Definitions for the use of cloud computing services – Ordinance SGD/MGI No. 5,950, of October 26, 2023

Establishes the model for contracting software and cloud computing services within the agencies and entities that are part of the Information Technology Resources Administration System – SISP of the Federal Executive Branch.

Ministry of Management and Innovation in Public Services

Hello, how are you?

In today’s text, we will discuss the model for contracting software and cloud computing services that became mandatory in April 2024 for agencies and entities that are part of SISP.

The goal of creating this model is to standardize and simplify the contracting process, as well as to increase the accuracy of control by information and communication technology managers, in order to minimize the problems encountered in the contracting and management of services.

The model may be waived only in exceptional cases, and only with prior authorization from the SGD issued through an official letter.

In which types of services should the ordinance be adopted for contracting?

  • Software under the permanent licensing model of usage rights
  • Software under the temporary licensing model of usage rights
  • Software under the subscription or service model (SaaS)
  • Infrastructure as a Service (IaaS)
  • Platform as a Service (PaaS)
  • Technical support for software and cloud computing services
  • Operation and management services for cloud resources
  • Migration services for resources to a cloud environment
  • Integration of cloud services
  • Specialized consulting in software and/or cloud computing services

In which types of services is the Ordinance not adopted?

  • Acquisition of information and communication technology infrastructure assets
  • Acquisition of network assets
  • Contracting of hosting, understood as the leasing of computational resources in traditional physical data center infrastructure belonging to third parties, without sharing resources among clients, for hosting applications and information and communication technology solutions
  • Contracting of co-location, understood as the leasing of third-party data center infrastructure to host computational equipment
  • Contracting of development, maintenance, and support services for software

And what are the premises of the model?

  • All service execution must be oriented towards a planned and controlled result.
  • The infrastructure must ensure the continuity, availability, security, and integrity of public services.
  • Information security must be observed through legislation, regulations, and guidelines.
  • Standardization of remuneration types.
  • Use of standardized catalogs in the planning of contracts.
  • Definition of minimum service levels as a reference for contracts.
  • Adoption of comprehensive processes and studies for risk analysis, paying attention to possible financial and non-financial impacts arising from these risks.
  • Technology solutions must be contracted in specific and economically advantageous parts, always evaluating the need for separate bids and contracts for items that can be divided.

It is interesting to highlight financial impact as a metric to be observed in risk analysis. This shows that the FinOps culture is universal, applicable not only to private organizations but also to public and governmental entities. For this reason, a Brazilian FinOps Public Sector community, backed by the FinOps Foundation, is gaining strength, with events held on the last Friday of every month.

Moreover, the public sector has a special interest group (SIG) within the FinOps Foundation to support public-sector organizations with their specific challenges: restrictions on funding processes, complexity in procuring products and services, defining the value of cloud spending without profit or revenue incentives, use of products and services from third parties or resellers, regulatory mandates and restrictions, and differences in organizational structure and complexity.

We clearly see these challenges being outlined and mitigated in the foundations of the model, especially in the division of technology solutions into separate parts. Above all, this aims to ensure that contracts made with the public sector go through funding and value-definition processes, and that all public-sector needs are met through specific contracts with well-defined scopes, rather than contracts with generic definitions and broad scopes open to interpretation. It also prevents the public sector from being tied to supplier A or B for managing its services.

And what are the usage drivers?

First of all, public, private, hybrid, community, or government clouds may be used to manage workloads that handle information without access restrictions, that is, workloads not prohibited or restricted by personal data protection legislation such as the LGPD.

However, workloads that deal with information with access restrictions as provided by Brazilian legislation must be maintained in a government cloud environment, including, among other examples:

  • Tax Secrecy
  • Banking Secrecy
  • Commercial Secrecy
  • Business Secrecy
  • Accounting Secrecy
  • Industrial Secrecy
  • Copyright
  • Intellectual or Industrial Property
  • Procedural, police, or administrative disciplinary secrecy
  • Information classified as confidential by the Executive Branch and its preparatory documents, according to Decree No. 7,724/2022.

Additionally, data processed in a cloud environment must be stored in data centers located in Brazilian territory. Processing in data centers outside Brazilian territory is allowed only when an up-to-date backup is kept in data centers located in Brazilian territory.

Remuneration Modalities

Contracting may be carried out through different remuneration modalities for different items or lots, depending on the adopted strategy. The remuneration modalities provided in the Decree are:

  • Remuneration for software by perpetual license acquired
  • Remuneration by subscription or as a Service (SaaS)
  • Remuneration by Cloud Service Unit (USN)
  • Remuneration by cloud credits
  • Remuneration for cloud services by greater discount
  • Remuneration for managed instances
  • Remuneration for functions as a managed service (FaaS)
  • Remuneration for databases as a managed service (BBaaS)
  • Remuneration for migrated instances, functions as migrated services, and databases as migrated services

The continuity of services as a contracting criterion

It is important to emphasize the need to evaluate how much the continuity of the public service depends on the solution to be contracted, in order to minimize the impact of an eventual need to replace that solution later. The decree aims to reduce lock-in risks through:

  • Interoperable technological standards
  • Use of container technology to facilitate the standardization of solutions
  • Avoiding the use of proprietary databases from a specific cloud provider
  • Contracting more than one cloud provider as a contingency
  • Hybrid approaches
  • Multicloud approaches

Contract Duration

Contracts may have a duration of up to 5 (five) years for continuous services and supplies, which may be extended up to a limit of 10 (ten) years, based on the Preliminary Technical Studies prepared by the contracting planning team.

Cost Management – FinOps for Public Sectors

Cost management should be the responsibility of the contracted company, following the guidelines set out in the service orders. The public entity may also evaluate contracting specialized technical audit services for cloud computing, aiming to ensure the optimization of the cloud resources used.

Based on this regulation, cost management is addressed within two types of control:

1 – Through the operational planning of the agency or entity, which sets quotas to limit resource consumption according to its needs. For this, capacity management is carried out in advance to avoid unexpected limitations, and control mechanisms such as alerts are defined. Here, control is exercised directly by the entity through the parameters it establishes.

2 – Through direct management of usage and cost by the contracted companies, which must follow the agency's operational planning guidelines. Here, control is exercised indirectly by the entity and directly by the contracted company, with the entity overseeing and monitoring the contract to ensure compliance with the requirements.

Alongside direct and indirect control, the public entity may still, at its discretion, evaluate the need to contract specialized technical audit services for cloud computing, aiming to ensure the optimization of computing resources.

This is why adopting the FinOps culture in the Public Sector matters: it means training people to manage the public interest with the necessary technical knowledge, so that the contracts entered into incorporate best practices and the FinOps Framework is adapted to the needs of the entity.

And what are the risks to be mitigated in the contracting process?

According to the Decree, the following risks must be observed in the execution of service contracts and software acquisitions:

  • Contracting volume incompatible with reality
  • Non-compliance with established minimum service levels
  • Failures in information security and privacy of the solution
  • Contracting of licensing, implementation, or service provision models that do not meet the agency's needs
  • Delay in the delivery of contracted services
  • Incorrect specification of licensing, implementation, or service provision models
  • Incompatibility with other existing solutions
  • Premature closure of tickets
  • Contracting not aligned with final needs
  • Low resilience
  • Lock-in
  • Occurrence of commercial sanctions in the countries where the infrastructures are located
  • Non-compliance with legal restrictions regarding information subject to confidentiality
  • Loss of control or governance over information maintained in the cloud
  • Lack of standardization in multicloud scenarios
  • Migration to an environment or provider that does not offer the most suitable resources for optimizing usage
  • Increase in workloads not distributed among providers in an efficient and optimized manner
  • Reduction of long-term competitiveness
  • Reduction or absence of specialized human resources
  • Reduction in the number of specialized cloud brokers for a particular provider
  • Discontinuity of services or changes in technological resources in the long term

Attention to Contract Termination

The agency must establish procedures related to the transition or termination of contracts, including at least:

  • Obligation of the integrator/provider to return data, information, and systems
  • Data deletion
  • Data retention according to legislation
  • Guarantee of the right to be forgotten for personal data

In conclusion…

I hope this article has been useful to you! For more information, access the Decree directly! In it, you will find all the definitions and nomenclatures adopted, as well as various models of official documentation that should be adopted in the contracting processes!

Check the original article in Portuguese here

Pedro S. Drumond

I work with FinOps at Beyondsoft Brazil, with emphasis on Microsoft Azure. Programming student with knowledge of C# and Python.