Cloud Framework Agreement CFA-MSP-JDN for Government

 

CFA and Government Digital Transformation


Disclaimer

This page is intended to provide general information regarding the Cloud Framework Agreement (CFA) for government agencies and how they can leverage cloud services for their digital transformation. The content is based on publicly available resources, especially from the official MyGovCloud CFA website, and is for informational purposes only. The purpose of this page is purely to educate and raise awareness.


1. What is CFA (Cloud Framework Agreement)?

  • Introduction:
    • The Cloud Framework Agreement (CFA) is an initiative by the Malaysian government that allows public sector agencies to access cloud services through a simplified process. This agreement includes services like Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) provided by approved Cloud Service Providers (CSPs) and Managed Service Providers (MSPs).
    • MyGovCloud is part of this initiative, offering both private and public cloud services tailored to meet the specific needs of government agencies. This hybrid approach ensures flexibility and scalability for government agencies, supporting their digital transformation goals.
  • Key Providers Under CFA:
    • The government has partnered with several leading cloud service providers:
      • Amazon Web Services (AWS)
      • Microsoft
      • Google Cloud
      • Telekom Malaysia (TM)
    • Additionally, Managed Service Providers (MSPs) such as Cloud Connect, Enfrasys Solutions, and Radmik Solutions support the implementation, management, and monitoring of cloud services for government agencies.
  • Governance and Oversight:
    • Jabatan Digital Negara (JDN) is the governing body responsible for overseeing the CFA’s implementation. JDN ensures that all cloud services comply with government standards for security, performance, and governance.

2. CSP (Cloud Service Provider) Scope

  • Scope of Services:
    • The CSPs under CFA are responsible for delivering a wide range of cloud services, including:
      • Infrastructure as a Service (IaaS): Essential computing resources such as virtual machines, storage, and networking.
      • Platform as a Service (PaaS): Platforms for developing, running, and managing applications without the complexity of maintaining infrastructure.
      • Software as a Service (SaaS): Software solutions available on a subscription basis.
      • Other Cloud Services (XaaS): Additional services such as databases, containers, and specialized cloud offerings designed to meet government needs.
  • Cloud Account Management:
    • CSPs provide two types of accounts:
      • Master Account: The overarching account that allows government administrators to manage all aspects of cloud services, including subscriptions and billing.
      • Agency Account (Sub-account): Individual accounts for agencies to manage their cloud resources, configure services, monitor usage, and handle billing.
  • Service Levels and Support:
    • Each CSP offers Service Level Agreements (SLAs) to ensure that cloud services meet the required standards for performance, availability, and security. CSPs also provide comprehensive support, with response and resolution times clearly defined based on incident severity.
  • Trial Periods and Demos:
    • CSPs provide trial periods or demo accounts for agencies to test out cloud services before committing to long-term contracts.

3. MSP (Managed Service Provider) Scope

  • Scope of Services:
    • MSPs are responsible for overseeing and managing the operational aspects of cloud services, ensuring they are running smoothly and efficiently. They also provide platforms for managing cloud resources.
    • Professional Services: MSPs assist in planning, migration, configuration, and testing of cloud services to meet agency requirements.
  • Training and Support:
    • MSPs provide ongoing training and support, including certified and non-certified courses for government employees to help them better understand and use the cloud services effectively.
  • Support for Licensing and Software:
    • MSPs manage software licensing and ensure all software used in the cloud environment is properly licensed in accordance with government policies.

4. How to Apply for Cloud Services (Guidelines)

  • Identifying Cloud Needs:
    • Agencies should begin by assessing their specific cloud requirements based on business goals. This includes identifying which cloud services will help meet their digital transformation needs.
  • Application Process:
    • Step 1: Complete the Cloud Service Application Template. This includes providing details on project objectives, service needs, technical specifications, and cost justifications.
    • Step 2: Submit the completed application to the Jawatankuasa Pemandu ICT (JPICT) for approval. This submission should include the business case and relevant technical assessments.
    • Step 3: Upon approval, the procurement process begins, and the agency can proceed to finalize contracts with the selected CSP and MSP.
  • Approval Criteria:
    • Projects involving cloud services that cost more than RM5 million require additional approval from the JPICT.

5. Download the Application Template

  • Access the CFA Application Template:
    • Government agencies can download the cloud application form from the official MyGovCloud portal. The form should be filled out with detailed information about the agency’s project and cloud service needs.
  • Guidance for Completing the Template:
    • Agencies are advised to complete the form in full, ensuring that they select the appropriate cloud services and provide a clear justification for their needs. If necessary, assistance from an MSP can be sought to ensure the form is properly completed.

6. Frequently Asked Questions (FAQ)

Q1: What is the CFA (Cloud Framework Agreement)?

  • A1: The Cloud Framework Agreement (CFA) is a government initiative that allows public sector agencies to access a wide range of cloud services through a simplified process. This agreement includes services like Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).

Q2: Who is eligible to use the services provided under the CFA?

  • A2: Only federal ministries and departments are eligible to use the Government Hybrid Cloud (GHC) allocation. Other government entities like state public services, statutory bodies, and local authorities must adhere to specific guidelines to access services.

Q3: What is the duration of cloud service subscriptions under CFA?

  • A3: The subscription period for cloud services under CFA is between three (3) and five (5) years, depending on the specific project and requirements.

Q4: Do agencies need to classify their data before applying for the Government Hybrid Cloud (GHC)?

  • A4: Yes, data classification is essential before applying for the GHC. Agencies need to ensure that they follow the guidelines set out in the Surat Pekeliling Am Bilangan 2 Tahun 2021 regarding the classification of data, especially for sensitive data that may require additional security measures.

Q5: What security measures must be taken for sensitive data in the cloud?

  • A5: Agencies must perform a security risk assessment to ensure that technology protecting confidential data is implemented at all stages of data processing, including storage, transfer, and usage. This is in line with security requirements such as SPA Bil. 2/2021 and Surat Edaran Ketua Pengarah Keselamatan Kerajaan Bilangan 4 Tahun 2023.

Q6: What services are included in the CFA for Government Hybrid Cloud (GHC)?

  • A6: The GHC includes the following services:
    • Infrastructure as a Service (IaaS)
    • Platform as a Service (PaaS)
    • Software as a Service (SaaS)
    • Cloud professional services offered by CSP and MSP
    • Cloud managed services.

Q7: How can an agency apply for cloud services under CFA?

  • A7: Agencies must submit an application after receiving approval from the JPICT at the ministry/agency level. The application includes a business requirement and a data security risk assessment. The process involves obtaining clearance from relevant authorities like the Pejabat Ketua Pegawai Keselamatan Kerajaan and conducting a market survey if needed.

Q8: Is there an exception for services that are not provided by the CFA panel providers?

  • A8: Yes, agencies can apply for an exception if the required cloud service is not offered by the panel providers. This involves providing a justification, including the product details and supporting documentation from the panel CSPs confirming the service is unavailable.

Q9: What happens if a cloud service needs to be acquired from a single provider (sole provider)?

  • A9: If a service is only available from a single provider, the agency must submit a request for a sole provider exception. This requires approval from JDN and must follow the established procurement processes.

Q10: What happens after the CFA contract expires?

  • A10: After the expiration of the CFA, agencies must follow the procurement procedures outlined in PK2.6 for any new cloud service acquisitions. If the cloud services are to continue, they will need to align with the new CFA 2.0 framework, subject to approval.

Q11: Do all projects require JDN approval before using cloud services?

  • A11: Yes, all projects involving cloud services must be approved by JDN, especially if the services are to be procured using public funds. However, projects costing under RM10 million may be approved at JPICT level within the ministry or agency.

Q12: What are the procedures for requesting an exception for the use of cloud services (CFA or Government Hybrid Cloud)?

  • A12: To request an exception, agencies must submit a formal application to JDN, including:
    • Project details
    • Justification for why cloud services are not suitable for the project
    • Relevant supporting documents such as security assessments and system architecture.

Q13: Can agencies continue existing cloud service contracts after the CFA ends?

  • A13: Yes, agencies can extend existing contracts until the contract expires, typically for up to one year. For new contracts after the interim period, procurement will follow the new guidelines under PK2.6.