A recent RFI seeks examples of effective and problematic contract language as well as suggestions on how to incorporate cloud services into different contract vehicles for direct solicitations, resellers and system integrators.
When federal agencies acquire cloud services and products, they write requirements set under the Federal Risk and Authorization Management Program into their contracts. Unfortunately, sometimes those requirements are inconsistent or unclear.
To help agencies improve their cloud services contracts, the General Services Administration's Secure Cloud Portfolio division wants feedback from industry on agency attempts to enforce requirements via contract language.
General cloud service acquisitions can be derailed by confusion over deployment, portability, interoperability, data ownership, migration issues and integration with legacy systems. The request for information asks for specific examples of both effective and problematic contract language as well as suggestions on how to incorporate cloud services into different contract vehicles for direct solicitations, resellers and system integrators.
The FedRAMP process faces some similar issues but also suffers from confusion regarding the roles and responsibilities of vendors and their sponsoring agencies. Issues can arise when dealing with security assessments, FedRAMP requirements timelines and communication with agency officials over problems that develop. GSA wants examples that clearly delineate the roles, responsibilities and requirements of federal agencies and vendors when addressing FedRAMP requirements.
GSA also wants examples of clear and problematic language related to other security requirements, such as integration of personal identity verification and common access cards, background investigations of key personnel, encryption and data locations.
Some of the information collected from the RFI will be posted publicly to serve as a resource for agencies looking to leverage cloud services. Responses are due by Dec. 15.
More details from the RFI can be found here.
This article first appeared in FCW's sibling publication GCN.