Service Level Agreements, MOUs, and MOAs
Organizations use different agreement types depending on the formality of the relationship, the level of legal enforceability required, and the scope of the commitment being documented. Service-level agreements, memoranda of understanding, and memoranda of agreement each occupy a distinct position on the formality spectrum.
Service Level Agreement (SLA)
A Service Level Agreement (SLA) is a contractual agreement that defines the minimum acceptable performance standards for a service. SLAs create specific, measurable service expectations and typically include financial penalties if the provider fails to meet them.
- What SLAs define: Uptime guarantees (e.g., 99.9% availability = no more than 8.76 hours of downtime per year), response time requirements (incidents acknowledged within 15 minutes, critical issues resolved within 4 hours), throughput and performance benchmarks, and security obligations (encryption, access controls, breach notification timelines).
- Financial penalties: SLAs typically include service credits, refunds, or liquidated damages when the provider fails to meet the stated levels. A cloud provider with a 99.9% uptime SLA may offer a 10% service credit for any month where availability falls below that threshold.
- SLA and security: Security professionals negotiate SLAs with cloud providers, managed security service providers (MSSPs), and data center operators. An SLA that does not include security-specific commitments (patch timelines, encryption standards, incident notification) is incomplete from a security perspective.
- Relationship to RTO and RPO: When RTO and RPO have been established through BIA, the SLA with a cloud provider or managed services vendor must be consistent with those objectives. A provider cannot help achieve a 2-hour RTO if their SLA only guarantees 8-hour response time.
Memorandum of Understanding (MOU)
A Memorandum of Understanding (MOU) documents the broad goals and intentions of two parties entering a relationship. It establishes mutual understanding of the relationship's purpose but is typically not legally binding as a formal contract.
- Characteristics: Informal compared to a contract. Describes high-level intent ("Party A and Party B agree to cooperate on information sharing"). May include general confidentiality expectations. Does not specify detailed deliverables, SLAs, or financial penalties.
- When used: Early stages of a partnership before full contractual terms are negotiated. Government-to-government agreements. Interagency relationships. Situations where both parties want to document shared intent without incurring full contractual obligations.
- Security note: MOUs may include general confidentiality provisions, but they are not a substitute for a formal NDA. The lack of binding force means a party who violates the MOU may not face legal consequences beyond reputational damage.
Memorandum of Agreement (MOA)
A Memorandum of Agreement (MOA) is one step more formal than an MOU. It documents specific commitments and may be conditionally binding, but is still less formal than a full contract with legal remedies.
- Characteristics: More specific than an MOU — includes defined responsibilities, timelines, and deliverables. Conditionally binding: parties commit to fulfilling the specific terms documented. Does not carry the full legal enforceability of a signed contract.
- When used: Inter-departmental agreements within the same organization, government agency cooperation agreements, partnerships where full contract negotiation is not warranted but more specific commitment than an MOU is needed.
- Comparison: MOU establishes intent and broad goals. MOA establishes specific commitments. Contract (MSA) establishes full legal obligations with remedies.
Master Service Agreements and Work Orders
For long-term vendor relationships involving multiple projects or services, organizations use a two-document structure: a Master Service Agreement that establishes the framework for the entire relationship, and individual Work Orders or Statements of Work that define specific projects under that framework.
Master Service Agreement (MSA)
A Master Service Agreement (MSA) is a legal contract that establishes the overall framework for a long-term business relationship. It covers the terms and conditions that will govern all future transactions and projects between the parties.
- What MSAs cover: General terms and conditions, payment terms, liability limitations and indemnification clauses, intellectual property ownership, confidentiality obligations, dispute resolution procedures, termination conditions, and governing law.
- Purpose: The MSA eliminates the need to negotiate fundamental terms every time a new project or service is initiated. Once the MSA is in place, new work can be initiated quickly using simple Work Orders that reference the MSA.
- Security provisions in MSAs: MSAs with technology vendors should include security obligations: minimum security standards, audit rights (right-to-audit clause), breach notification requirements, data handling restrictions, encryption requirements, and personnel background check requirements for staff who will handle the organization's data.
- Binding force: MSAs are fully legally binding contracts. Violation of MSA terms provides grounds for legal action, contract termination, and financial damages.
Work Order / Statement of Work (WO/SOW)
A Work Order (WO) or Statement of Work (SOW) is a specific document issued under an MSA that defines a particular piece of work to be performed. It translates the general MSA framework into a concrete project or service engagement.
- What Work Orders specify: Scope of the specific engagement (what will be delivered), location of work, schedule and milestones, specific deliverables and their acceptance criteria, personnel assigned to the work, pricing for the specific engagement, and any engagement-specific requirements not covered by the MSA.
- Security scope in SOWs: A penetration testing SOW specifies exactly which IP ranges are in scope, which techniques are authorized, the schedule, and the deliverable (report format and content). A managed services SOW specifies which systems will be monitored, what SLA applies, and what the managed security provider will and will not do.
- Acceptance criteria: SOWs should include clear acceptance criteria that define when a deliverable is considered complete and acceptable. For security assessments, this might include the report format, findings classification methodology, and required remediation evidence.
| Agreement | Type | Purpose | Legally Binding? |
|---|---|---|---|
| SLA | Service contract | Minimum service standards, uptime, penalties | Yes |
| MOU | Intent document | Shared goals and mutual understanding | Generally no |
| MOA | Commitment document | Specific responsibilities, conditionally binding | Conditionally |
| MSA | Framework contract | Governs all future transactions in relationship | Yes |
| WO/SOW | Project document | Specific engagement scope and deliverables | Yes (under MSA) |
Non-Disclosure Agreements and Business Partners Agreements
Two agreement types specifically address confidentiality and partnership governance: the Non-Disclosure Agreement (NDA) protects sensitive information shared between parties, and the Business Partners Agreement (BPA) governs the operational and financial terms of a partnership relationship.
Non-Disclosure Agreement (NDA)
A Non-Disclosure Agreement (NDA) is a legal contract in which one or more parties agree to keep specified information confidential. NDAs are a fundamental security control for protecting sensitive business information shared with vendors, partners, employees, and consultants.
- Types of NDAs:
- Unilateral NDA: One party discloses confidential information to another, and only the receiving party is bound by the confidentiality obligation. Common when an employer onboards an employee or when a company shares product plans with a vendor.
- Bilateral (Mutual) NDA: Both parties share confidential information with each other, and both are bound by confidentiality obligations. Common in partnership negotiations where both sides share proprietary information.
- Multilateral NDA: Three or more parties are involved. All parties share confidential information and all are bound. Used in multi-party joint ventures or consortia.
- Formality requirements: NDAs are formal legal documents. They require signatures from authorized representatives of each party, specification of what information is covered (definition of confidential information), duration of the confidentiality obligation, and exclusions (information that is publicly available or independently developed is typically excluded).
- What NDAs protect: Business plans, product designs, financial information, customer lists, security vulnerabilities and system configurations, pricing strategies, personnel information, and any other information the parties designate as confidential.
- Security context: NDAs should be required before sharing: penetration test reports, vulnerability scan results, network topology diagrams, security architecture documentation, or any other security-sensitive information with third parties.
Business Partners Agreement (BPA)
A Business Partners Agreement (BPA) governs the terms of a partnership relationship — typically where two organizations work together as partners rather than in a customer-vendor relationship. BPAs address the operational, financial, and governance aspects of the partnership.
- What BPAs cover:
- Ownership stake: The percentage of ownership, equity, or revenue each partner holds. Defines how profits and losses are allocated.
- Decision-making authority: Who has authority to make what types of decisions. Joint decisions vs. individual partner authority. Voting rights and dispute resolution mechanisms.
- Contingency planning: What happens if a partner encounters financial difficulties, becomes insolvent, or can no longer fulfill their obligations. How the partnership handles natural disasters, regulatory changes, or other disruptive events affecting one partner.
- Exit provisions: Conditions under which a partner may exit, buyout rights, and how partnership dissolution is handled.
- Security provisions in BPAs: BPAs with technology partners should include data handling responsibilities, security standards each partner must maintain, incident notification obligations between partners, and audit rights consistent with the right-to-audit concepts from third-party risk assessment.