IaaS Security

Review the Vendor ATO (Authority to Operate) Status (PDF, 129 KB) document to see which industry partners have ATOs for the three IaaS BPA service offerings.

Below are some highlights of how the IaaS BPA supports secure cloud infrastructure solutions:

  • All IaaS BPA industry partners support 2-Factor Authentication from both the provider’s and agency’s perspective.

  • Before accepting an award from an ordering activity, the BPA industry partners must complete the Assessment & Authorization (A&A) process at the Federal Information Security Management Act (FISMA) Moderate Impact Data Security Level, as administered by GSA, or provide a FedRAMP provisional Authority to Operate.

  • Cloud Service Providers (CSPs) are responsible for costs associated with implementing, assessing, documenting and maintaining the FedRAMP control baseline.

  • Most IaaS BPA industry partners have elected to submit their security packages to the FedRAMP program in order to obtain FedRAMP certification as well.

  • ATOs granted under the GSA IaaS BPA can be leveraged by any federal agency for the FIPS-199 Moderate Impact Level or lower. This makes it easier, faster and less costly for agencies to acquire cloud services and take advantage of the benefits of cloud computing.

  • The Assessment and Authorization (A&A) processes for IaaS BPA industry partners and FedRAMP are similar; authorizations achieved through FedRAMP will incorporate the IaaS security controls.

  • Location of work - All IaaS BPA industry partners are required to have a minimum of two geographic locations in the Continental United States of America (CONUS) and all services acquired under the BPA will reside in CONUS.