Well, not really, but close. For those of you who missed it, NIST has made several statements about the non-negotiability of cloud agreements. Most recently, in its Guidelines on Security and Privacy in the Public Cloud, NIST said “Non-negotiable service agreements in which the terms of service are prescribed completely by the cloud provider are generally the norm in public cloud computing.” This doesn’t mean all cloud engagements are non-negotiable or that they should be avoided. It does mean that if the contract is presented as non-negotiable, the customer must do a far more thorough analysis of the risks/benefits of the engagement, including conducting more detailed due diligence of the vendor, seeking references from existing customers, and understanding exactly what types of data will be placed at risk and how critical the service is to the customer’s operations. Without that legwork, the customer will be walking largely blind into the relationship. In some instances, the customer may well determine that a cloud service provided under non-negotiable terms is simply not right for the particular engagement. Better to discover that as early in the process as possible.
Via CSO Blog