The General Services Administration has released a draft of the terms and conditions for its proposed special item number of cloud acquisition under IT Schedule 70 to make agency cloud procurement simpler and more transparent.
Built off the response to a July request for information, the draft terms and conditions are meant to seek further comment from industry on GSA’s proposed movement to a special category for offering cloud services to other agencies. While the terms and conditions could certainly change depending on industry response, the draft sets a framework for the scope of what cloud services will be covered by the SIN.
“This SIN provides ordering activities with access to technical services that run in cloud environments and meet the [National Institute of Standards and Technology] Essential Characteristics,” the document states. “Services relating to or impinging on cloud that do not meet all NIST essential characteristics should be listed in other GSA SINs or categories.”
By NIST definition, cloud services exhibit five characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service. Not only does this requirement create a standardization for cloud services — at least for those listed under the IT Schedule 70 Cloud SIN — but it also emphasizes the importance of a pure cloud procurement.
“[I]t is an approximation of the cloud model that is coming out of most of our contracts,” Mark Day, deputy assistant commissioner of GSA’s Integrated Technology Service, said last week at an industry discussion on the cloud SIN. “It’s not really the pure cloud model [found] in the commercial space.”
This special item number will give industry and agencies a firm understanding of what exactly cloud is for procurement purposes. The SIN also designates three subcategories under which cloud services can be listed — software-as-a-service, platform-as-a-service and infrastructure-as-a-service — taking from NIST’s list of service models. Services, however, can choose not to list under any of the subcategories.
On top of those requirements, cloud services in the SIN will also be evaluated on other standards, such as the Federal Risk and Authorization Management Program (FedRAMP) and the Federal Information Security Management Act (FISMA), but only for completeness. So, for instance, if a vendor’s service is not FedRAMP authorized, it can still be listed as long as it shows some strategy to reach that status. This will make it much simpler for agencies procuring cloud to see exactly what they’re buying.
Lastly, the draft terms and conditions ask industry to respond to the following concerns:
- Do the terms and conditions appear flexible, fair and competitive, while retaining the intent of having vetted cloud services?
- Do the terms and conditions support the ability for customers to easily locate and distinguish cloud-computing services from other IT services and conveniently view services by relevant criteria?
- Will the terms and conditions support a broad range of potential industry partners, including cloud service providers and resellers, and small and large businesses?
- Do the terms and conditions address the industry best practices and standards?
- Are there additional areas that we need to address in the terms and conditions?
- Does the factor for evaluation provide a clear and straightforward manner of evaluating cloud-computing services?
Read the draft terms and conditions here. GSA will accept comments until Jan. 15.