The Defense Information Systems Agency anticipates up to 10 awards on a potential $450 million contract to provide cloud computing services to Defense Department agencies.
But to make the cut, vendors will need to go through two vigorous certification processes in which government officials test whether their cloud offerings meet strict security standards.
One of those certification programs is called the Federal Risk and Authorization Management Program (FedRAMP). Once vendors are FedRAMP-certified, they would then need to comply with additional Defense Department security standards to win a spot on the DISA cloud contract.
As of July 12, only a handful of vendors have gone through the FedRAMP certification process: Hewlett-Packard, Lockheed Martin, Amazon Web Services, CGI and Autonomic Resources.
At an industry event last week in Laurel, Md., agency officials clarified that FedRAMP approval will not be required for a contract award, but winning vendors will eventually have to meet FedRAMP standards to compete for task orders on the contract. DISA will use a questionnaire to assess each bidder’s FedRAMP status.
DISA wants secure, cloud solutions from industry for data storage, web hosting, database hosting services and virtual machine services that can replace the need for multiple physical servers. It expects to release the final request for proposal next month and award seven to 10 contracts in March.
For potential vendors, meeting FedRAMP standards is just the beginning.
Prime contractors must also assure that they have control over the operation and configuration of hardware and software used to store and process government data, according to DISA contracting officials and other Defense Department representatives at the industry event. DISA requested officials not be identified by name.
DoD requires that vendors have control over processes that could affect government data stored in a commercial facility and control over who has access to DoD information.
However, industry concerns about how to adequately meet that requirement forced DISA to clarify what is and is not acceptable. Some small businesses, for example, may not own the facility where government data are stored. DISA officials said vendors who lease or rent data center space could meet the requirement, but they must ensure they have control over the environment where the data are being stored.
“Those are requirements by DoD,” one official said. “They are not currently part of FedRAMP, but it is our expectation these are many things being done by [cloud service providers]. They represent industry best practice.”
DISA’s so-called designated approval authority determines whether cloud providers meet these requirements and are cleared to offer cloud solutions to DoD.
DISA doesn’t seem worried about security being a hurdle for small businesses. An agency contracting officer noted that smaller companies like Autonomic Resources have found ways to ensure control over the environment where government data are stored.
Certain task orders on the contract may be reserved for small businesses, according to DISA. But companies, including a number of small firms, that primarily resell cloud offerings must show they provide enough value or additional capabilities to the cloud offering they’re reselling.
The 2012 Defense Authorization Act required DoD to develop a strategy to move its data and services from department-owned and -operated data centers to cloud computing solutions. Cloud solutions “provide a better capability at a lower cost with the same or greater degree of security” and are generally available in the private sector, the law says.
This has prompted DISA to expand cloud offerings beyond its current private clouds, where services are provided exclusively to DoD and hosted in DISA data centers. But some vendors question whether cloud services provided though DISA will be cheaper than customers dealing directly with cloud service providers. DISA customers will be charged a 2 percent fee for using the contract, in addition to the cost of the service.
When asked by an industry attendee whether DISA was simply reselling industry’s products and services, an agency official said DISA provides the needed contracting language for DoD to acquire cloud services and ensure adequate security is built in.
A portion of the industry day was spent defending DISA’s reasoning for launching its own contract, when agencies like the General Services Administration and Interior Department provide similar services.
A DISA contracting officer argued that DoD has unique contracting language and additional security requirements that make it necessary to launch a new contract. DISA had considered using GSA’s contract, but it would have required a major overhaul to fit DoD’s security needs and provide additional services to help customers move operations to the cloud.