Skip to main content

IaaS Security

Please respond to our RFI so we can assess whether we need a new cloud contract vehicle. Read the Cloud Request for Information (RFI) to learn how we're making cloud technologies and services available to government more effectively and efficiently.

Below are some highlights of how the IaaS BPA supports secure cloud infrastructure solutions:

  • All IaaS BPA industry partners support 2-Factor Authentication from both the provider’s and agency’s perspective.

  • Before accepting an award from an ordering activity, the BPA industry partners must complete the Assessment & Authorization (A&A) process at the Federal Information Security Management Act (FISMA) Moderate Impact Data Security Level, as administered by GSA or provide a FedRAMP provisional Authority to Operate.

  • Cloud Service Providers (CSPs) are responsible for costs associated with implementing, assessing, documenting and maintaining the FedRAMP control baseline.

  • Most IaaS BPA industry partners have elected to submit their security packages to the FedRAMP program in order to obtain FedRAMP certification as well.

  • The Assessment and Authorization (A&A) processes for IaaS BPA industry partners and FedRAMP are similar; authorizations achieved through FedRAMP will incorporate the IaaS security controls.

  • Location of work - All IaaS BPA industry partners are required to have a minimum of two geographic locations in the Continental United States of America (CONUS) and all services acquired under the BPA will reside in CONUS.