New GSA Pricing Rule Met with Wariness from Industry

The General Services Administration's (GSA) proposal to amend acquisition rules to collect contractor pricing information is raising concerns across industry. The change was proposed in March 2015, and a public meeting was held in mid-April to discuss its impact.

The March 2015 Federal Register announcement explained that, “GSA is creating a Common Acquisition Platform (CAP), an online marketplace to identify best-in-class contracts issued by GSA or other agencies, best practices, and other information agencies need to reduce the proliferation of duplicative contract vehicles and deliver the best value possible to federal customers and the American people. A critical component of the CAP, and smarter buying in general, is the availability of the prices previously paid by other government buyers for a similar product or service under similar terms and conditions. Government buyers will be able to use that data, in combination with other relevant information—such as customer satisfaction with the performance of the contractor-furnished solution—to determine fair and reasonable pricing as part of a best value solution.”

The proposed rule would introduce a transactional data reporting clause that would support GSA’s price analysis and better determine reasonable pricing for Federal Supply Schedule (FSS) and non-FSS vehicles. This clause would take immediate effect for GSA’s government-wide non-FSS vehicles. FSS vehicles would introduce the change in phases. Although government customers have benefited from price reductions in the past, these have typically resulted from voluntary clauses like market rate pricing, rather than from mandatory customer tracking. GSA completed analysis of modifications for nine of its FSS contracts from October 1, 2013 until August 4, 2014. These contract vehicles included several favored by agencies for IT products and services: Schedule 70, Mission Oriented Business Integrated Solutions (MOBIS), and Professional Engineering Services. Findings from this analysis revealed that only about 3 percent of price reductions were linked to the customer tracking. Most decreases (around 78 percent) resulted from adjustments to commercial pricelists and market rate changes. GSA concluded that the findings supported attempting a different approach to making better pricing available.

During the public meeting on April 17, leadership from GSA indicated that the changes to acquisition rules would help the agency clear hurdles it faces with growing contracts, price variation across vehicles, lack of transparency and outdated guidelines. Once the transactional data reporting clause is implemented, the organization anticipates benefits including better pricing, administrative savings, increased opportunities for small business participation, and standardization of practice. GSA’s Kevin Youel-Page informed attendees that in early May the Federal Acquisition Service will launch an improved automated price reductions tool for schedule contract holders. 

Federal News Radio and FCW reported on reactions from industry, suggesting a mixed reception. Despite cautious optimism, concerns persist around the security of vendor data, the cost of information collection systems, and potential unintended consequences of the new policies. The Common Acquisition Platform is one of several efforts GSA has introduced to improve federal acquisition. Other initiatives include activities aligned with contract data analysis and category management. As these projects work to deliver greater savings to government buyers, GSA leadership has expressed interest in working with industry to better understand the burdens and implications of adopting an increasingly data-driven approach to acquisition.


Originally published for Federal Industry Analysis: Analysts Perspectives Blog. Stay ahead of the competition by discovering more about GovWinIQ. Follow me on Twitter @FIAGovWin.


Half-way Through FY 2015, How Much Are Agencies Spending on Contracts?

It's April, and that means we are halfway through fiscal year (FY) 2015. So I thought I would take a look at the available federal contracting data to see what we can tell so far about how much federal departments have spent on contracts at the mid-point of the year, and what might be in store for us in the second half of FY 2015.

For comparison and context, I looked at the federal contract obligations reported for each federal agency for FY 2014, quarter by quarter, and then the first two fiscal quarters of FY 2015, which just closed at the end of March. Then, to get what I thought would be a conservative estimate of what spending might look like for the remainder of FY 2015, I took 90% of each agency's total FY 2014 contract spending and subtracted what agencies have already reported for actual Q1 and Q2 contract spending. In other words, my assumption is that agencies will spend at least 90% of what they did last year. Finally, based on this 90% spending assumption, I calculated each agency's FY 2015 Q1 and Q2 obligations as percentages of its total (90%) estimated obligations.

Contract Obligations Compared

Historically, the twenty top-spending departments accounted for about 98% of all federal contract obligations, so I focused my attention on these departments. In FY 2014, these accounted for $85.9B and $105.2B in total contract obligations for Q1 and Q2 respectively. For comparison, these departments reported $104.7B and $141.7B in contract obligations for Q3 and Q4 respectively for FY 2014. (See table below.)

In FY 2015, these top twenty have reported $89.3B and $34.1B for Q1 and Q2 respectively, although DoD lags in their financial reporting by up to 90 days so Q2 is understated. Still, if these top agencies spend 90% of what they did in all of FY 2014 they will have more than $270B left to obligate in the remaining two quarters of this fiscal year.


  • A handful of departments have Q1 FY 2015 obligations lower than they did in Q1 of FY 2014 (DoD, USAF, State, DoT, Ed, and Labor). Most have marginally higher obligations year-over-year, although Navy reported over $6B (+40%) more in obligations in Q1 in FY 2015 than last year.
  • More departments appear to be lagging in Q2 FY 2015 compared to Q2 of last year and some of these are fairly large relative proportions. For example, HHS shows a $1B (-24%) decrease in Q2. Similarly, VA has reported a $1.1B (-30%) decrease. Finally, State, GSA, and DOT each have reported about a 50% drop in Q2 FY 2015 obligations from Q2 FY 2014. Of course, given the DoD’s three-month reporting delay we will not know the contracting rates among those departments until this summer.
  • Taken together, the four defense branches in Q1 FY 2015 have reported $3B more in obligations than they reported in Q1 of FY 2014, although the DoD and Air Force have reported lower levels year-over-year.  

A graphical representation of the relative proportions of each department’s contract spending gives a sense of seasonality and/or changes from year to year. Due to the sheer number of departments I have split these into Defense and Civilian segments. This further highlights the yearly changes for Navy, HHS, VA, State, GSA, and DOT. (See charts below.)



This kind of macro-level analysis is useful in getting a general sense of quarterly and yearly patterns across the departments. Of course, the remaining FY 2015 obligation estimation depends on its main 90% assumption. Last year, this approach pointed to roughly $285B in combined FY 2014 Q3 and Q4 obligations among the top twenty departments. A year later, the final FY 2014 Q3 and Q4 data shows that actual obligations came in at $246.4B, so at first glance it appears that my 90% assumption was a bit optimistic. However, the difference turns out to be a matter of timing rather than magnitude. The final FY 2014 Q1 and Q2 obligations given above come in at $69B higher than what agencies reported at this time last year, reflecting revisions due to lagging obligation data being added later in the year. So the numbers effectively washed out once the dust settled. Unfortunately, there is no reliable way of predicting how consistently agencies will report their contract spending from year to year.

As most federal business development people will attest, understanding your agency's spending patterns goes a long way toward being able to work with them successfully to get contracts awarded, as well as toward developing your yearly business plan.

Originally published for Federal Industry Analysis: Analysts Perspectives Blog. Stay ahead of the competition by discovering more about GovWin FIA. Follow me on Twitter @GovWinSlye.


Federal Acquisition Improvement Takes Aim at IT

With over 3,300 contracting units across the government, collaborating to share information and best practices can be challenging. Back in December 2014, the Office of Management and Budget's Office of Federal Procurement Policy (OFPP) described near-term actions to transform federal procurement.

OFPP administrator Anne Rung’s memo to federal agencies outlined current priorities to transform government buying. These areas include category management, acquisition workforce and processes, and government-industry communication. Milestones for many of the efforts and actions associated with these areas will be approaching in the next few months. 

Category Management

OFPP aims to shift from managing government purchases and prices individually to establishing categories for common spending and costs. Unnecessary duplication of contracts across government for similar goods and services burdens vendors with proposal preparation costs and administrative expenses, which can have a significant impact on small businesses. This shift in government buying includes promotion of strategic sourcing, in particular looking to optimize the $25 billion the government spends annually on commodity IT. To support this push, the General Services Administration is cataloging prices paid for IT goods and providing access to contract details for related products to highlight best practices. 

Talent Management and Innovation

The Office of Science and Technology Policy (OSTP) and OFPP are taking steps to encourage adoption of best practices in government purchasing of digital services and to foster innovation. These steps have included releasing a draft of the TechFAR Handbook and exploring case studies of resourceful contracting practices. OSTP and OFPP are collaborating on a plan to increase the government's digital acquisition capabilities. To further support these efforts, the U.S. Digital Service is expected to launch a pilot program for training agency personnel in digital acquisition. One of the areas targeted for these activities is agile development.

Strengthen Government-Industry Relationships

OFPP is developing an approach to improve communication between government and industry. Guidance is in the works to allow open feedback from industry on acquisition process improvement and to identify trends and issues. The guidance will shape Acquisition 360, an effort to formalize the agency collection of feedback related to acquisition processes and identify areas for improvement. The focus on strengthening relationships includes establishing enterprise-wide vendor managers, a step that will begin with recruiting vendor managers to support relationships with key IT commercial contractors. 

While these efforts will address all government buying, near-term efforts are zeroing in on agency IT. In particular, activities related to category management are expected to really dig into how agencies are buying technology products and services. It is worth noting, however, that the plans associated with this transformation initiative do not paint a picture of a sudden, new reality. Rather, they suggest ongoing activities to strategically reshape the landscape of government acquisition. As these current transformation efforts continue, pockets of advancement in different contracting organizations will contribute to gradual change across the government.


Originally published for Federal Industry Analysis: Analysts Perspectives Blog. Stay ahead of the competition by discovering more about GovWinIQ. Follow me on Twitter @FIAGovWin.


Defense Cloud Security Guidance Aims to Empower Military Services

In mid-January 2015, the Defense Department's (DOD) Defense Information Systems Agency (DISA) released guidance for the use of commercial and non-DOD cloud providers within the DOD.

Since the DISA publication is a Security Requirements Guide (SRG), it offers non-product specific requirements to mitigate risks associated with commonly encountered IT system vulnerabilities. While SRGs provide high level direction, Security Technical Implementation Guides (STIGs) offer product-specific details for validating, attaining, and maintaining compliance with the SRG requirements.

The previously published Cloud Security Model outlined 6 Information Impact Levels. Although the DOD cloud computing SRG has reduced the number to 4 impact levels, the numeric designators remain consistent with the previously published model. DOD provisional risk assessments for cloud services focus on evaluating the requirements for the impact levels at which a cloud service offering is supported by a provider.  Provisional authorization is then leveraged by the mission owner in granting authority to operate (ATO) for mission systems operating in the cloud.

The security control baseline for all levels aligns with the FedRAMP moderate baseline’s definition for confidentiality and integrity. This shift from high confidentiality and high integrity intends to support the categorization of customer systems targeted to be deployed to commercial CSP facilities. The 15 December 2014 CIO memo called out FedRAMP as the minimum security baseline for all DOD cloud services and advised that defense components “may host unclassified DOD information that has been publicly released on FedRAMP approved cloud services.”

The DISA cloud computing SRG covers systems up to the Secret level of classification. Services running at classification levels above Secret, including compartmented information, are governed by other policies and fall outside the scope of the guidance DISA released. The General Services Administration's (GSA) Federal Risk and Authorization Management Program (FedRAMP) aims to have a cloud security baseline established for FISMA high requirements within the next six months. DISA plans to consider incorporating the FedRAMP High Baseline into its guidance once it becomes available.

Ultimately, CSPs have three paths to choose from in pursuing a DOD provisional authorization. One option is to achieve a provisional authorization through FedRAMP's Joint Authorization Board (JAB). Another option is to achieve a FedRAMP Agency ATO by completing the FedRAMP compliance process as well as meeting any additional security control requirements from the authorizing agency. The third option is for a system to comply with the requirements for a DOD Self-Assessed Provisional Authorization. The concept of FedRAMP Plus (FedRAMP+) applies to situations where an agency has specific security requirements beyond the FedRAMP baseline. Within the DOD SRG, these additional security controls and requirements are necessary to meet and assure DOD's mission requirements.

Like FedRAMP’s intention to allow agencies to take a greater role in steering commercial cloud authorizations, DISA’s guidance will empower the military services to procure their own solutions and leverage the government’s work through FedRAMP. Considering the trend toward shared service adoption, after a cloud solution is adopted by one service branch, other defense components may look to implement FedRAMP+ solutions or DISA may evaluate that solution for potential formal shared service use.


Originally published for Federal Industry Analysis: Analysts Perspectives Blog. Stay ahead of the competition by discovering more about GovWinIQ. Follow me on Twitter @FIAGovWin.

Federal Cloud Security Program Charts Course for Ramp Up

The program in charge of the government's cloud security baseline has outlined its plan to target key issues in the months ahead.

It's been several years since the government started to address challenges around cloud security by establishing a cloud security baseline. The General Services Administration's (GSA) Federal Risk and Authorization Management Program (FedRAMP) set out with the goal to "do once, use many times" when it comes to security authorizations. During the first two years of FedRAMP activities, achievements included:

  • More than 50 Cloud Service Providers (CSPs) are engaged in the FedRAMP process.
  • 27 CSPs have completed the FedRAMP compliance process.
  • These authorizations address over 160 FISMA implementations.
  • The Third Party Assessment Organization (3PAO) accreditation program has been established and 31 independent auditors have received accreditation. Two thirds of these auditors are small businesses.
  • Nearly every federal agency is participating in FedRAMP.

In mid-December 2014, FedRAMP revealed its new logo and program roadmap for the next two years. The document outlines the program's priorities. The goals include:

1) Increase stakeholder engagement
  • Expand agency implementation of FedRAMP
  • Increase cross-agency collaboration
  • Promote greater understanding of FedRAMP

2) Improve efficiencies
  • Greater consistency and quality of 3PAO assessments and deliverables
  • Create a flexible framework for data and workflow management
  • Align with and leverage existing security standards

3) Continue to adapt
  • Continuous Monitoring will advance and evolve
  • Establish additional baselines
  • Integrate further with cybersecurity initiatives and contribute to policy reform

Over the next six months, program activities in pursuit of these objectives will include establishing a baseline for FedRAMP use across the federal government, providing implementation guidance for agency authority to operate (ATO), outlining a multi-agency authorization methodology, launching an online training program, re-launching the website, collaborating with the Office of Management and Budget and the Office of Federal Procurement Policy to develop and publish procurement guidance, releasing a draft baseline for FISMA high security controls, and publishing a roadmap for evolving continuous monitoring. The list goes on to include laying out guidelines for addressing inconsistencies in security assessments and providing key indicators for officials performing risk analysis. In line with these goals, just before the end of the year, FedRAMP issued updated guidance for agency review of authority to operate (ATO). As a whole, these initiatives lay the groundwork that will be built upon over the next two years to make the cloud security program more robust. From its outset, FedRAMP described its gradual approach as "crawl, walk, run," and the program does indeed seem to be picking up the pace.


Originally published for Federal Industry Analysis: Analysts Perspectives Blog. Stay ahead of the competition by discovering more about GovWinIQ. Follow me on Twitter @FIAGovWin.


GSA Progresses with Implementation of Category Management Method of Acquisition

GSA is piloting a Common Acquisition Portal (CAP) as part of its Category Management Initiative launched in April. 

Category Management is the concept of grouping products and services into categories or "hallways" for access by contracting officers and program managers. Category management is how the most successful Fortune 500 companies approach acquisition. It focuses on five key areas:

  • Optimizing contract vehicles and managing the landscape  
  • Managing data collection and analysis  
  • Leveraging supplier relationships  
  • Maximizing customer relationships  
  • Growing and sharing expertise

For GSA's Federal Acquisition Service, this will mean identifying core categories of business in which it will develop a higher level of expertise and manage like a strategic business unit. That expertise will be leveraged to direct buyers to the best solutions for them while streamlining the procurement process.

GSA officials gave a briefing on the CAP project at the recent ACT-IAC Executive Leadership Conference. "Right now there are tens of thousands of contracts across our government," said Tom Sharpe, commissioner of GSA's Federal Acquisition Service. "One company alone can have hundreds of contracts with the federal government; there is a way to radically change federal procurement, and it's as simple as working and acting as one."

Online access to CAP will occur through an "acquisitions gateway," which will guide users through their category and procurement options. The gateway is currently under development. A beta version of the gateway was launched in early October with three hallways: IT hardware, IT software and office supplies.

Over time, the hallways will be developed with information and services to continuously improve acquisition outcomes.  Ultimately, the solution will provide the following capabilities:  

  • Procurement Optimizer:  A comprehensive contract-comparison search engine that enhances competition for government acquisition 
  • Market Intelligence Center:  Category-centric market research materials that guide purchase decisions based on category manager’s government-wide expertise  
  • Clear View:  Real-time data on pricing and purchasing, as well as assessment tools that help provide a big-picture view of government and individual agency spending behavior  
  • Collaborative Contracting Library:  Provides a resource to jump-start procurements with a central repository of exemplary contract work for complex buys compiled by community experts.  
  • eMarketplace:  An eCommerce transaction platform for simple purchases

GSA’s goal is to streamline and simplify the federal acquisition process, and to help agencies be more efficient and make smarter buying choices.


FedRAMP Adds “Ready” Category

The goal behind the Federal Risk and Authorization Management Program (FedRAMP) is to streamline the cloud security authorization process. In support of this goal, it established a government-wide cloud security baseline (for FISMA low to moderate levels) and a process for evaluating cloud solutions. While the initiative described a crawl-walk-run approach from the outset, delays around reviews and authorizations seem to have triggered an adjustment to the strategy.

The Office of Management and Budget (OMB) set June 5, 2014 as a deadline for cloud vendors to comply with federal cloud security certification. Since FedRAMP launched initial operations in June 2012, fewer than 20 total authorizations for cloud solutions to operate have been awarded by the FedRAMP Joint Authorization Board (JAB) and federal agencies. The need to transition to a new security baseline (as a result of updated guidance from NIST) adds another piece to the bottleneck around getting solutions through the FedRAMP review process. 

To help speed the process along, in mid-October 2014 a category was added to the queue to call out cloud solutions that have completed their documentation and gone through a readiness review by the FedRAMP PMO. According to Matt Goodrich, the acting FedRAMP director, "FedRAMP Ready systems have documentation that has been reviewed by the FedRAMP PMO and at a minimum have gone through the FedRAMP PMO readiness review process." Since the bar for being included in the FedRAMP Ready roster is set low, cloud service providers (CSPs) can be listed even with work remaining to become FedRAMP compliant. Although authority to operate (ATO) must come from the FedRAMP JAB or an agency, the FedRAMP office has also described a third, "CSP supplied" path to authorization, which could feed easily into the FedRAMP Ready ranks should vendors submit prepared documentation and testing for readiness review.

This new category provides increased visibility to CSPs pursuing FedRAMP compliance. It also allows the FedRAMP PMO to draw attention to open source solutions and build specifications that agencies can deploy. A week after announcing the new category, there are four systems listed as FedRAMP Ready. If agencies need to explore beyond the solutions that have completed the FedRAMP process, this category offers them a starting point and provides information about how far a solution is from compliance. This development strengthens the case for vendors to target achieving FedRAMP compliance in cooperation with an agency. Any additional activities planned to further support agency procurement may be announced at the beginning of November 2014, when the FedRAMP office is expected to release its roadmap for the next year.



Originally published in the GovWin FIA Analysts Perspectives Blog. Follow me on Twitter @FIAGovWin.


Cybersecurity Meets Soap Opera in CDM Dashboard Competition

In a budget-constrained federal IT market the competition for cybersecurity work is bound to become increasingly competitive, even cut-throat. And when things get this way a certain amount of drama is sure to follow. Such is the case with the Department of Homeland Security's Continuous Diagnostics and Mitigation (CDM) Dashboard tools competition, where a premature award announcement has combined with accusations of acquisition rule-breaking to add controversy to the process.

DHS announced last summer the creation of its $6 billion Continuous Diagnostics & Mitigation (CDM) program BPA with awards to 17 primes and more than 20 subcontractors. The government-wide effort is in partnership with the General Services Administration (GSA) which is acting as the procurement agency and has established a portal to facilitate CDM program purchases. Last March, GSA awarded a contract for the CDM Dashboard design and implementation effort to Metrica Team Venture. So far, so good.

The drama started when an official with RSA announced in a blog post that DHS has selected RSA Archer's GRC solution for its CDM Dashboard effort. FCW first reported on the unofficial award announcement before the story was later clarified that RSA’s product is a finalist for the contract, but the selection process is not yet complete.  (The RSA official’s blog post has since been deleted.)

The story gained further drama when it came to light that the firm that had won the Alliant Small Business contract to evaluate the CDM Dashboard tools bid, Metrica Team Venture, is being accused of allowing one of its team members, InfoReliance, to market the RSA products (another team member) during the period between GSA's awarding the Alliant Small Business contract to Metrica and the agency's decision on the Dashboard vendor.  Agiliance, the firm that has brought the complaint to GSA, is asserting organizational conflict of interest (OCI) and marketing practices that are forbidden under federal acquisition rules, according to a subsequent article in which FCW appears to have seen their letter to GSA.

To make things even more colorful, Agiliance’s letter to GSA is not a formal protest. It is unclear whether the move was made to preempt the need for Agiliance to protest the forthcoming DHS Dashboard tool award or if it was because Agiliance is not an Alliant Small Business contract holder, or both. Either way, it’s clear that they are trying to get GSA to take a closer look at the process that is unfolding and to take action.

These events underscore how competitive the market has become and will continue to be in the close-knit world of cybersecurity. In an era where winning or losing a contract can mean life or death for a company, it is crucial that vendors know the acquisition rules and keep solid documentation of their processes for their own protection. Further, any appearance of possible impropriety, even if none exists, will raise hackles in an increasingly competitive market where awards are often "winner takes all."

Also, Agiliance’s letter to GSA could be considered a form of “protest by another name” where a company sees anomalies that raise their concern enough to look for ways to raise a flag in a formal way. Such methods may grow in frequency as federal agencies look for efficiencies in their acquisition processes like turning to GSA or another agency to facilitate procurements.

Originally published in the GovWin FIA Analysts Perspectives Blog. Follow me on Twitter @GovWinSlye.

Raising the Stakes of Contractor Past Performance Information

Contractor past performance information is one tool federal agencies are being pressed to use more effectively to guard against acquisition risk, and recent White House acquisition policy and a Government Accountability Office (GAO) assessment signal that the pressure in this area will only continue to grow. Some efforts are fairly standard government approaches, but others expand into new areas and have implications for both agencies and their contracting companies.

The Office of Federal Procurement Policy (OFPP) has issued numerous reporting compliance guidelines and recommendations over the last half-decade or more to move agencies to improve their reporting of contractor past performance. Further, Congress has included past performance reporting mandates in the last several National Defense Authorization Acts (NDAA). In typical fashion, GAO is looking for continued signs that these efforts are materializing so that agencies have this information available to make informed acquisition decisions.

Most Agencies Fall Short of Contractor Past Performance Reporting Compliance Targets

In August, the GAO released an assessment of how federal agencies were doing with regard to improving their reporting of contractor past performance information. According to OFPP’s annual reporting performance targets, agencies should have been at least 65 percent compliant by the end of fiscal year 2013. GAO found that agencies generally have improved their level of compliance with past performance reporting requirements issued by OFPP. However, the rate of compliance varies widely by agency and most have not met OFPP targets. As of April 2014, for the top 10 agencies, based on the number of contracts requiring an evaluation, the compliance rate ranged from 13 to 83 percent and only two of the top 10 agencies were above 65 percent compliance. (See chart below.)


OFPP Expanding Scope of Contractor Past Performance Information

In July, the OFPP directed agencies to research past performance more deeply before awarding complex IT development, systems and services contracts greater than $500 thousand in value. Further, OFPP directed agencies to expand the scope of the research processes used to collect contractors’ past performance information during source selection.

In order to have the most relevant, recent, and meaningful information about potential contracting partners considered in the pre-award phase of the acquisition process, agencies were instructed to have their acquisition officials perform the following steps:

  • Recent Contracts - Contact contracting officers (COs) and/or Program Managers (PMs) on at least 2 of the contractor's largest, most recent contracts to review work history.
  • News Searches - Review articles and publications (including GAO and IG reports) on contractor performance and business integrity.
  • Commercial Sources - Review public sources and databases for business reviews, customer evaluations, contractor management reports, etc.
  • References - Request 3-5 references from public and commercial customers, partners, subcontractors, etc. for work done in the past 3-5 years.
  • Teaming Partners - Request past performance information on subcontractors and team arrangements.


The impacts on agencies and contractors alike include greater time and effort (i.e. expense) in collecting and providing this performance information. This will stretch an already overly tasked federal acquisition workforce even further and will require that contractors pay broader attention to their performance reputations and those of their teaming partners.

The new OFPP directives and others like them will also likely extend the time it takes to complete the source selection process on applicable acquisitions, at least until all sides of the acquisition process build some repeatable processes and efficiencies into their systems.

What we can hope for in the end is more transparency, better managed acquisitions with fewer protests, and overall better performing contracts that meet the government’s goals with economy and efficiency and provide business growth opportunities along the way.

Originally published in the GovWin FIA Analysts Perspectives Blog. Follow me on Twitter @GovWinSlye.

GSA Seeks Industry Input on Updates to Cloud Security Reporting

On August 21, 2014, the General Services Administration (GSA) Federal Risk and Authorization Management Program (FedRAMP) office released draft guidance on several aspects of cloud security, including continuous monitoring and test cases for incident response. The program office is seeking feedback from industry as FedRAMP works towards consistent monitoring and reporting requirements for providers.

The four FedRAMP documents for which GSA is currently seeking industry input address continuous monitoring requirements and the incident response process. The office is also looking for feedback on updated test cases for incident response and vulnerability scanning.

Evolution of FedRAMP Continuous Monitoring Framework: The program office is looking for suggestions on how the continuous monitoring program should evolve. In particular, they are looking for improvements to the current continuous monitoring process and ways to support security authorizations in cloud environments using a risk-based approach.


FedRAMP Continuous Monitoring Reporting and Plan of Action and Milestones (POA&M) Templates: Looking to standardize continuous monitoring reporting across FedRAMP, the program office is accepting public commentary on draft definitions and requirements to address monthly reporting summaries and milestones. This guidance aims to assist cloud service providers in standardizing and submitting their monthly reporting data.


Incident Response Requirements and Process Clarification: Noting weaknesses in how some cloud service providers report (actual or potential) security incidents to stakeholders, the FedRAMP office is revising the IR-6 test case language and submitting the changes for public comment. New language has been added to help ensure that provider incident reporting policies, procedures, and plans include notification of the FedRAMP office and US-CERT, and that tests are run to verify that these stakeholders would actually receive notification.


Vulnerability Scanning Requirements and Process Clarification: Two issues related to the RA-5 test case have prompted language revisions. The first issue involves the need to confirm links between the scanning process and related processes such as configuration management and change management. Establishing this link helps to prevent introducing a new component with known vulnerabilities. The other issue is related to potential inconsistencies in system assessments that could result from independent assessors using different vulnerability scanning tools (or the same tool with different configurations) than the vendor uses for continuous monitoring and reporting. To address these issues, language has been added to the RA-5 control requirements.


The documents will remain open for public comment for a 30-day period ending September 19, 2014.

FedRAMP Program Update

So far, seventeen services have completed the process and achieved FedRAMP authorizations. Twelve cloud services have received FedRAMP Joint Authorization Board (JAB) provisional authorization, and five cloud services have FedRAMP agency authorizations. The FedRAMP office continues to work through evaluations of provider applications. According to the program office, nearly thirty services are in process: fifteen cloud services are in the process of obtaining a JAB provisional authorization, and twelve cloud services are in process for agency authorization.

In the past several months, the FedRAMP office has hosted information sessions for government and industry. Back in June 2014, the FedRAMP PMO released document and template updates on the transition to a baseline of revised security controls. Presentation material and recordings of webinars addressing these topics are now available on demand.


Originally published in the GovWin FIA Analysts Perspectives Blog. Follow me on Twitter @FIAGovWin.
