GSA / fedramp

Primary repository for FedRAMP PMO Activities

Response to FedRAMP RFI from Govplace #7

Open sco8462 opened 6 years ago

sco8462 commented 6 years ago

Question/Comment on FedRAMP RFI Directory

Name and Affiliation

Tina Scogin, Sr. Proposal Manager, Govplace and Joe Corcoran, VP Federal, Govplace

Cloud Services

Some government agencies look at cloud services from CSPs as straight commodity type transactions, while others look at cloud services as labor category services. Neither of these approaches generally achieve the desired result the Agency requires. It is critical that government agencies consider the full lifecycle, from strategy to management, when procuring cloud solutions as well as the contract vehicle that will be used.

In any solutions-based procurement, the first, most critical section is defining the scope and contract requirements. We recommend contractors be held to achieving Objectives rather than responding only to predefined requirements. This will enable contractors to continue to optimize and innovate as the marketplace evolves throughout the life of the contract.

The first objective should be to develop a realistic strategy to select the best-fit CSP. The strategy includes Deployment Model Selection, Service Model Selection, developing CSP Selection Criteria, Cloud Adoption Roadmap creation, Migration Plan formation, and developing a Procurement Strategy. The next step is ensuring readiness by conducting an assessment (in parallel) to gather information such as physical access requirements, acceptability of hybrid solutions, acceptability of converting virtual workload formats, discovery of all workload components and dependencies, recording historical performance and utilization of resources, and discovering non-technical dependencies such as release schedules and human resource availability. We recommend either the government perform the assessment and include the results in the procurement request or require the contractor to perform it as part of the proposed solution. This step resolves issues we often see, such as an Agency specifying a FedRAMP security level that it doesn’t need, limiting competition, and significantly increasing the budget unnecessarily. These two activities give the Agency the knowledge to make the best decision to meet their mission needs.

The second objective should be to design the cloud ecosystem and architecture that will result in the shell cloud environment, which could include multiple CSPs if that is the best solution for the government. This step becomes crucial as CSPs typically have strengths in certain areas and weaknesses in other areas. Using the information from the first objective, the contractor will architect the technical components for the target CSP’s Shell Cloud environment; assure availability, performance, and completeness of design components; incorporate security services; and define requirements and expectations via SLAs.

Using the artifacts developed in the previous objectives, the third objective should be to ensure readiness of the applications that will be migrated, the supporting infrastructure to support cloud connectivity, and the support teams to conduct the migration and manage the new environment.

Following the Cloud Adoption Roadmap, created in the strategy phase, the fourth objective begins the workload migrations with limited to zero disruption to the business. We recommend migrating in waves for incremental cloud adoption to reduce significant impact to the latency and allow for earlier recognition of savings produced by moving to the cloud environment.

Finally, the fifth objective should be to manage, monitor, and operate the new cloud environment. The contractor should be held accountable to continually improve steady-state cloud operations to ensure optimal performance. Continual cloud modernization that examines migrated workloads enables the government to benefit from additional features in the cloud for increased end-user satisfaction and reduced costs.

In addition to these objectives, we recommend the government require automated, rather than manual, cloud migration options. This requirement to leverage automated tools and processes mitigates risk and increases cloud migration efficiency, which reduces cost and time to migrate.

We also recommend the government require contractors to propose solutions that include procedures and tools for mitigating CSP Lock-In and allowing cloud-to-cloud migration or a reverse migration back to the datacenter. We further recommend the government require contractors to propose pre- and post-migration optimization to ensure any contract longer than 6 months continues to benefit and improve at the speed of the marketplace.

Beyond the scope of work, the next, most critical aspect for consideration is the contract vehicle requirements. On June 30, 2016, the Small Business Administration issued a final rule with significant impacts to a small business’ ability to sell cloud to the Federal Government. First, they changed the 50% rule from labor to the total price of the contract. Second, they clarified their “current position that cloud based solutions are services that are being provided to the government and not supplies that the government is purchasing.” This is not being applied consistently from agency to agency and, more importantly, this interpretation makes it next to impossible for a small business to leverage proven, cost effective CSPs (e.g., AWS, Azure, IBM) as part of the proposed cloud solution.

Finally, cloud is a fairly new technology and the billing is very much a commercial model and does not lend itself to traditional government procurement models. Current challenges include firm-fixed pricing for consumption based/on-demand billing; locked in pricing for an extended (3-5 years) period of performance; and catalog-based pricing rules and restrictions resulting in a contractor’s inability to update its offering pricing (e.g. GSA’s Economic Price Adjustment clause) in a rapidly-changing market. Another challenge stems from contract defined CLINs that are laborious to modify, especially if the contract is GSA based. These types of procurement lock-ins also create challenges with the CSPs and resellers when the CSPs develop new, or change existing, pricing models to meet customer demand that do not align to the existing contracts. An example of a similar contract challenge could be cellular contracts, whereby commercial demand resulted in significant price reductions and changes to features and plans. The government would face challenges taking advantage of these savings post contract award as they would necessitate completely restructuring the contract until it was up for renewal.

Cloud Security

Most government acquisitions focus on FedRAMP approval levels and not on cloud security as a whole. FedRAMP is a baseline for compliance that should be built up with additional security tools available in the marketplace.

Most often missing from an RFQ, and therefore the resulting contract, is language regarding care and feeding of the migrated applications and workloads transitioned to the cloud. To mitigate this risk, we recommend some form of the following language, which originated from the DHS ECS procurement, be included in any cloud contract:

(4) Continuous Monitoring. All Contractor-operated systems that input, store, process, output, and/or transmit sensitive information shall meet or exceed the continuous monitoring requirements identified in the Agency's Information Security Performance Plan, or successor publication. The plan is updated on an annual basis. The Contractor shall also store monthly continuous monitoring data at its location for a period not less than one year from the date the data is created. The data shall be encrypted in accordance with FIPS 140-2 Security Requirements for Cryptographic Modules and shall not be stored on systems that are shared with other commercial or Government entities. The Government may elect to perform continuous monitoring and IT security scanning of Contractor systems from Government tools and infrastructure.

FedRAMP PMO

The first area where the PMO could support acquisition efforts involves a genuine assessment of an Agency’s security requirements. Often, a procurement is released with a requirement for FedRAMP High, when based on all other information, Moderate would suffice. This leads to increased budgets, limited CSP choices, and often a challenge meeting other requirements that conflict.

Given that the current length of time required to obtain FedRAMP approval for an Agency is just under two years, we recommend that all procurements allow for Agency waivers. To support this, we recommend the PMO work with each Department to establish, document, and streamline their individual waiver process.

Each CSP structures their billing uniquely, typically a consumption-based model where services are billed based on usage, which rarely fits within a firm-fixed-price contract model. Therefore, we recommend each contract consider one of the following: 1) T&M structure; 2) not-to-exceed contract ceiling with partial billing accepted; or 3) firm-fixed price and quarterly or monthly true-up with contract modifications as needed. Any of these options would allow for flexibility on billing based on usage and would result in cost savings to the government.

Given the current challenges and cloud marketplace, we recommend each Department/Agency establish their own IDIQ, Master Ordering Agreement, Blanket Purchase Agreement, or similar that would clearly outline the contract requirements and/or allow for existing contracts to utilize one of the three recommendations outlined in the above paragraph. The government shouldn’t lose the opportunity to benefit from the next innovation developed in the marketplace. Therefore, we recommend these contracts include on-ramping/technology refresh to allow for new and emerging technology or additional CSPs. This approach would ensure the government benefited from the cloud marketplace even after contract award such as the ability to obtain CSPs who obtain FedRAMP approval, new security solutions, and new cloud offerings that are developed after the base contract is established.

One challenge contractors have when awarded a contract with an existing CSP account is the significant length of time required to transition from one account owner (contractor) to another. We recommend the government require all cloud contracts to include a transition plan where the operational transition occurs on the first day of the new period of performance. This would mean new contracts would need to be awarded at least one month prior to the previous contract close.

Additional Question/Comment

{ask away!}

mattkasten commented 6 years ago

Tina,

Thank you for your feedback in response to our December RFI. Please note that the PMO and the Secure Cloud Portfolio are digesting the RFI input from across industry and developing next steps.

FedRAMP PMO