FedRAMP wants agencies to speak industry’s language

FedRAMP Director Matt Goodrich.


Written by

When it comes to cloud procurement, not everybody speaks the same language.

That’s why the General Services Administration’s Secure Cloud Portfolio team wants to create contract language guidance for agencies to use in their cloud acquisitions through the Federal Risk and Authorization Management Program.

The FedRAMP team at GSA issued a request for information hoping to “identify examples of preferred contract language agencies should incorporate to convey FedRAMP requirements in their solicitations,” according to a blog post. “These examples will be used to generate guidance and education for agencies.”

The problem is that agencies often struggle to “provide clear requirements for cloud services or ascribe legacy requirements to this new paradigm,” the RFI explains. “These discrepancies seem particularly pronounced around things like deployment models, portability, interoperability, data ownership, SLAs, migration requirements, integration requirements with agency systems, etc.”

FedRAMP wants industry to respond with comments to its GitHub page giving “examples of both positive and problematic clauses so that we may develop better guidance that leads to better outcomes for both government and industry.” The team also seeks “new and creative examples of industry suggested contract language that could be leveraged as well.”

The questions in the RFI focus on general cloud contract language, the FedRAMP and authority to operate process, and other specific security requirements — again asking for both positive and negative examples in each case.

The hope is this “partnership with industry would help all of us better scope and scale the adoption of cloud technologies and associated services with even more detailed guidance.”

Responses are due by Dec. 15.

The FedRAMP program office has spent much of the past two years working to improve the cloud acquisition process for both agencies and industry.

FedRAMP Director Matt Goodrich spoke recently about the evolving FedRAMP process and how the Trump administration’s cybersecurity executive order will make it easier for agencies to adhere to the cloud standards. Also, in September, the office released the FedRAMP Tailored baseline, which spotlights low-impact Software-as-a-Service systems offered by cloud services providers to help give agencies options for flexible cloud adoption.

-In this Story-

FedRAMP, General Services Administration (GSA), request for information (RFI)