IaaS Security

Although the ordering period for this Cloud IaaS BPA has closed, there are many more cloud acquisition vehicles available from GSA and other resources. Please contact the GSA cloud program management office (cloudpmo@gsa.gov) for more information and help with acquiring cloud services for your agency.

Below are some highlights of how the IaaS BPA supports secure cloud infrastructure solutions:

  • All IaaS BPA industry partners support 2-Factor Authentication from both the provider’s and agency’s perspective.

  • Before accepting an award from an ordering activity, the BPA industry partners must complete the Assessment & Authorization (A&A) process at the Federal Information Security Management Act (FISMA) Moderate Impact Data Security Level, as administered by GSA or provide a FedRAMP provisional Authority to Operate.

  • Cloud Service Providers (CSPs) are responsible for costs associated with implementing, assessing, documenting and maintaining the FedRAMP control baseline.

  • Most IaaS BPA industry partners have elected to submit their security packages to the FedRAMP program in order to obtain FedRAMP certification as well.

  • The Assessment and Authorization (A&A) processes for IaaS BPA industry partners and FedRAMP are similar; authorizations achieved through FedRAMP will incorporate the IaaS security controls.

  • Location of work - All IaaS BPA industry partners are required to have a minimum of two geographic locations in the Continental United States of America (CONUS) and all services acquired under the BPA will reside in CONUS.

Last Reviewed 2015-10-14