Co-authored by: Melinda Lewis

On November 18, 2014, the General Services Administration ("GSA") hosted an Industry Day seeking feedback on its proposal to add a Cloud Computing Special Item Number ("SIN") on its IT Multiple Award Schedule 70 ("MAS IT-70").  A SIN is GSA's categorization method that groups similar products, services, and solutions together to make the acquisition process easier.  This move is not surprising in light of the Government's "Cloud First" policy (announced in 2011), which requires agencies to evaluate cloud computing options "whenever a secure, reliable, and cost-effective option exists."  Further, GSA's latest proposal noted that a cloud SIN "would ... enabl[e] agencies to take full advantage of cloud computing benefits to maximize capacity utilization, improve IT flexibility and responsiveness, and minimize cost."  In the end, by offering a cloud-specific SIN, GSA hopes to drive more value into the schedules program by providing cloud-based options more rapidly and easily than before.  This article will give you a brief overview of the new, proposed SIN.

Currently, cloud services are provided for on IT-70 under three separate SINs: 132-32 (Term Software Licenses), 132-51 (IT Professional Services), and 132-52 (Electronic Commerce and Subscription Services).  These SINs, however, are extremely broad and apply to all IT providers – not cloud providers specifically.  While cloud providers may be permitted to continue using these SINs after the new cloud-specific SIN is opened, the new SIN is intended to be the exclusive "marketplace" for cloud providers.  Why is this significant?  Simplicity.  Efficiency.  And perhaps even an increased likelihood that federal buyers will get exactly what they want.  It is the IT-equivalent of a wife sending her husband to a department store to purchase a pashmina versus sending him to a store that sells only pashminas.  Yes, the husband may figure out eventually what a pashmina is and where it is located, but sending him straight to the specialty shop saves him time and stress (likely two-fold after the husband has to return the scarf he probably purchased rather than the requested pashmina).

The Proposed Cloud SIN

As proposed, Cloud Service Providers ("CSPs") would be eligible to sell cloud products under this new SIN provided they meet the five basic capabilities outlined in the National Institute for Standards and Technology ("NIST") Definition of Cloud Computing, SP 800-145:

  1. On Demand Self Service: CSPs must be capable of responding automatically to changes in demand level while maintaining pre-agreed levels of service;
  2. Broad Network Access: The CSP networks must be capable of responding simultaneously to numerous individual efforts to access the network from a variety of platforms, while maintaining pre-agreed levels of service;
  3. Resource Pooling: Computing resources must be pooled using a multi-tenant model to serve multiple federal agencies, assigning and reassigning resources "dynamically" in response to demand;
  4. Rapid Elasticity: CSPs must be capable of responding immediately to upward and downward variations in demand while maintaining pre-agreed levels of service; and
  5. Measured Service: CSPs must be paid on a "pay-per-use" basis.

CSPs would be required to certify to all five capabilities (regardless of whether the agency actually requests or implements a particular capability) and would be encouraged to select one of three different sub-categories for each proposed service – (1) Infrastructure as a Service ("IaaS"), (2) Platform as a Service ("PaaS"), or (3) Software as a Service ("SaaS").  While these sub-categories would not be "required," GSA has cautioned that CSPs should not invent other categorizations because that would prevent agencies from comparing similar cloud offerings.

Additional requirements under the proposed SIN would direct CSPs to certify that the Government retains ownership of all data, user-loaded software, and any application or product that is developed and that, at the Government's request and for any reason, the CSP will transfer data according to industry standards.

CSPs would also be required to report on six other areas:

| Reporting Requirement | Instructions |
| --- | --- |
| 1. Deployment Model | Select at least one deployment model based on the NIST definition: Private Cloud, Public Cloud, Community Cloud, and/or Hybrid Cloud. |
| 2. FISMA or Information Assurance/Security Requirement Certifications | List relevant security certifications or standards met by the service. |
| 3. FedRAMP Status | List the current FedRAMP status of the service. Note: There are no restrictions under the SIN for FedRAMP status. |
| 4. Privacy and Accessibility | Indicate any agencies certifying that the service is in compliance with policies on Personally Identifying Information ("PII"), Section 508 Accessibility, and additional optional compliances such as HIPAA (relating to private medical information). |
| 5. Geographic Requirements | Certify capabilities for geographic restriction on data and processing location. |
| 6. Data Center Distribution | Describe available data center locations and capabilities to distribute processing and data across multiple centers. |

Other noteworthy aspects of the proposed SIN are potential restrictions that would limit the scope of the cloud services being offered, such as restricting the hours of availability for consulting services/call-in support.  By limiting the proposed SIN to the product purchase only, GSA appears to want its other IT SINs – not the new, proposed cloud SIN – to serve as the appropriate avenue for an agency to purchase a vendor's consulting services.  If this sentiment is adopted when the SIN takes its final form, industry may need to be proactive and educate agencies on how to structure cloud procurements, ensuring that the agency is receiving all that it hopes to receive in its procurement – that is, to make sure they get the pashmina they want and not the scarf they unknowingly requested.

Remaining Areas of Concern for Cloud SIN

GSA has admitted that it needs to resolve several key issues before the SIN proposal is final and ready for review.  For example, GSA is considering posting vendor accreditation on its site but worries that this may imply favoritism for certain vendors.  Moreover, it might ultimately result in a Sisyphean task because accreditation can change so rapidly.  If GSA is unable to keep up with changes to CSPs' credentials, then the list quickly becomes outdated, unreliable, and counter-productive.  Similarly, GSA is grappling with whether existing cloud BPA vendors will need to re-certify that they meet the five NIST criteria listed above.  As a result, GSA has promised a Transition Plan to address these types of questions for the final SIN.

Before any final decision is made, GSA wants to continue the dialogue with industry and is seeking feedback on its draft Cloud SIN Terms and Conditions (available here).  All questions and comments must be received by the GSA (at cloud-sin-rfi@gsa.gov) by Thursday, January 15, 2015.
