Skip to main content

IaaS Security

Below are some highlights of how the IaaS BPA supports secure cloud infrastructure solutions:

  • All IaaS BPA industry partners support 2-Factor Authentication from both the provider’s and agency’s perspective.

  • Before accepting an award from an ordering activity, the BPA industry partners must complete the Assessment & Authorization (A&A) process at the Federal Information Security Management Act (FISMA) Moderate Impact Data Security Level, as administered by GSA or provide a FedRAMP provisional Authority to Operate.

  • Cloud Service Providers (CSPs) are responsible for costs associated with implementing, assessing, documenting and maintaining the FedRAMP control baseline.

  • Most IaaS BPA industry partners have elected to submit their security packages to the FedRAMP program in order to obtain FedRAMP certification as well.

  • The Assessment and Authorization (A&A) processes for IaaS BPA industry partners and FedRAMP are similar; authorizations achieved through FedRAMP will incorporate the IaaS security controls.

  • Location of work - All IaaS BPA industry partners are required to have a minimum of two geographic locations in the Continental United States of America (CONUS) and all services acquired under the BPA will reside in CONUS.