18F / tts-buy-bug-bounty

Solicitation and acquisition documents created for the TTS Bug Bounty program that can be reused by other government agencies and organizations.

FedRamp Certification #38

Open BKozisek7 opened 6 years ago

BKozisek7 commented 6 years ago

Question/Comment on TTS Bug Bounty RFQ

Name and affiliation

Brett Kozisek, Director, Synack Inc.

Section of RFQ documents

RFQ Section 12 - Addendum:

- https://github.com/18F/tts-buy-bug-bounty/blob/master/2018-procurement/RFQ.md#120-attachments
- https://github.com/18F/tts-buy-bug-bounty/blob/master/2018-procurement/Addendum%20-%20Commercial%20Contract%20Clauses.md

The Commercial Contract Clauses document calls for the vendor to obtain FedRAMP certification for their platform.

Question/Comment

Can the government confirm the type of certification that is expected (i.e. PaaS, SaaS)?

Is it the intent of the government to sponsor the vendor in their certification?

Is there any other support provided by the Government for the vendor throughout this process?

MichelleMcNellis commented 6 years ago

As is indicated in the RFQ section 12 Clause Addendum, FedRAMP Tailored or a FedRAMP Low assessment would be sufficient. A FedRAMP Moderate or High assessment would qualify, but is not necessary. GSA will sponsor the vendor for a FedRAMP Tailored certification, which involves working with the vendor to assist in the FedRAMP process. For more information about FedRAMP Tailored, please see https://tailored.fedramp.gov/.