


It’s Official, NIST Says You are Out of Luck Negotiating Cloud Agreements

Jun 20, 2012
Data and Information Security

Well, not really, but close. For those of you who missed it, NIST has made several statements about the non-negotiability of cloud agreements. Most recently, in its Guidelines on Security and Privacy in Public Cloud Computing, NIST said: “Non-negotiable service agreements in which the terms of service are prescribed completely by the cloud provider are generally the norm in public cloud computing.” This doesn’t mean all cloud engagements are non-negotiable or that they should be avoided. It does mean that if the contract is presented as non-negotiable, the customer must do a far more thorough analysis of the risks and benefits of the engagement, including conducting more detailed due diligence on the vendor, seeking references from existing customers, understanding exactly what types of data will be placed at risk, assessing the criticality of the service to the customer’s operations, and so on. Without that legwork, the customer will be walking largely blind into the relationship. In some instances, the customer may well determine that a cloud service provided under non-negotiable terms is simply not right for the particular engagement. Better to discover that as early in the process as possible.


Michael R. Overly is a partner and intellectual property lawyer with Foley & Lardner LLP where he focuses on drafting and negotiating technology related agreements, software licenses, hardware acquisition, development, disaster recovery, outsourcing agreements, information security agreements, e-commerce agreements, and technology use policies. He counsels clients in the areas of technology acquisition, information security, electronic commerce, and on-line law.

Mr. Overly is a member of the Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices. Mr. Overly is one of the few practicing lawyers who has satisfied the rigorous requirements necessary to obtain the Certified Information System Auditor (CISA), Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP), Certified Risk and Information System Controls (CRISC) and Certified Outsourcing Professional (COP) certifications.

The opinions expressed in this blog are those of Michael R. Overly and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
