The Contracting Education Academy

Contracting Academy Logo
You are here: Home / Archives for FedRAMP

By

Civilian vendor cybersecurity certification would look very different from DoD

A civilian counterpart to the Pentagon’s Cybersecurity Maturity Model Certification would need to suit the varying missions across government, according to federal deputy CIO Margie Graves.

The Defense Department is working on a new policy that will require its vendors to obtain a certification confirming the contractor’s own systems have strong enough cybersecurity to protect the department’s secrets. A civilian agency counterpart to that would look very different than what the Pentagon is developing, according to the second-ranking civilian IT official.

While the government does have a method for certifying the cybersecurity of vendors’ products — through the authority to operate, or ATO, process and the Federal Risk and Authorization Management Program, or FedRAMP — it does not have a program for assessing the security of the systems used by the vendors.

The Defense Department’s Cybersecurity Maturity Model Certification, or CMMC, looks to change that with a set of 18 “key sets of capabilities for cybersecurity,” according to the draft released in September.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2019/10/civilian-vendor-cybersecurity-certification-would-look-very-different-dod/160982/

By

Cloud resources for government users

The Office of Management and Budget posted the final version of its cloud smart strategy.  First drafted in September 2018, the strategy includes a list of action items “to advance the Cloud Smart agenda.”  It also requires federal agencies to “rationalize their application portfolios” to support cloud adoption by assessing application portfolios and discarding those apps that are “obsolete, redundant, or overly resource-intensive.”  The CIO Council said it will develop best practices and other resources to help agencies with the rationalization process.

The cloud smart work plan will be executed over an 18-month period, and will be updated as the cloud market and technologies evolve.  Read the final policy here.

Campaign security assistance, at a discount

Microsoft announced Microsoft 365 for Campaigns is now available at a discounted price for U.S. federal political campaigns and national-level political parties. The service brings together Office 365, Windows 10 and Enterprise Mobility+Security with Exchange Online for Email, SharePoint and OneDrive and  Teams along with other Office applications such as Outlook, Word, Excel, PowerPoint  and more.

A simple setup process allows admins to implement features like multifactor authentication, Office 365 Advanced Threat Protection, protection of mobile apps and documents and the ability to easily install security patches and updates to Office apps. The security service is available for $5 per user per month. Find out more here.

Keep reading article at: https://gcn.com/articles/2019/06/25/cloud-briefs.aspx

By

GSA to agencies: Don’t use FedRAMP to screen-out potential bidders

Some federal agencies are beginning to require that contracting vendors have FedRAMP authorizations before bidding on cloud computing contracts.

FedRAMPAt first blush, it seems like a good thing that agencies would require contractors to adhere to the Federal Risk and Authorization Management Act, the government’s standardized approach to ensuring security in cloud computing.

Yet because FedRAMP is still only a few years old, making compliance with FedRAMP a prerequisite to bidding on contracts could limit competition.

“Agencies – contracting officers – are starting to require FedRAMP authorizations as a condition for bidding on work,” said Stan Kaczmarczyk, director of the Cloud Computing Services Program Management Office in the General Services Administration’s Federal Acquisition Service.

Keep reading this article at: http://www.nextgov.com/emerging-tech/emerging-tech-blog/2015/06/gsa-agencies-dont-use-fedramp-screen-out-potential-bidders/114256

By

GSA has yet to approve any cloud products under FedRAMP

Up against a self-imposed Dec. 31 deadline, the government’s purchasing arm has yet to endorse any cloud products for quick acquisition. Some applicants and testers say the General Services Administration has been mum about the hoped for announcement on approvals.

Confusion over paperwork has complicated efforts for the Federal Risk and Authorization Management Program, or FedRAMP, according to interviews with cloud vendors and inspectors. FedRAMP, a security evaluation process, is intended to certify services for immediate use in any government agency. Inspections began in June.

Last week, GSA, which runs the program, released rules on the color scheme, placement and permitted uses of the FedRAMP seal of approval. Several auditors said constructive discussions about the contents of their evaluation reports and providers’ security plans have consumed more time than expected.

By

Cloud system contracts dictate updated acquisition strategy

As core enterprise systems move to the cloud, provisioning services in that environment could require revised training for acquisition officers. Existing rules, processes and culture need to be re-thought, said Dave McClure, associate administrator at the GSA’s office of citizen services and innovative technologies.

“The existing way in which we contract both for products and services in the government goes right up against the model for cloud, which is price elasticity, demand elasticity, so there’s still some hiccups there,” said McClure March 3 at the FOSE conference in Washington, D.C.

Some cloud computing contracts don’t have pricing elasticity truly built in, which could be a challenge as programs look to layer their applications and scale out an existing cloud infrastructure, said McClure.

Acquisition officers are “kind of hacking through, right now,” said Rob Carey, Defense Department deputy chief information officer. But it’s something the FedRAMP joint authorization board is acutely aware of, he added.

“In our pilots we have going, we’re finding those challenges,” said Carey. “We’re trying to make sure those lessons learned are poured into the Chief Acquisition Officers Council to say, how do you do this.”

Carey said this is simply what happens with the adoption of disruptive technology.

“You will continue to find challenges as we break through the edges of what some bright engineer thinks he can do or wants to do, and the contracting officer says, ‘Let me figure out how we can actually get that done for you,’” said Carey.

— by Molly Bernhart Walker.  This article appeared in Fierce Government IT on Apr. 4, 2012 at http://www.fiercegovernmentit.com/story/mcclure-cloud-services-require-acquisition-officers-retool/2012-04-04.

Contracting Academy Logo
75 Fifth Street, NW, Suite 300
Atlanta, GA 30308
info@ContractingAcademy.gatech.edu
Phone: 404-894-6109
Fax: 404-410-6885

RSS Twitter