In order to help drive standardization and compliance, DOI has issued a mandatory use policy for the procurement of cloud services. The SOW RFQ templates for SaaS, PaaS and IaaS are recommended in order to provide the most comprehensive set of requirements for your cloud services request. The templates also take into consideration the broadest possible scope of services needed for completing the Independent Government Cost Estimate (IGCE).
Yes, an IGCE (Independent Government Cost Estimate) is required as part of the RFQ package that the Acquisitions department sends out to the cloud services vendors.
Per the National Institute of Standards and Technology (NIST), Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources, such as networks, servers, storage, applications and services, that can be rapidly provisioned and released with minimal management effort or service provider interaction.
The three service models available for Cloud computing are Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS).
Per NIST, SaaS (Software as a Service) is the capability provided to the consumer to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
Per NIST, PaaS (Platform as a Service) is the capability provided to the consumer to deploy onto the cloud infrastructure consumer-created or acquired applications developed using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.
Per NIST, IaaS (Infrastructure as a Service) is the capability provided to the consumer to provision processing, storage, networks, and other fundamental computing resources, where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications, and possibly limited control of select networking components (e.g., host firewalls).
The Federal Risk and Authorization Management Program, or FedRAMP, is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP authorization does not encompass the privacy requirements that each agency is required to meet for cloud-hosted applications.
Each agency is responsible for meeting privacy requirements for cloud-hosted applications under the Federal Information Security Management Act (FISMA) of 2002, E-Government Act of 2002, and OMB M-03-22 policy. These include:
System of Records Notices (SORN),
Privacy Impact Assessments (PIA), and
Privacy awareness and role-based training.
ATO is an acronym for Authority to Operate. An ATO must be approved and maintained for any portion of a cloud solution that lies outside of the FedRAMP boundary.
The ATO will generally include:
the FISMA Classification,
Customer responsible controls and guidelines for implementation,
Trusted Internet Connection (TIC),
Multi-factor Authentication, and
Internet Protocol version 6 (IPv6).
FISMA is the Federal Information Security Management Act. It is legislation that defines a comprehensive framework to protect government information, operations, and assets against natural or man-made threats. FISMA was signed into law as part of the Electronic Government Act of 2002.
TIC is an acronym for Trusted Internet Connection. Per OMB Memorandum M-08-05, the purpose of the TIC is to optimize and standardize the security of individual external network connections currently in use by federal agencies, including connections to the Internet.
IPv6 is an acronym for Internet Protocol version 6, the most recent version of the Internet Protocol. IPv6 is the communications protocol that provides an identification and location system for computers on networks and routes traffic across the Internet.