Open jennyzhan1901group opened 6 years ago
Jenny,
Thank you for your feedback in response to our December RFI. Please note that the PMO and the Secure Cloud Portfolio are digesting the RFI input from across industry and developing next steps.
FedRAMP PMO
Question/Comment on FedRAMP RFI Directory
Name and Affiliation
Jenny Zhan, Business Development Associate for 1901 Group, an IT Managed Services company.
Cloud Services
1901 Group provides Cloud Services contract language in italics, followed by an explanation of how the examples positively incorporate cloud requirements and improve the availability and acquisition process of cloud products by the federal government.
Cloud and Web Services - Upon award of the contract, Contractor shall work with the Agency to understand the current technologies deployed within AWS infrastructure and the new ones positioned to be migrated to AWS over the next three years. The anticipated AWS migration will have an impact with respect to monitoring, management and day-to-day operations of servers, storage, databases and applications. An estimate of the migration for both servers and storage by fiscal year is identified in Table 7 below. This is subject to vary depending on the level of consolidation achieved during migration. These numbers will be reevaluated on an annual basis along with the numbers of physical devices under management on Agency premises. In addition to AWS, the Agency has subscribed to several cloud-based services. The Contractor shall monitor, maintain and manage each Cloud and Web service listed below, working with the providers to maintain operational access, coordination of upgrades, communication of scheduled and unplanned outages and, in some cases, escalation of issues to upper management to decide the proper course of action through the Change Control management process.
Explanation: The solicitation scope was positive for several reasons: 1) it provided a multi-year estimate of cloud consumption that was listed in their “Table 7”, 2) it created a formal mechanism to reevaluate consumption on an annual basis, and 3) it stated ‘what’ the contractor shall do in very clear lists by device type or functional area but did not dictate ‘how’ the work should be done. Note: the lists of work to be done were included in their Tables 1-Network Infrastructure and WAN, 2-Storage Backup Recovery, 3-Servers and Active Directory, 4-Endpoints, 5-Network Operations, and 6-Cloud and Web Services.
The multi-year estimate of cloud consumption provides a baseline from which all bidders can project forecasted levels of effort, skill-sets required over time, and cloud spend, all of which help bidders understand the agency’s vision, plan and expectations. The multi-year estimate paired with a legal, contractual, formal mechanism to reevaluate annually reduces risk to the bidder and provides the agency with a deliverable to help refine budgets, funding, and progress within a consistent cadence. The listing of what needs to be done, including “escalation of issues to upper management to decide the proper course of action through the Change Control management process”, also confirms to the bidder that the agency will be actively involved in decision making, which reduces the risk of program failure for both parties.
4.2 TASK 2 – Cloud Assessment – Business Critical / Chosen Applications. (Required)
(a) The contractor will provide Agency with an onsite assessment of the applications and services that have been chosen to be migrated to the cloud (Deliverable 7). This assessment will be utilized to support the design stage and assure the Agency a successful migration.
• Security and Compliance Assessment (Deliverable 8)
• Technical Assessment (Deliverable 9)
4.3 TASK 3 – Survey – Other Agency Applications/Services. (Required)
(a) The contractor will provide Agency with an onsite analysis of its other applications (Deliverable 10) and will document a strategy to migrate these applications to the cloud.
• Security and Compliance Assessment (Deliverable 11)
• Technical Assessment (Deliverable 12)
4.4 TASK 4 – Design – Application Migration Strategy (Required)
(a) The contractor will analyze the applications and their data dependencies before determining the most efficient migration path. The result of this analysis will be used to develop an application migration strategy (Deliverable 13) including all necessary activities to assure application integrity once relocated to the destination environment.
• Pilot to validate the migration strategy (Deliverable 14)
4.5 TASK 5 – Data Migration (Required)
(a) The contractor will migrate application data to the storage systems with the appropriate connectivity to the proposed cloud-computing instance. Once the data is migrated in its entirety, the contractor will assure that all new data is also written to cloud-connected storage systems. (Deliverable 15)
4.6 TASK 6 – Copies/Configuration of Agency Applications (Required)
For restore purposes, the contractor will make a copy of the application and will store it within the connected cloud storage environment. This copy of the application will be solely used to support a restore of the services in either a physical or cloud-based deployment. (Deliverable 16)
4.7 TASK 7 – Application Migration to the Cloud (Required)
To provide true DR capabilities, the contractor will migrate a final copy of the application to the cloud environment and establish connectivity with the application data located on the cloud-connected storage. This copy of the application residing in the cloud can be turned on or off upon customer request to support DR scenarios or can be used to support 24/7 production workloads. (Deliverable 17)
[Agency Statement of Work, Cloud Services – Application Disaster Recovery, DJA-15-AHDQ-R-0070, SOW/Description of Services, Page 8 of 54]
4.8 TASK 8 - The contractor will furnish a highly resilient, secure and durable cloud-computing environment sized appropriately for the application requirements. (Required)
All cloud computing environments will be customizable and rapidly scalable to meet the immediate and future needs of the applications to accommodate periods of both heavy and light use. (Deliverable 18)
4.9 TASK 9 - The contractor will furnish all required software, tools and expertise essential for successful migration of Agency application assets. (Required)
The contractor will leverage where possible existing government furnished equipment and software. (Deliverable 19)
Explanation: The Agency solicitation was positive for incorporating cloud requirements by: 1) establishing a holistic service scope that required the assessment, design, and migration to be incremental yet interdependent tasks, 2) allowing the bidders to propose specific cloud service providers and cloud architecture to meet the requirements, as well as 3) allowing bidders to utilize contractor-furnished tools and technology.
By creating a holistic service scope, the agency maximizes the success rate of the cloud migration by eliminating the potential for one contractor to develop design requirements that would eventually be implemented by a different contractor. By allowing bidders to select a CSP or CSPs, the burden for delivery is on the contractor, not the government. By allowing bidders to use their own respective tools and technology, the agency enables an increase in contractor effectiveness due to familiarity with their preferred tools, while reducing the prolonged timing, complexity, unfamiliarity, and costs of using government furnished tools only.
Cloud Security
1901 Group provides security contract language in italics, followed by an explanation of how the example positively incorporates security requirements related to FedRAMP, i.e., background investigations.
The systems supported under this task are Medium security. The suitability or risk level of this work has been determined to be: Medium. As such, the contractor shall pre-screen their employees to eliminate anyone who does not meet the following criteria: The prospective employees must be U.S. and Foreign Nationals.
48 CFR 1352.237-70 - Security Processing Requirements—High or Moderate Risk Contracts (APR 2010)
(a) Investigative Requirements for High and Moderate Risk Contracts. All contractor (and subcontractor) personnel proposed to be employed under a High or Moderate Risk contract shall undergo security processing by the Department's Office of Security before being eligible to work on the premises of any Agency owned, leased, or controlled facility in the United States or overseas, or to obtain access to an Agency IT system. All Agency security processing pertinent to this contract will be conducted at no cost to the contractor. The level of contract risk will determine the type and scope of such processing, as noted below.
(1) Investigative requirements for Non-IT Service Contracts are:
(i) High Risk—Background Investigation (BI).
(ii) Moderate Risk—Moderate Background Investigation (MBI).
(2) Investigative requirements for IT Service Contracts are:
(i) High Risk IT—Background Investigation (BI).
(ii) Moderate Risk IT—Background Investigation (BI).
(b) In addition to the investigations noted above, non-U.S. citizens must have a pre-appointment check that includes an Immigration and Customs Enforcement agency check.
(c) Additional Requirements for Foreign Nationals (Non-U.S. Citizens). To be employed under this contract within the United States, non-U.S. citizens must have:
(1) Official legal status in the United States;
(2) Continuously resided in the United States for the last two years; and
(3) Obtained advance approval from the servicing Security Officer of the contracting operating unit in consultation with the Agency Office of Security. (Office of Security routinely consults with appropriate agencies regarding the use of non-U.S. citizens on contracts and can provide up-to-date information concerning this matter.)
(d) Security Processing Requirement. Processing requirements for High and Moderate Risk Contracts are as follows:
(1) The contractor must complete and submit the following forms to the Contracting Officer's Representative (COR):
(i) Standard Form 85P (SF-85P), Questionnaire for Public Trust Positions;
(ii) FD-258, Fingerprint Chart with OPM's designation in the ORI Block; and
(iii) Credit Release Authorization.
(2) The Sponsor will ensure that these forms have been properly completed, initiate the CD-254, Contract Security Classification Specification, and forward the documents to the cognizant Security Officer.
(3) Upon completion of security processing, the Office of Security, through the servicing Security Officer and the Sponsor, will notify the contractor in writing of an individual's eligibility to be provided access to an Agency facility or Agency IT system.
(4) Security processing shall consist of limited personal background inquiries pertaining to verification of name, physical description, marital status, present and former residences, education, employment history, criminal record, personal references, medical fitness, fingerprint classification, and other pertinent information. For non-U.S. citizens, the Sponsor must request an Immigration and Customs Enforcement agency check. It is the option of the Office of Security to repeat the security processing on any contract employee at its discretion.
(e) Notification of Disqualifying Information. If the Office of Security receives disqualifying information on a contract employee, the COR will be notified. The Sponsor, in coordination with the Contracting Officer, will immediately remove the contract employee from duties requiring access to Departmental facilities or IT systems. Contract employees may be barred from working on the premises of a facility for any of the following:
(1) Conviction of a felony crime of violence or of a misdemeanor involving moral turpitude;
(2) Falsification of information entered on security screening forms or on other documents submitted to the Department;
(3) Improper conduct once performing on the contract, including criminal, infamous, dishonest, immoral, or notoriously disgraceful conduct or other conduct prejudicial to the Government, regardless of whether the conduct was directly related to the contract;
(4) Any behavior judged to pose a potential threat to Departmental information systems, personnel, property, or other assets.
(f) Failure to comply with security processing requirements may result in termination of the contract or removal of contract employees from Agency facilities or denial of access to IT systems.
(g) Access to National Security Information. Compliance with these requirements shall not be construed as providing a contract employee clearance to have access to national security information.
(h) The contractor shall include the substance of this clause, including this paragraph, in all subcontracts.
Explanation: The excerpt above positively incorporates security requirements by providing a comprehensive list of “dos” and “don’ts” for the contractors to complete before beginning performance on a contract and to keep in mind throughout the contract. Not only does it list the criteria to be met and the type of background investigations the agency requires all personnel to undergo, but it also includes information around smaller details such as which party will cover the costs for security processing. To further ensure the agency’s information and data is protected during contract performance, the excerpt describes what is deemed unacceptable conduct and violations and how the agency will disqualify contract personnel if there is any type of threatening behavior.
FedRAMP PMO
1901 Group provides FedRAMP PMO contract language in italics, followed by an explanation of how the example positively incorporates FedRAMP and improves the availability and acquisition process of cloud products by the federal government.
Agency’s objective is to obtain services for relocating IT applications hosted from a data center in Silver Spring, MD. Agency is seeking a vendor to evaluate and migrate IT applications as part of a strategy to provide a more robust and stable environment. The vendor shall determine which Agency IT applications are ideal candidates for relocation, identifying the environment to move, develop the strategy, and manage the migrations. Potential hosting environments may include FedRAMP certified cloud solutions, commercial datacenters, and even other federal locations. Agency requires various IT applications to have at least 99.5% availability for agency users and partners to ensure mission goals can be met. Service disruptions associated with environmental conditions, system maintenance, or product upgrades shall have minimum impact on the IT systems availability.
After identifying the applications to be moved, the vendor will evaluate hosting options for the best possible environment for these systems. The primary criteria shall include at a minimum: 1) FedRAMP certification for FISMA moderate systems or similar security controls for traditional data center environments; 2) Ability to support an Agile SDLC; ease of securely migrating data in and out of external environments; 3) Integrate IT operations and maintenance of externally hosted systems (SLAs, patching, monitoring, security, lifecycle, etc.); and 4) Estimation of Capital expense and Operational expense (hardware, licensing, local resources, etc.)
Explanation: Although this example does not address level of effort for obtaining FedRAMP Authorization, it does imply that bidders should consider existing FedRAMP products; thereby, placing the burden of obtaining FedRAMP Authorization clearly on Industry as opposed to on Government. By not mandating FedRAMP, but by including FedRAMP consideration as part of the migration options, the agency does not limit bidders from competing for this scope of work.
The Agency issued the RFQ using a Best Value evaluation and award basis, and then cited FedRAMP in two (2) areas of the RFQ: 1) overall objectives, and 2) scope of work description. By stating that “Potential hosting environments may include FedRAMP certified cloud solutions, commercial datacenters, and even other federal locations”, the agency positively conveys that FedRAMP authorized products/services are allowable while not making FedRAMP mandatory. This citation allows the agency to evaluate proposals that include FedRAMP products higher than proposals without, if the agency deems fit. In addition, the agency then cites FedRAMP as a minimum consideration in the vendor’s evaluation of migration options, while not mandating that the final migration plan must include FedRAMP products.
1901 Group provides contract language in italics, followed by an explanation of how the example incorporates FedRAMP into the procurement process in the best possible way for a cloud service where market research demonstrates there is a competitive range of similar vendors with existing FedRAMP authorizations.
The Agency supports the rapid and appropriate delivery of cloud service offerings. The Agency team is charged with provisioning cloud services to authorized Agency consumers based upon their technical and policy requirements and funding relationships. As the next phase in brokerage operation functions, Agency requires a Cloud Service Provider Reseller to assist with the setup and high-level oversight of commercial service provider accounts. Agency currently offers commercial hosting services through Amazon Web Services, and in the future will be open to other Infrastructure as a Service (IaaS) Cloud Service Providers who have a FedRAMP Provisional Authorization (PA).
Explanation: The sources sought notice is a good example of how an agency can clearly cite the cloud service provider (CSP) being used currently and how the agency is moving forward to include other CSPs that not only have FedRAMP Authorization but also have FedRAMP Provisional Authority (PA). The PA citation allows for an even greater number of CSP sources.
Additional Question/Comment
Agencies should incorporate FedRAMP Authorized services/products for a) compute, b) storage, c) network, and d) monitoring and management of the cloud consumption, especially for multi-cloud environments. The value of leveraging multiple FedRAMP-related System Security Plans to issue/obtain ATOs will be critical to effective multi-cloud requirements.