Re: Proposed Change to Add a Cloud Computing Special Item Number (SIN) on IT Schedule 70



Similar documents
Subject: Category Management Policy 16-1: Improving the Acquisition and Management of Common Information Technology: Software Licensing

10 Considerations for a Cloud Procurement. Anthony Kelly Erick Trombley David DeBrandt Carina Veksler January 2015

Seeing Though the Clouds

Federal Aviation Administration. efast. Cloud Computing Services. 25 October Federal Aviation Administration

April 28, Ms. Hada Flowers Regulatory Secretariat Division General Services Administration 1800 F Street, NW, 2 nd Floor Washington, DC

Cloud Assessments. Federal Computer Security Managers Forum. John Connor, IT Security Specialist, OISM, NIST. Meeting.

Why Migrate to the Cloud. ABSS Solutions, Inc. 2014

December 8, Security Authorization of Information Systems in Cloud Computing Environments

March 13, Samuel Barksdale U.S. General Services Administration 1800 F St NW, 4th Floor Washington, DC 20405

Information Assurance in the Cloud

Cloud Security. A Sales Guy Talks About DoD s Cautious Journey to the Public Cloud. Sean Curry Sales Executive, Aquilent

Fundamental Concepts and Models

industry perspective: MAKING SMARTER IT INVESTMENTS: Customizing the Cloud

Overview. FedRAMP CONOPS

How to Use the Federal Risk and Authorization Management Program (FedRAMP) for Cloud Computing

Hans Bos Microsoft Nederland.

SIGNIFICANT CHANGES DOCUMENT

OWASP Chapter Meeting June Presented by: Brayton Rider, SecureState Chief Architect

Allison Stanton Director of E-Discovery U.S. Department of Justice, Civil Division

GAMP 5 as a Suitable Framework for Validation of Electronic Document Management Systems On Premise and 'In the Cloud' Keith Williams CEO GxPi

A Flexible and Comprehensive Approach to a Cloud Compliance Program

U.S. HOUSE OF REPRESENTATIVES SUBCOMMITTEE ON TECHNOLOGY AND INNOVATION COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY HEARING CHARTER

RE: ITI Comments on Korea s Proposed Bill for the Development of Cloud Computing and Protection of Users

Rose Business Technologies

Before the. United States Department of Commerce. and the. National Institute of Standards and Technology

Concurrent Technologies Corporation (CTC) is an independent, nonprofit, applied scientific research and development professional services

Summary of responses to the public consultation on Cloud computing run by CNIL from October to December 2011 and analysis by CNIL

CLOUD IN HEALTHCARE EXECUTIVE SUMMARY 1/21/15

Cloud Infrastructure as a Service Market Update, United States

Cloud Computing and the Regulatory Compliance Labyrinth

WRITTEN TESTIMONY OF NICKLOUS COMBS CHIEF TECHNOLOGY OFFICER, EMC FEDERAL ON CLOUD COMPUTING: BENEFITS AND RISKS MOVING FEDERAL IT INTO THE CLOUD

GETTING THE MOST FROM THE CLOUD. A White Paper presented by

Federal Cloud Computing Initiative Overview

DEPARTMENT OF VETERANS AFFAIRS VA DIRECTIVE 6517 CLOUD COMPUTING SERVICES

Cloud Computing. Report No. OIG-AMR UNITED STATES GOVERNMENT National Labor Relations Board Office of Inspector General.

January 28, Re: Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework Comment, Docket No.

STATEMENT OF. Dr. David McClure Associate Administrator Office of Citizen Services and Innovative Technologies General Services Administration

OAGM Contractors Conference

Why Private Cloud? Nenad BUNCIC VPSI 29-JUNE-2015 EPFL, SI-EXHEB

ITL BULLETIN FOR JUNE 2012 CLOUD COMPUTING: A REVIEW OF FEATURES, BENEFITS, AND RISKS, AND RECOMMENDATIONS FOR SECURE, EFFICIENT IMPLEMENTATIONS

The Hybrid Cloud: Bringing Cloud-Based IT Services to State Government

Cloud Computing. Chapter 1 Introducing Cloud Computing

Cloud Services. More agility. More freedom. More choice.

Cloud Services The Path Forward. Mr. Stan Kaczmarczyk Acting Director - Strategic Solutions and Security Services FAS/ ITS, GSA

Industry Engagement Event. CLOUD COMPUTING SOLUTIONS CONSULTATION EN /A November 13 th, 2014 Delta Hotel, Ottawa.

OFFICE OF AUDITS & ADVISORY SERVICES CLOUD COMPUTING AUDIT FINAL REPORT

STATEMENT OF. Dr. David McClure Associate Administrator Office of Citizen Services and Innovative Technologies General Services Administration

A COALFIRE PERSPECTIVE. Moving to the Cloud. NCHELP Spring Convention Panel May 2012

Cloud Computing. Chapter 1 Introducing Cloud Computing

Perspectives on Moving to the Cloud Paradigm and the Need for Standards. Peter Mell, Tim Grance NIST, Information Technology Laboratory

Cloud Computing demystified! ISACA-IIA Joint Meeting Dec 9, 2014 By: Juman Doleh-Alomary Office of Internal Audit

Re: Joint Working Group on Improving Cybersecurity and Resilience Through Acquisition [Notice- OMA ; Docket No ]

Cloud Security Trust Cisco to Protect Your Data

GAO INFORMATION TECHNOLOGY REFORM. Progress Made but Future Cloud Computing Efforts Should be Better Planned

Topics. Images courtesy of Majd F. Sakr or from Wikipedia unless otherwise noted.

RE: ITI s Comments on Korea s Revised Proposed Bill for the Development of Cloud Computing and Protection of Users

FISMA Cloud GovDataHosting Service Portfolio

Cloud Computing Best Practices and Considerations for Project Managers Mike Lamoureux, PMP, MBA. Page 1

Esri Managed Cloud Services and FedRAMP

Office of Inspector General

IT-CNP, Inc. Capability Statement

Cloud Security for Federal Agencies

Public Cloud Workshop Offerings

Cloud Computing Best Practices. Creating Effective Cloud Computing Contracts for the Federal Government: Best Practices for Acquiring IT as a Service

ISSUE BRIEF. Cloud Security for Federal Agencies. Achieving greater efficiency and better security through federally certified cloud services

Legal Issues in the Cloud: A Case Study. Jason Epstein

Data, Data, Who Has The Data?

FAA Cloud Computing Strategy

CLOUD BASED SCADA. Removing Implementation and Deployment Barriers. Liam Kearns Open Systems International, Inc.

Cloud Computing Guide & Handbook. SAI USA Madhav Panwar

INTRODUCING CLOUD POWER

Cloud Computing. What is Cloud Computing?

Risk Management Framework (RMF): The Future of DoD Cyber Security is Here

Re: Big Data: A Tool for Inclusion or Exclusion? Workshop Project No. P145406

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015

How To Use Cloud Computing For Federal Agencies

Despite the hype, cloud adoption is still in its early days for most companies, but cloud is coming.

Highlights & Next Steps

Information Security Guideline: Cloud Computing Services. Information Security and Privacy Committee Draft version 8/1/2012

Private Information Protection in Cloud Computing laws, Compliance and Cloud Security Misconceptions

Audit of the CFPB s Acquisition and Contract Management of Select Cloud Computing Services

Making Sure Cloud Security is Not Up in Smoke: Integrating Protection in the Acquisition Process Digital Government Institute Cloud-Enabled

Governing Changes in a Cloud, Cloud, World. EEI-AGA Accounting Leadership Conference. james.r.hanlon@us.pwc.com. New Orleans, Louisiana

Perspectives on Cloud Computing and Standards. Peter Mell, Tim Grance NIST, Information Technology Laboratory

Accelerate Your Enterprise Private Cloud Initiative

A New Way to Compute or: How I Learned to Stop Worrying and Love the Cloud

Achieve Economic Synergies by Managing Your Human Capital In The Cloud

NATO s Journey to the Cloud Vision and Progress

Flying into the Cloud: Do You Need a Navigator? Services. Colin R. Chasler Vice President Solutions Architecture Dell Services Federal Government

GOVERNMENT USE OF MOBILE TECHNOLOGY

Cloud Computing: Contracting and Compliance Issues for In-House Counsel

Implementing Clinical Solutions in the Cloud

Perspectives on Cloud Computing and Standards. Peter Mell, Tim Grance NIST, Information Technology Laboratory

Whitepaper Help Your Development Team Deliver

Cloud Computing in a Regulated Environment

Cloud Security Benchmark: Top 10 Cloud Service Providers Appendix A E January 5, 2015

White Paper: Vendor Selection for Your Life Science Company Cloud

Global Headquarters: 5 Speen Street Framingham, MA USA P F

CLOUD COMPUTING. Agencies Need to Incorporate Key Practices to Ensure Effective Performance

Transcription:

August 21, 2014 Dennis Harrison Division Director, IT Schedule 70 U.S. General Services Administration 1800 F St NW Washington, DC 20006 Re: Proposed Change to Add a Cloud Computing Special Item Number (SIN) on IT Schedule 70 Dear Dennis, The Coalition for Government Procurement appreciates the opportunity to provide comments on the General Services Administration s Request for Information Proposed Change to Add a Cloud Computing Special Item Number (SIN) on IT Schedule 70. We also appreciate the extension that GSA provided in response to our request. The Coalition for Government Procurement ( the Coalition ) is a non-profit association of firms selling commercial services and products to the Federal Government. Our members collectively account for approximately 70% of the sales generated through the GSA Multiple Award Schedules (MAS) program and about half of the commercial item solutions purchased annually by the Federal Government. Coalition members include small, medium and large business concerns. The Coalition is proud to have worked with Government officials over the past 35 years towards the mutual goal of common sense acquisition. The following are the Coalition s comments regarding implementation of a new cloud services SIN under IT Schedule 70. The theme of our comments is flexibility. IT Schedule 70 contracts that incorporate the new cloud services SIN must provide flexibility in pricing and solution structure to ensure customer agencies can effectively meet their cloud service requirements.

1. There are two critical acquisition policy reforms that are imperative if the Cloud SIN is to be successful in providing customer agencies with innovative, best value solutions: A. Waive the Price Reduction Clause (PRC) to the Cloud Services SIN: i. Waiving the applicability of the PRC to the Cloud Computing SIN will accelerate best value cloud computing solutions and increase access to commercial innovation via IT Schedule 70. ii. Given that commercial offerings for cloud service many times involve uniquely structured solutions that may include one or more bundled subcategories of services identified in the RFI (IaaS, PaaS, SaaS, XaaS), it is impracticable to establish a tracking customer for purposes of PRC compliance. Fundamentally, pricing for cloud services is driven by customer needs making an objective, apples to apples comparison of pricing under the PRC irrelevant. iii. The PRC essentially requires archaic, high risk price certifications that limit a contractor s ability to offer new technologies, services and solutions. Moreover, the administrative costs and overhead associated with PRC compliance increase costs for government and industry. B. Allow ODCs under the Cloud Services SIN: i. By utilizing the vetted, FAR-based commercial item clauses for acquisition and reimbursement of ODCs, materials and indirect costs, FAS can enhance customer agencies ability to efficiently and effectively acquire robust, sound and comprehensive cloud solutions to requirements under IT Schedule 70. 2

ii. Inability of customer agencies to include ODCs, materials and indirect costs on Schedule orders effectively blocks companies from providing their latest technologies and comprehensive solutions. Moreover, the lack of ODC capability on IT Schedule hurts small schedule contractors who cannot specifically include and price all potential cloud service elements and/or products under their contracts. ODCs would allow small businesses to fill gaps in service elements/products at the task order competition level. ODCs would also provide greater opportunity for small businesses seeking subcontracts under schedule contracts. 2. The contract level terms and conditions should reference a core set of requirements for the cloud services SIN (e.g. NIST, FedRAMP and FISMA) in a flexible manner that allows for robust access to commercial solutions. Some key considerations include: A. The NIST definitions referenced in Table 1 are guidelines and are not intended to be prescriptive. NIST 800-145 notes that cloud technology is rapidly evolving with fluid definitions. B. Specific requirements (e.g. timing of FedRAMP ATO and storage location) should be determined by the acquiring agency at the task order level. 3. The Sub-SIN structure is confusing for both contractors and customer agencies. The Sub-SIN could have the unintended consequence of creating stovepipes that limit flexibility, innovation and total cloud solutions. A. Cloud solutions commercially available today often span the proposed Sub-SINs (SaaS, PaaS, IaaS, XaaS). As an example, an IaaS provider may provides PaaS features (managed relational databases). GSA s Cloud Sub-SIN structure should reflect this overlap, especially given that the lines distinguishing current Service Models are likely to become even more blurred in the future. GSA should also include a more general 3

category for new and emerging cloud services as proposed by the XaaS option. 4. Allow for more flexibility under the Cloud Services SIN vs. other Schedule 70 SINs that offer more traditional products and services. A. Cloud in the commercial market is an on-demand pay-as-you-go type of service. The Cloud Services SIN should allow agency customers to change/purchase any services at any time in order to customize on the fly to meet their mission. B. Contracts offered under the Cloud Services SIN should not restrict the customization and flexibility of typical cloud services. The need to issue a modification every time the end user adjusts available features is contrary to the concept of the cloud which is a real time, dynamic model. Allowing cloud service contractors to use their standard commercial price lists will reduce the need to issue modifications for adds/deletes and price increases. C. Terms and conditions should map as closely as possible to commercial best practices. Any special terms and conditions should allow for cloud solutions that maximize competition in order to provide best value to the government. GSA should also ensure that any specific terms and conditions minimize administrative process and paperwork burdens that increase costs, result in delays and stifle innovation. It is also critical that intellectual property rights are protected. 5. Clarify GSA s plans to screen vendors for the Cloud Computing SIN. A. The Coalition believes more clarity is needed on this issue. We recommend that the Cloud SIN be structured so that the maximum number of vendors can participate rather than limiting the vendor pool due to restrictive requirements and exerting pricing pressure on vendors that already provide cloud services under Schedule 70. 4

The Coalition appreciates the opportunity to provide input on the Proposed Change to Add a Cloud Computing Special Item Number (SIN) under IT Schedule 70. We look forward to continuing the dialogue on this important initiative. If there are any questions, please contact me at (202) 315-1051 or rwaldron@thecgp.org. Sincerely, Roger Waldron President 5

RFI Template Table 1: Administrative Information # Question Response a Company Name The Coalition for Government Procurement b File Name Coalition_IT70-Cloud-SIN-RFI-Response_final c Page Count (including cover) 9 Table 2: B. Questions for Industry - Feedback on Proposed SIN Addition # Question Response 1.a. Proposed SIN Scope - Does your company have any feedback on the draft scope as stated in Table 1? Please provide a response of any concerns as well as any proposed changes to the scope. The proposed SIN scope is a reasonable starting point in terms of describing current cloud offerings. However commercial cloud offerings often span the sub-sins categories proposed. For example, as a company employs an SaaS solution, PaaS may be used as a way to enhance the solution that GSA is offering under the SaaS sub-sin. The SIN scope should take into account more comprehensive approaches that vendors offer in the commercial market. 1.b. Proposed SIN Scope - NIST Characteristics - The National Institute for Standards and Technology (NIST) has defined the essential characteristics of Cloud Computing. (NIST Special Publication 800-145). For the purposes of providing commercially available cloud services on a Cloud SIN, should all offerings meet these essential characteristics or are there any that should be specifically excluded from the list? Please provide your rationale. 1.c.i. Proposed SIN Scope - Sub-SINs - The current proposed Sub-SINs are IaaS, PaaS, SaaS, and XaaS (See Table 1 in the RFI). i. Do you see value in requiring industry partners to identify this service model distinction at the Sub-SIN level? The NIST definitions are guidelines and should not be prescriptive. The definitions of the essential services in NIST SP800-145 do not encompass all possible cloud services and their characteristics. The Sub-SIN approach may inadvertently inhibit a vendor s ability to offer comprehensive cloud solutions. As mentioned earlier, comprehensive commercial cloud services often span the proposed Sub-SIN categories. Additionally, there is an assumption through the Sub-SIN structure that cloud services (IaaS, PaaS, SaaS, XaaS) provided by various vendors will function seamlessly together. Utilizing one vendor for IaaS and another vendor for SaaS could be problematic. An agency would not be assured that the software provided by the SaaS vendor 6

# Question Response functions correctly on an upgrade implemented by the IaaS vendor. This could leave the agency s systems inoperable as both vendors, not in violation of their contract, are not compelled to fix the problem. 1.c.ii. Proposed SIN Scope - Sub-SINs - The current proposed Sub-SINs are IaaS, PaaS, SaaS, and XaaS (See Table 1 in the RFI). ii. Do these four categories address the range of expected cloud services, or would you suggest any other relevant Sub- SINs? If so, explain why this would logically fall into the category of Cloud Computing and not any other existing SINs. 1.c.iii. Proposed SIN Scope - Sub-SINs - The current proposed Sub-SINs are IaaS, PaaS, SaaS, and XaaS (See Table 1 in the RFI). iii. Do you see value for GSA to vet that the services meet specific qualifications for each Sub-SIN category? 2. Vendor Pricing Methodology: What are your commercial pricing methodology structures for a proposed Cloud SIN? (Provide a link to a web page if possible.) A contemplated structure would include firm-fixed price units, for example - components priced by time units such as minutes, hours, months or years (such as per user per month, storage cost per unit (e.g. GB) per hour). 3. Industry SIN Management: Given that cloud services are currently offered under SINs 132-32, 132-52 and 132-51 (if not potentially others), identify any challenges you foresee with adding the To mitigate confusion, the Coalition recommends that GSA update the current SIN definitions (132-32, 132-52 and 132-51) to note that cloud solutions/services are no longer included and that these technologies will be offered under the new cloud SIN. 7

# Question Response proposed SIN, and identify any proposed mitigating actions. 4. Potential Service Offerings: Please provide a brief indication of service offerings your company would like to offer in a proposed SIN including sub SIN categories. 5. Terms and Conditions: As with other IT Schedule 70 SINs, a future Cloud Computing Services SIN would have special Terms and Conditions. 1 These Terms and Conditions would address both industry partner requirements as well as information useful to Ordering Activities. Please identify any feedback on the proposed topic areas and suggest any additional terms and conditions topic areas that GSA should consider for this SIN. As mentioned in the Coalition s outline above, our members recommend that any special terms and conditions for cloud services allow the government and contractors the flexibility to solicit and offer cloud solutions that enhance competition in order to provide the best value to the government. These terms and conditions should include sufficient protection of the intellectual property rights of prospective contractors, the use of commercial products and services and the reduction of administrative processes and paperwork burdens that increase costs and hamper innovation. 5.a.i. 5.a.ii. Security/Information Assurance: FedRAMP: It is contemplated that FedRAMP will be referenced in the Terms and Conditions. The scope does not currently propose that industry partners hold a FedRAMP JAB provisional ATO or an agency-granted FedRAMP compliant ATO because FedRAMP compliance is already the de facto standard and issuing an ATO is the ultimate responsibility of the ordering agency. Does your company see any value in requiring a FedRAMP-compliant ATO or any other specific FedRAMP compliance language? FISMA: It is contemplated that The Coalition recommends that the requirement of a FedRAMP compliant ATO be issued at the Task Order level. 1 Refer to the 13 - Critical Information Specific to Schedule 70 package attachment on the IT Schedule 70 Solicitation published on FedBizOpps at the following URL: https://www.fbo.gov/index?s=opportunity&mode=form&id=d24cd9e270944b554632f37b34866aa6&tab=core&_cview=1 8

# Question Response the Federal Information Security Management Act (FISMA) of 2002 will be referenced in the Terms and Conditions 5.a.iii. 5.a.iv. 5.b. 5.c. 5.d. Data Requirements: It is contemplated that a set of high level data requirements may be included in the Terms and Conditions. Identify any data requirements you believe should be included as Terms and Conditions (for example, requirements related to data privacy, HIPAA, interoperability, etc.) Information Assurance: Identify any information additional assurance requirements you believe should be included in the Terms and Conditions. Legislative Requirements: Identify any legislative requirements you believe should be referenced. Service Model and Delivery Model: It is expected that industry partners should provide at minimum the service model (e.g. IaaS, PaaS, SaaS) and deployment model (public, private, community, hybrid, etc.) of cloud services provided. NIST Characteristics: As described in question 1b, it is anticipated that in some capacity the NIST characteristics will form the basis of determining whether the service provided is truly a cloud service, and therefore reflected in the Terms and Conditions. The inclusion of any data requirements should consider the costs involved and the associated return to the taxpayer. For HIPAA compliance GSA may want to consider reference to the HIPAA Business Associates Agreement. The recently published ISO 27018 standard may be helpful in prohibiting the use of customer data for advertising or marketing purposes. 9

# Question Response 5.e. Pricing: Specific pricing requirements may be included in the Terms and Conditions; for example pricing and/or billing requirements to ensure that government agencies can take advantage of the scalable and metered nature of cloud services. 5.f. Data Center Location: Location of the data centers can be a high priority concern for many government customers. It is contemplated that the data center locations will not be restricted at the SIN level, but must be identified at the Task Order level. Based on a wide variety of customer requirements it is expected that it will be the responsibility of the Ordering Activity to make a determination of acceptable data center locations and set any locationspecific requirements. The Coalition maintains that data center location should be identified by the ordering agency. Only a high level set of requirements for data center locations should be required by the Cloud SIN. 6. General Feedback: Does your company have any other general feedback about the proposed SIN? 10

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information