Response to Acquisitions RFI Provided by BlackBerry

[asiegelblackberry]

Question/Comment on FedRamp RFI Directory

Name and Affiliation

Aviv Siegel, VP Technology, BlackBerry AtHoc

Cloud Services

Some FedRAMP RFPs use provisions from non-cloud RFPs or other types of procured cloud systems. For example, an agency seeking SaaS solution may include in the RFP non-SaaS requirements, such as: workload management, workload-based charging, and low-level monitoring. For a SaaS solution, relevant provisions relate to service level availability and redundant infrastructure.

Exemplar language for relevant cloud system requirements: Software as a Service (SaaS) Availabilities. The Contractor must deliver the following minimum SaaS service level availabilities and Key Performance Parameters (KPP):

• Service Availability Definition. Overall Service Availability of the CSP’s infrastructure environment must be defined as Total Uptime Hours / Total Hours within the Month, excluding planned maintenance.
• Software as a service availability SLA. Each SaaS service component must offer a minimum availability of 99.95%, calculated monthly of the CSP’s SaaS environment, excluding planned maintenance. Solution must be provisioned from geographically separated and redundant data centers, located in the US.

The system must include redundancy at one or more geographically-dispersed (separated by a minimum of five hundred miles) alternate locations having sufficient capacity of the primary site and the ability to provide all system functionality when the primary site is disabled. The data at the alternate site will be on-line synchronized with the primary site.

Cloud Security

A FedRAMP RFP should specify what authorization must be in place. Additionally, any desired impact level and deployment model should be explicitly stated. Service model may be relevant in some cases or for some agencies. By using proper FedRAMP program terminology it will make it easier for the market and the agency to ensure clarity and compliance. For example, FedRAMP authorization vs. certification. Lastly, be clear that authorization is to be maintained by the CSP through the life of the engagement.

Exemplar language -

• Any proposed solution must be Federal Risk and Authorization Management Program (FedRAMP) authorized, at a Moderate impact level.
• The Contractor must have an existing Authority to Operate (ATO) from a Federal Agency or a Provisional-ATO through FedRAMP Program Management Office (PMO).
• The Contractor must obtain a Customer ATO in accordance with the Customer ATO requirements. The Contractor shall support the ATO process by providing requested material.
• The Contractor must maintain their ATO throughout the duration of the contract and any extensions ordered by the Customer.

Specific Security Requirements

Some RFPs have duplicative requirements that are inconsistent with FedRAMP. Such requirements are confusing, add undue burden, or conflict with FedRAMP.

Negative examples of such requirements include:

• Different security process requirements that overlap requirements which are intrinsic to achieving and maintaining a FedRAMP ATO. RFPs that ask the CSP to develop SSP and provide list of required steps ignore the fact that SSP is a critical and central part of every FedRAMP assessment and authorization process and do not add value to the security provisions.
• Lengthy and blanket lists of regulations and security standards that do not add security value but do increase the burden on a CSP that has invested substantial resources in obtaining FedRAMP ATO. This may include, for example, FISMA, ISO 2700x, CSA STAR, NIST and other blanket industry standards or Federal regulations.

It is recommended for an agency to clearly state any special, additional requirements beyond FedRAMP for its special needs.
For example, requiring support for SAML 2.0 to be covered in the offeror FedRAMP ATO, in addition to MFA authentication for privileged users. Another example would be listing a specific NIST publication to be complied with, such as NIST SP 800-53 Rev4, vs. blanket “comply with NIST”.

Positive exemplar language -

• Any proposed solution must be Federal Risk and Authorization Management Program (FedRAMP) authorized, at a Moderate impact level.
• All communication services in the solution must either be included in the boundary, or have an existing FedRAMP authorization at a Moderate or High impact level.
• The Contractor must have an existing Authority to Operate (ATO) from a Federal Agency or a Provisional-ATO through FedRAMP Program Management Office (PMO).

[mattkasten]

Aviv,

Thank you for feedback in response to our December RFI. Please note that the PMO and the Secure Cloud Portfolio are digesting the RFI input from across industry and developing next steps.

FedRAMP PMO