Cloud Services

In accordance with House Information Security Policy 17 (HISPOL17) only cloud services specifically authorized by the Committee on House Administration may be used for official House business.

Cloud services include SaaS, PaaS, and IaaS solutions that will store or process House data off the House network.

Cloud service reviews include assessments of company viability, security controls, impact on the House infrastructure, data management, support, and terms and conditions:

  • Vendor Fitness Review and Requirements Review: Evaluates the Vendor's maturity, fiscal soundness, and previous work with the Federal government.
  • Risk Review: Identifies security controls, weaknesses, and any risks associated with the use of the application.
  • Technical Review: Assesses the impact of the solution on the House infrastructure, how the data is maintained, and how customer support is provided.
  • Contract and Legal Review: Examines the terms of service, end user licensing agreements, service level agreements, and ensures that language exists to protect the House.

The software or service must be fully developed before being submitted for review. The House will not assist or advise companies in the development of their software or service.

Reviews will be conducted concurrently and require Vendor communication and response to CAO inquiries.

Becoming a Cloud Services Provider

Companies interested in providing or marketing their solutions to House offices must be sponsored by an interested office that will submit the solution for review.

Applications must be fully developed (not in beta).

Depending on the review results, the CAO will recommend authorization or non-authorization of a Cloud service to the Committee on House Administration. Notification of authorization or non-authorization will be sent to the requestor and may be posted to the House intranet.

Common Reasons for Non-Authorization

  • Company non-responsiveness to CAO outreach during the review process.
  • Company is foreign owned and based outside the United States (House offices may not be subject to foreign governing laws).
  • Data is stored in a foreign country and poses data sovereignty concerns.
  • Application is not fully developed (or in beta).
  • Discovery of significant security risks and vulnerabilities.
  • Poor security controls, policies, and practices.
  • Lack of strong data encryption.
  • Lack of multi-factor authentication.
  • Absence of documentation to allow for an evaluation of security controls.
  • Company is unwilling to modify its terms and conditions for House users to address indemnification, Speech and Debate, and data ownership.
  • Company is unwilling to provide information necessary to determine technical requirements and capabilities.
  • Company is unable or unwilling to integrate its services with the House network and/or infrastructure.
  • Lack of Artificial Intelligence (AI) model integrity, including unvetted or manipulated models or insufficient controls for model drift.
  • Complex AI supply chains with poorly captured package dependencies.
  • Lack of evidence of AI product testing for overall performance degradation.
  • Lack of evidence that the product exhibits the characteristics of trustworthy AI (e.g., transparency, reliability, fairness).