Below are some highlights of how the IaaS BPA supports secure cloud infrastructure solutions:
- All IaaS BPA industry partners support 2-Factor Authentication from both the provider’s and agency’s perspective.
- Before accepting an award from an ordering activity, the BPA industry partners must complete the Assessment & Authorization (A&A) process at the Federal Information Security Management Act (FISMA) Moderate Impact Data Security Level, as administered by GSA, or provide a FedRAMP provisional Authority to Operate.
- Cloud Service Providers (CSPs) are responsible for costs associated with implementing, assessing, documenting and maintaining the FedRAMP control baseline.
- Most IaaS BPA industry partners have elected to submit their security packages to the FedRAMP program in order to obtain FedRAMP certification as well.
- The A&A processes for IaaS BPA industry partners and FedRAMP are similar; authorizations achieved through FedRAMP will incorporate the IaaS security controls.
- Location of work: All IaaS BPA industry partners are required to have a minimum of two geographic locations in the Continental United States of America (CONUS), and all services acquired under the BPA will reside in CONUS.