):
termination charges or buying out of contracts;
management time to re-negotiate contracts and complete the required scrutiny and approvals
processes;
legal, financial and consultancy support;
redundancy costs (see Employment section below);
re-training costs;
procurement costs (even if only mini-competitions under frameworks)
3.2 All of these costs are likely to be higher in this scenario where the supplier is resistant to the
transition. There would also be greater service risk in transitioning from an unco-operative service
provider.

4. Periodic v Utility Charging


4.1 A number of possible utility pricing models have been identified, including monthly subscription. It
useful to draw a distinction between periodic charging and usage-based or transaction charging.
Periodic charging is the most common model and usually involves a set subscription fee based on the
number of users (banded pricing) and an overall or per-user storage limit. This offers a degree of
certainty to both buyer and seller.
4.2 Usage-based charging, which relates the charges to be paid to the amount of usage of the service
by the customer, can be attractive to customers, particularly where their policies and practices enable
them to make best use of the service and minimise wasted charges.
4.3 However, usage arrangements tend to pass the business risk of IT use back to the customer, which
makes charging less predictable, so that the customer loses one of the key benefits of cloud computing.
This model may also be unattractive to the cloud service provider, since the charges it receives will
fluctuate from one charging period to the next on a basis that is beyond its control.

5. Additional Charges
5.1 Whichever charging model is being used, it will be necessary to establish at the outset what the
service charges will consist of and what will be sold as add-ons or "hidden extras". Support and
maintenance are often provided for an additional charge based on a percentage of the subscription fee
− and these percentages vary between service providers.
5.2 Service providers also vary considerably in respect of their add-on charges for extra users, extra
storage, premium maintenance and uptime guarantees, so it can be difficult for customers to evaluate
the overall value for money of different solutions. Charging models will need to be harmonised to enable
meaningful comparisons to be made.
V2.5 UNCLASSIFIED Page | 47 of 64
6. Lock-in & Price Increases
6.1 The basic premise of the strategy is that lock-in is undesirable, both in technical and commercial
terms. However, lock-in does provide suppliers with revenue certainty and therefore a platform for
investment. Suppliers will want some reassurance of their ability to recoup the capital investment it is
envisaged they will provide.
6.2 It is likely that many suppliers will still look for contracts of a fixed term (albeit shorter than many of
the traditional 10 year IT outsourcings). This is akin to the approach of mobile phone and digital TV
operators who seek to get customers on 12-24 month deals and then to renew subscriptions for a
further 12-24 months in return for equipment upgrades. This sort of model could benefit customers who
have leverage at contract renewal time to negotiate discounts or upgrades and therefore drive prices
down.
6.3 For such short-term contracts, customers may seek to negotiate options to renew for a single term
or further terms up front with the charges payable during the renewal terms fixed. The customer is
always entitled to not exercise such an option when the time comes and move to a different vendor if
the charges available in the market are better.
6.4 Longer-term agreements should restrict price increases by reference to a fixed percentage of the
charges paid in the preceding year or to an indexation mechanism such as the retail price index (RPI) or
to IT specific indices. IT-specific indices generally track remuneration in the IT industry and are therefore
likely to outstrip the RPI. In fact, many of the costs associated with cloud computing may decrease over
time in line with the cheaper price of hardware. Price restrictions that relate to IT-specific indices may
therefore become relatively favourable to the cloud service provider.

7. Pricing and charging: exceptions


7.1 There are likely to be cases within the deployment of this strategy where utility pricing is not
achievable or desirable. For example, the contract to develop and operate the Apps Store does not
necessarily lend itself to a utility pricing model (unless the service provider is paid a transaction fee by
the responsible authority (OGC) for each application sold or a commission for each transaction by either
the purchaser or application service provider) or a move away from a fixed term service agreement.
7.2 Where a bespoke application is being developed that will then be re-used via the Apps Store,
suppliers will not necessarily want to make all of the investment themselves but still submit to a
customer acceptance regime (if they carry the full investment cost they will want full discretion over the
design and delivery of the application). This scenario might lend itself to a gainshare structure where an
authority shares in the investment costs but also gets a cut of future revenues (whether from the public
or private sectors). This might then better incentivise authorities to share their bespoke applications via
the Apps Store.

8. Competition Law
8.1 It should be noted that attempts by a public body representing the State to engineer the structure of
competition and the extent to which participating government entities or public bodies may purchase
services or products from particular suppliers, may raise questions of EU law, in particular, of
compliance with the free movement of services and of goods rules, respectively, under the Treaty on
the Functioning of the European Union (TFEU). Any measure which has the equivalent effect to a
restriction (direct or indirect) on the extent to which services or products can be purchased
or inputs obtained from other EU member states (or other EEA states), could be unlawful under the
relevant TFEU provisions.
8.2 This may be more likely in the absence of a compliant public procurement procedure having been
followed for the appointment of approved suppliers. It would therefore be preferable to plan for guidance
only on the principle of the desirability of ensuring a competitive supplier market place, whilst
leaving any choice of supplier open to the participating bodies.

V2.5 UNCLASSIFIED Page | 48 of 64


8.3 Alternatively, recommendations could be issued on an objective and non-discriminatory basis by
reference to the characteristics or technical features or other specifications of the service to be
provided, to encourage diversity of choices of supplier. In any event, careful consideration will be
needed to ensure that the format of any measure of the type now contemplated will not infringe the EU
free movement rules.
8.4 Further, insofar as any of the participating government entities or public bodies are undertakings for
the purposes of competition law, i.e. insofar as they operate commercially, it is possible that an
agreement between undertakings might arise, depending on how the proposed arrangements are
structured. Agreements between undertakings restricting purchases from particular suppliers could
infringe EU competition law (Article 101 TFEU) or UK competition law (under Chapter I of the
Competition Act 1998).

9. Employment
9.1 The proposed rationalisation and increased automation of services is likely to raise the prospect of
significant redundancy costs if those employees affected cannot be readily redeployed by the service
provider or Government Department. A key factor in determining strategy is likely to be who will bear the
costs of such redundancies, which in the case of public sector and former public sector employees
could be very significant.
9.2 There will be of course some situations where the allocation of cost and risk may have been
allocated between parties under pre-existing agreements. In other circumstances this may not be the
case. A supplier who takes over the provision of pre existing services which are to be rationalised and
automated may wish to challenge the application of TUPE in these circumstances, in reliance on case
law developing in this area.
9.3 The aim of such a challenge would be to avoid the transfer to it of large numbers of potentially
redundant employees from an existing supplier. Challenges to the application of TUPE could be either
because the economic entity does not retain its identity, or in the case of a service provision change, no
activity is transferred.
9.4 The approach taken by Government in addressing this issue is likely to be a key consideration.
9.5 If the transfer is “second generation” between two suppliers what approach will the Government
adopt? Will it simply leave the suppliers to argue the position on the application of TUPE or will it seek
to protect the rights of the affected employees?
9.6 Both the attitude of the unions and suppliers is likely to be heavily influenced by the approach
adopted by the Government in this regard. The greater degree of protection the Government seeks to
provide to employees affected by the change in commercial strategy, the greater the likely potential
costs associated with its implementation.

V2.5 UNCLASSIFIED Page | 49 of 64


UNCLASSIFIED
ANNEX E: – Commercial Transition Model

Accreditation
Migrating Collaborative Contracts/Frameworks into Apps Store

Basic Apps Store Available for purchase by


Procurement Analysis and
Catalogue of Shop Window SI‟s (in contract) or other
Architecture (LITE) Prioritisation Security Available Government Departments
existing products
subject to constraints
Service Management Basic Apps Store
(LITE)
NEW PRODUCT DESCRIPTIONS AND Commercial Model
NEW PROCUREMENT FRAMEWORK Dependencies/
Constraints
Get house in
Replaced over time
G-Cloud Services
order / Data Anlysis Catalogue Created Legal confirmation
Containing G-Cloud Non functional New Procurements
Legal check Services Definitions requiremements
Supplier
G-Cloud Services
Questionnaires End User
Enterprise Architectures Catalogue Defined Procurement Government Apps
Accreditation Procurement
“Harvest Defined for Bodies based As Procurement Framework Store
Mechanism
Mechanism” upon XGEA Framework
Define Business
Case Options
G-Cloud Governance, Payment
Systems Integrator and Architecture
Service Integrator Roles
Defined

HMG confirm Suppliers define


demand profile and new business
commitment level models
In-Flight Data Centre Contracts

Interim Benchmark Interim Benchmarks


G-Cloud market
Subject to local Prioritision & Basic Service based on Standard Applied Progressively
Legacy Transition initiated for ICT
agreements Targetting Definition Service To Existing ICT
Supply Contracts
Specifications Supply Contracts
Commercial
Architecure
New Contracts
Commercial
Firewall
Voluntary
acceleration within
inflight contracts

CSR 7 CSR 10 CSR 13

V2.5 UNCLASSIFIED Page | 50 of 64


UNCLASSIFIED

ANNEX F – Key risks

Impact [H/M/L
Date raised Description Owner Proposed Actions Action undertaken
Likelihood
8/11/09 Procurement law constraints impact Mark High/Low Confirm constraints
ability to transition at scale: O‟Conor
Ensure appropriate
pre-procurement to
ensure EU
law/guidance not
breached
Data-centre consolidation creates supplier Mike Truran High/Low Ensure consolidation Discussions with
lock-in and market distortion is done within bounds DLA/Pinsent Masons
of existing contract
and within scope of Annex E
original OJEU –
contracts to be
considered on a case
by case basis –
balance risk and
opportunity
TBD High/Low Establish demand Annex E
Unmanaged dis-aggregated cloud buying
breaches EU procurement thresholds Ensure pre-procured
TBD High/Low Ensure pre-procured
Buying “from” the Government TBD Med/Med Minimise risk of Programme players
Applications Store without a pre- challenge through made aware
procurement careful risk analysis in
the context of this
EU Remedies Directive increases risk of Directive
challenge
Explore viability of
“re-selling”
contractual vehicles

Monitor against EU

V2.5 UNCLASSIFIED Page | 51 of 64


UNCLASSIFIED
thresholds

Establish principle of
pre-procurement
TBD Med/High Minimise risk of DLA seeking specific
Competition law – Treaty of the
challenge through advice in the context
Functioning of the European Union (any
careful risk analysis in of DC-Consolidation
restriction on the provision of products the context of Annex G
and services within EU states likely to be competition law and
unlawful under this treaty): potential
this Treaty
impact:

- location of
hardware/data

- managing cloud markets


22/12/09 TBD Med/Low Need to understand Annex C
Political impact of a) data-centre the potential impact of Annex E/TUPE
consolidation (job-loss) data-centre workshop – Phase 3
consolidation at
regional/local level
22/12/09 TBD Med/Low More research needs Annex C
Political impact of implementing ability to to be done in this Annex E
switch suppliers rapidly (job-loss/TUPE) area TUPE workshop –
Phase 3
22/12/09 Over complex process and practice TBD Med/Med Learn from Public Planned engagement
deters new entrants Cloud providers and with Amazon/ONS
apply
22/12/09 Lack of HMG commitment deters TBD High/Med A clear signal of
new entrants and discourages commitment to
encumbents from changing their industry and clear
business models implementation/transit
ion plans
22/12/09 High transition costs deter both TBD Med/Med Innovative investment Detailed analysis
government and industry models with through Phase 3
appropriate
risk/reward
mechanisms
23/11/09 Pricing and commercial terms for TBD High/High Ensure that terms Annex E
G-Cloud and data centre migration adequately reward
insufficient to encourage industry commercial risk
V2.5 UNCLASSIFIED Page | 52 of 64
UNCLASSIFIED
investment and participation. commensurate with
value for money and
cost savings
23/11/09 Industry engagement not senior TBD High/Med Appropriate industry Pricing workshop and
(CEO) or early enough to ensure engagement Intellect event,
decisions on G-Cloud service Individual company
provision and to prioritise “Concept Viability” escalation.
investment in FY 2010/11. type event early 2010

Continuous, informed
communication with
industry
23/11/09 Technical standards need to be TBD Med/High Engagement with TA Through Peer
available to enable the strand Review process
development of meaningful
benchmarks and commercial
standards
22/12/09 OEP is perverse incentive and TBD Med/High Rapid Quick Wins and Early
drives Departments to extend deployment/demonstr Proof of Concept
existing contracts in return for ation of early benefit.
reduced prices.
15/01/10 Location of Data/hardware – EU or Darron Med/Med Seek guidance from Guidance sought
UK? (general assumption that Stronge IA strand from IA strand –
majortity of Department‟s Understand what National interest
constrained to UK, but EU Departments are needs to be declared
directives prevent a direct doing in respect of
articulation this
15/01/10 Continuous pressure on prices TBD High/med Develop procurement Chapter 6 – key
within cloud markets creates an and migration recommendations
oligopoly or monopoly by default strategies to mitigate
risk
15/01/10 Need to understand how pan-public TBD High/High Establish a process Flagged to service
sector demand will be managed in that understands and management team
the cloud a) to generate attractive manages forward
markets; and b) to prevent the demand
breach of EU procurement
thresholds
15/01/10 Para 5.6.10 – need to consider re- TBD Med/med More analysis during Chapter 6 – key
imbursment of bid-costs in some Phase 3 recommendations
instances to create a genuinely
open market for all players –
V2.5 UNCLASSIFIED Page | 53 of 64
UNCLASSIFIED
potentially politically un-palatable
15/01/10 Accountability and structure – who TBD High/high Needs to be taken Flagged to service
bears the risk when things go forward as part of the management team
wrong? overall work on
governance
15/01/10 Supplier behaviours will need to be TBD High/med Needs to be taken Flagged to service
managed in a way that ensures the forward as part of the management team
cloud market remains viable – this overall work on
is as applicable to suppliers governance
operating outside of the cloud as to
those within
15/01/10 Failure to understand the security TBD Med/High Await guidance from Guidance sought
implications of public cloud (and IA strand from IA strand
therefore what government
may/may not buy from it) could lead
to sub-optimal benefits realisation
15/01/10 The risk of supplier transition could TBD High/high Develop a migration Chapter 6 – key
make the cloud concept very strategy to mitigate recommendations
unpalatable to e.g Perm secs and use early proof of
concept to prove
15/01/10 Ability to scale could create barrier TBD High/Med Consider whether Chapter 6 – key
to entry, particularly for SMEs ability to scale can be recommendations
determined by cloud
market
20/01/10 Costs for open standards need to TBD Med/low Transition of Chapter 5 – making it
be fully accounted for up-front legacy/in-flight happen
including the cost for remedying applications would be
legacy and in-flight applications that determined by benefit
require software upware upgrades case
where there is a prohibitive cost for
retrofitting
25/01/10 Can government and industry really TB D Med/high Establish process that Flagged to service
adopt use-base charging on an understands and management team
enterprise basis given the lack of manages forward
forward demand capability and demand
therefore inability to profile
spend/revenue?
25/01/10 Resources: Phase 3 of the G-Cloud Programme High/High Increase public sector To be flagged to
programme will, from a commercial resource programme director.
perspective, be resource intensive
given the level of commercial detail
V2.5 UNCLASSIFIED Page | 54 of 64
UNCLASSIFIED
needed. Given the nature of the
proposed analysis, much of this
resource will need to be drawn from
the public sector

V2.5 UNCLASSIFIED Page | 55 of 64


UNCLASSIFIED

ANNEX G – Recommended commercial Activities for Phase 3

Develop commercial and contractual migration plans


Activity Who? Methods Stakeholders Dependencies Timescale Prior
To 3
Define common Programme Sanitised version of Phase 2b 1a
outcomes of the business case
strategies from including benefit
all work projections. Clarify
streams incentives.

Align road- Programme Close working and All programme Standards from IA, Phase 2b 1b
maps across “hot house” sessions stakeholders SM and TA streams
strands – TA, to come through
IA, SM, CS . In rapidly
flight
procurements
e.g. PSN etc to
be aligned

Need to Programme Determine new All programme Department‟s willing Early to middle
understand and governance models stakeholders to articulate Phase 3
manage downstream
forward requirement
demand.

De-risk and QW strand Through early All programme None Early to middle
prove supplier delivery of proof of stakeholders Phase 3
transition. concept
Commercial
Strategy Team

V2.5 UNCLASSIFIED Page | 56 of 64


UNCLASSIFIED

Contract Programme Determine new All programme None End Phase 3


Management governance models stakeholders
Board needed
for each Cloud
category

Supply OGC/CO Develop SRM All programme Service Management June 2010 End
management – proposition for cloud stakeholders phase 3
within and
without cloud
Determine new
Programme
governance models
Develop Programme, Work shops and ICT TA team must give Phase 3
commercial best value standards
OGC Policy and Collaborative
standards to assessment
standards Category Board Service Management
enable the
standards
commercial Local CIO Forum
accreditation
ITSG
process.
Commercial
directors
Industry via Public
Sector Council
Improving
procurement Tiger
Team
Quick wins team

Develop criteria Programme and Close working and All programme None Phase 3 Phase 2b 2
for existing hot house sessions stakeholders
certification/de- accreditation
certification bodies
Commercial Programme in Government ICT Availability of End Phase 3 3
migration plan conjunction with transition workshops technical standards (TBD)
Collaborative
and commercial government
V2.5 UNCLASSIFIED Page | 57 of 64
UNCLASSIFIED
guidance. departments, Cross government Category Board
wider public commercial working
Local CIO Forum Development of
sector and groups to share best
commercial standards
industry practice. ITSG
(6.3)
Competent support Commercial
to departments for directors
commercial issues Development of initial
Industry via Public
cloud benchmarks
Sector Council
(6.4)
Industry transition Improving
workshops procurement Tiger
Team Resolution of key
risks and issues (6.5)
Industry concept
Analysis of current
viability * to be
contracts, frameworks
completed end
and in flight
phase 2b
procurements

Contractual OGC in Rigorous analysis of As above Resource intensive As above 3


migration conjunction with current contractual and can only be
analysis and government landscape to undertaken by
planning for G departments understand the Relevant government
Cloud and opportunities, government
quick wins. benefits case, risk departments and
and appetite their suppliers Resolution of key
risks and issues (6.5)

V2.5 UNCLASSIFIED Page | 58 of 64


UNCLASSIFIED

Scope and develop standardised contractual models


Activity Who? Methods Stakeholders Dependencies Timescale
Scope OGC Workshop/s ICT Technical , IA and SM Early Phase 3
contractual standards
Buying Solutions Collaborative
models in
Category Board
context of cloud Partnerships UK Analyse and
markets and determine optimum Local CIO Forum
transition to Technology
contract durations by
cloud Strategy Board or ITSG
market
similar
Commercial
directors
Improving
Procurement Tiger
Team
Industry via Public
Sector Council
Early transition OGC/Department Workshops As above Technical and IA End Phase 3
principles for s standards and also
contracts in Quick Wins work
flight and quick stream
wins
Immediate OGC Develop guidance As above None identified Phase 2b
guidance for from DLA and clear
forthcoming through OGC Policy
and current and standards and
procurements/ OGC legals
OJEUS

V2.5 UNCLASSIFIED Page | 59 of 64


UNCLASSIFIED
Influence Improving BAU for this team As above plus Availability of By publication of
development of Procurement Tiger Team resource v2.4 (expected
Develop
Model Contract Tiger Team Summer 2010)
communication As above plus As above
2.4
OGC strategy and plan OGC Ongoing from
Publicise and Comms/Intellect development of
Intellect
embed within Comms early guidelines
government
and industry
Standard T&Cs OGC/PUK/Industr BAU for these teams As above As above By publication of
by y via Public V2.4
model/market Sector Council
Analysis of Ts
and Cs of new
suppliers and
checking
supplier market

Develop initial G-Cloud benchmarks


Activity Who? Methods Stakeholders Dependencies Timescale
Understand Commercial Engagement with Programme – in None Early Phase 3
existing cost strategy team Amazon and others particular business
and price planning strand
models of
public cloud Ongoing research
providers.
Understand
supply chain
Define Commercial Research by G- Programme Development of TA, Early Phase 3
commoditised strategy team Cloud market, IA and SM standards
components
Government ICT
Technical procurement
Architecture community
strand
Identify and Commercial Research by G- Programme Understanding the Mid Phase 3
understand difference between
V2.5 UNCLASSIFIED Page | 60 of 64
UNCLASSIFIED
differential G- Strategy Team Cloud market public and private
Cloud cost cloud provision
Business planning Government ICT
drivers – e.g.
team Procurement
pre- Government pricing
community
procurement workshops Ability to quantify
costs and costs associated with
incremental IA team
security levels
security costs Industry pricing
Willingness of cost
(others?) workshops
Tiger Team transparency
Work with
suppliers to try
and drive out
cost.
Develop OGC Apply lessons ICT CCB Willingness of End Phase 3
benefits learned through Departments to (TBD)
Business planning ITSG
methodologies proof of concepts provide MI
team
for existing cost Commercial
alternatives. Directors
Develop Work with OGC
scenario for Quick wins team Value Ministers
Markets and
alternative cost Collaborative
models Procurement PMO
Participating
to ensure
departments
compliance to HMT
Green Book rules

V2.5 UNCLASSIFIED Page | 61 of 64


UNCLASSIFIED

Resolve key risks, issues and dependencies


Risk, issue, Who? Methods Stakeholders Dependencies Timescale
dependency
Availability of Programme Reset of phase 2b. All Phase 2b
experienced Resource, (immediate)
industry commitments
resource to
support the
program.
Particularly
SME and
independent
Availability of TA/CTO Council CTO Council to Commercial TBD Early Phase 2b
TA, IA and SM IA and SM determine Strategy Team and
standards strands stakeholders
IA and SM to
determine
Location of IA Strand IA strand to Commercial TBD Early Phase 3
data/hardware determine Strategy Team and
dependant on stakeholders
acceptability to CIOs
Understand OGC/CO Departmental Commercial Need to understand Phase 2b/ Phase
level of Transition strategy team and the commercial 3
Departmental workshops stakeholders landscape in detail
take-up as
suppliers,
consumers or CCB
non players

Departmental bi-
laterals
Understand Commercial Concept viability Commercial Need to ensure CIO Phase 2b/ Early
level of industry Strategy workshop strategy team and Council buy-in before Phase 3
take-up. Which team/Intellect stakeholders this activity takes
will supply place
direct/indirect

V2.5 UNCLASSIFIED Page | 62 of 64


UNCLASSIFIED
Risk, issue, Who? Methods Stakeholders Dependencies Timescale
dependency
or leave
Prevent the Commercial Transition All programme None Early Phase 3
creation of strategy team workshops stakeholders
monopolies by
default
Government and Innovative cost
industry models
stakeholders
Manage the Programme to TBD All programme None End Phase 3
market to develop initial stakeholders
ensure ongoing proposition
competition
Deeper Commercial Transition All programme Contractual analysis Phase 2b
understanding strategy team for workshops stakeholders and associated
to transition workshops resource implications
and switching
costs
OGC for
Bi-laterals with
contractual
relevant
analysis
departments

Monitor time, Commercial Transition and Commercial None End Phase 3


cost and quality Strategy team pricing workshops strategy team and
of bids. stakeholders

Lack of Develop rules and All programme None End phase 3


behavioural guidelines stakeholders
change – e.g.
dealing with Programme
non-standard Test with
requirements stakeholders
(Maintain status
V2.5 UNCLASSIFIED Page | 63 of 64
UNCLASSIFIED
Risk, issue, Who? Methods Stakeholders Dependencies Timescale
dependency
quo of too
much
bespoke.)
Possibility of
configuring
Third party Whoever TBD Departmental None End Phase 3
contract use – develops SR for stakeholders
delegation of Apps store
rights to agents
Ability to scale Commercial Determine the All government None End Phase 3
could raise strategy team markets where Departments
barrier to entry ability to scale really committed to
for SMEs matters Government policy
TA team on SMEs

SMEs

V2.5 UNCLASSIFIED Page | 64 of 64