
Background

In our efforts to help agencies continue to adopt secure cloud technologies, the GSA Secure Cloud Portfolio has been working to identify appropriate ways to create contract language agencies can use in the acquisition process for cloud services and in meeting FedRAMP requirements.

Federal policy has pushed forward a “Cloud First” mandate for agencies to default to purchasing cloud products and services for all new IT acquisitions. Additionally, agencies are required to ensure cloud providers meet the FedRAMP requirements when procuring and subsequently authorizing cloud services[^1]. We would like to help agencies acquire cloud services that can meet the FedRAMP requirements in a way that is not prohibitive to competition and innovation.

In partnership with OMB, we developed FedRAMP Acquisition FAQs based on common questions we received from vendors and agencies about how FedRAMP language should and shouldn’t be incorporated into solicitations. These FAQs are largely based on contracting best practices and standard Federal Acquisition Regulation rules around fair and open competition principles. Our hope is a similar partnership with industry would help all of us better scope and scale the adoption of cloud technologies and associated services with even more detailed guidance.

The GSA Secure Cloud Portfolio is seeking feedback regarding industry experience with how agencies attempt to enforce requirements via contract language. We hope to receive examples of both positive and problematic clauses so that we may develop better guidance that leads to better outcomes for both government and industry. We’re also looking for new and creative examples of industry-suggested contract language that could be leveraged as well.

RFI Instructions

  1. Please respond directly to any or all of the questions below where you feel your company has the best information to share.

  2. Note: all responses will be considered public information. Both responses posted directly in GitHub and comments submitted via email will be publicly posted.

  3. There is no limit to the length of a response, as we want vendors to be able to copy/paste clauses without concern about losing space for context. However, responses should directly answer the questions and seek to provide experiential insights.

    • Remember, RFIs and RFQs typically have page limits for providing information so that they are consumable and digestible by the government in a timely manner and to limit the burden of responding.
    • The intent behind not limiting the response to this RFI is to ensure we are not limiting the ability of vendors to provide useful information by putting an arbitrary limit on responses. We hope vendors use this to provide examples of contract language that you’ve encountered from agencies that highlight your feedback.
    • We hope the amount of original content that might be created in response to this RFI is limited, to keep the burden of responding low and to ensure our ability to consume and digest the information more readily.

  4. We encourage respondents to post comments as an issue, using the issue template in the RFI Directory. Alternatively, you can submit responses to info@fedramp.gov with the subject line: "Response to Acquisitions RFI Provided by [COMPANY NAME]"; however, please note all submitted comments will be publicly posted. Also, please note you do not need to submit responses via both channels, and using GitHub is the preferred method as it will greatly reduce our processing burden.

  5. Using the issue template, all comments should be posted no later than Friday, December 15th.

Questions

General Cloud Language

We hear a lot from industry that agencies do not provide clear requirements for cloud services or ascribe legacy requirements to this new paradigm. These discrepancies seem particularly pronounced around things like deployment models, portability, interoperability, data ownership, SLAs, migration requirements, integration requirements with agency systems, etc. We’re looking for examples of general cloud requirements that fit the following questions:

  • Please list examples of contract language that you’ve encountered from Federal Agencies that positively incorporates cloud requirements and improves the availability and acquisition process of cloud products by the federal government.

    • Please also provide a succinct explanation supporting your assertion as to why your company views this contract language as a good example.
  • Please list examples of contract language that you’ve encountered from Federal Agencies that negatively incorporates cloud requirements, and limits the availability and acquisition of cloud products by the federal government.

    • Please also provide a succinct explanation supporting your assertion as to why your company views this contract language as a bad example.
  • Please provide suggestions for how to incorporate cloud into the procurement process in ways that would differ depending on whether the awardee is (a) a prime contract holder, (b) a reseller, (c) a system integrator, or (d) some other type of contractor that might be correctly or incorrectly covered in an agency solicitation.

    • As a note, this would likely include information related to responsible parties, ownership of information, and how vendors will engage with the government.
    • This also would be helpful to understand from a security / FedRAMP requirements perspective as well.
    • Please also provide a succinct explanation supporting your assertion as to why your company views this contract language as a good example.

FedRAMP and ATO Process

We hear a lot from agencies and industry that many contracts do not include the FedRAMP requirements in an effective way. Many issues that we’ve seen arise from unfairly limiting competition, unclear roles and responsibilities, confusion on who will pay for a security assessment for FedRAMP, timelines for achieving a FedRAMP authorization, who from the government will work with the vendor to achieve a FedRAMP authorization, etc. We’re looking for examples that clearly delineate the roles and responsibilities and requirements for Federal agencies and vendors to meet the FedRAMP requirements.

  • Please list examples of contract language that you’ve encountered from Federal Agencies that positively incorporates FedRAMP and improves the availability and acquisition process of cloud products by the federal government.

    • As a note, we’re looking for ways that language appropriately conveys the partnership and level of effort related to obtaining a FedRAMP authorization through the security authorization process.
    • Please also provide a succinct explanation supporting your assertion as to why your company views this contract language as a good example.
  • Please list examples of contract language that you’ve encountered from Federal Agencies that negatively incorporates FedRAMP requirements, and limits the availability and acquisition of cloud products by the federal government.

    • Please also provide a succinct explanation supporting your assertion as to why your company views this contract language as a bad example.
  • Please provide a suggested written example of contract language that incorporates FedRAMP into the procurement process in the best possible way for a cloud service where market research demonstrates there is not a competitive range of similar vendors with existing FedRAMP authorizations.

    • As a note, since this grouping includes vendors that would need to obtain a FedRAMP authorization, we’re looking for ways that language appropriately conveys the partnership and level of effort related to obtaining a FedRAMP authorization through the security authorization process.
    • Please also provide a succinct explanation supporting your assertion as to why your company views this contract language as a good example.
  • Please provide a suggested written example of contract language that incorporates FedRAMP into the procurement process in the best possible way for a cloud service where market research demonstrates there is a competitive range of similar vendors with existing FedRAMP authorizations.

    • Please also provide a succinct explanation supporting your assertion as to why your company views this contract language as a good example.

Specific Security Requirement Questions

There are many security requirements that are tangentially related to FedRAMP, not FedRAMP specific, or might be specific to an agency’s security requirements. Examples could include encryption standards, PIV/CAC card integration, types of acceptable background investigations of key personnel, availability SLAs, data location, etc. We’re looking for examples of specific security requirements that meet the following questions:

  • Please list examples of contract language that you’ve encountered from Federal Agencies that positively incorporates various specific security requirements that relate to FedRAMP (e.g., encryption, background investigations) or additional non-FedRAMP related security requirements (such as availability SLAs, data location) and improves the availability and acquisition process of cloud products by the federal government.

    • Please also provide a succinct explanation supporting your assertion as to why your company views this contract language as a good example.
  • Please list examples of contract language that you’ve encountered from Federal Agencies that negatively incorporates various specific security requirements that relate to FedRAMP (e.g., encryption, background investigations) or additional non-FedRAMP related security requirements (such as availability SLAs, data location) and limits the availability and acquisition process of cloud products by the federal government.

    • Please also provide a succinct explanation supporting your assertion as to why your company views this contract language as a bad example.

Output

The information gathered in this RFI will be used to identify the examples of contract language that agencies should and should not use to incorporate FedRAMP security standards in their solicitations. These examples will be used to generate guidance and education to agencies.

Reference - Acquisition FAQs

Access FAQs here.

[^1]: FedRAMP Policy Memo Section 4d, i & iii: “Each Executive department or agency shall: i. Use FedRAMP when conducting risk assessments, security authorizations, and granting ATOs for all Executive department or agency use of cloud services,” and iii. “Ensure applicable contracts appropriately require CSPs to comply with FedRAMP security authorization requirements.”