| Consideration | Guidance | Recommended action |
| --- | --- | --- |
| Cybersecurity Supply Chain Risk Management | Agencies must evaluate the entire cloud supply chain, including the provenance of sub-components and the Foreign Ownership, Control, or Influence of subcontractors. Ensure your C-SCRM plan addresses risks from hardware origins to third-party software dependencies that could compromise your FedRAMP-authorized environment. | Mandate a Software Bill of Materials in your RFQ. This provides a transparent inventory of all third-party components within the cloud stack, allowing your security team to proactively identify and mitigate vulnerabilities before they impact the mission. |
| Enforceable Service Level Agreements | To ensure cloud accountability, agencies must replace generic uptime metrics with enforceable, mission-aligned SLAs that include automated service credits for performance failures. Contracts can define granular roles for data integrity and security monitoring to maintain continuous oversight of the cloud environment. | Shift from “uptime” to “mission availability” SLAs. Tie service credits to specific mission impacts—like API responsiveness or security patch timelines—rather than just server pings. This ensures the contractor is financially accountable for the functional performance of the application, not just the underlying infrastructure. |
| Comprehensive Exit Strategy | A resilient acquisition includes a predefined “exit plan” to mitigate concentration risk—the danger of relying too heavily on a single provider. The RFQ should detail the criteria for executing the plan, identified alternative solutions, and the data recovery/exit methodology. This prevents egress fee surprises and ensures your data is returned in a non-proprietary format, making the “exit plan” financially and technically actionable. | Require a “Data Exit Price” or predefined extraction. |
| Multi-Cloud Readiness | Prioritize solutions that use open standards and allow for seamless integration with other cloud platforms. This preserves the agency’s ability to adopt a hybrid or multi-cloud approach as mission needs evolve. | Consider mandating Open API compliance and containerization (e.g., Kubernetes) in your RFQ to ensure workloads can migrate between providers without expensive code rewrites. |
| Multi-Cloud & Hybrid Strategy | Agencies can use a BPA approach to consolidate access to multiple cloud service provider catalogs through a single reseller, resulting in a single contracting action rather than several. | Use a “Brand Name or Equivalent” approach for your primary environment while mandating access to secondary CSPs; this secures current mission stability while providing a pre-competed pathway for future hybrid-cloud scalability. |
| Upfront Payment Structures | Upfront annual SaaS payments are not prohibited “advance payments” because the SaaS is “delivered” upon provisioning. Unlike perpetual licenses, SaaS provides term-based access that terminates immediately at the end of the billing term increment. This requires proactive planning to synchronize terms to prevent mission-critical service gaps. | Use the GSA Consumption-Based Ordering Guide to align your PoP with actual usage patterns to avoid paying for unutilized access. |
| Requirements Task Order | Per GSA Acquisition Letter MV-21-06, the RTO is the preferred vehicle for consumption-based cloud buying. By including GSAR Clause 552.238-199 in your solicitation, you can obligate funds into a high-level “Requirements” CLIN, enact monthly sub-CLINs to pay only for actual usage, and ensure that the acquisition is classed as fixed price. | Use the RTO model to eliminate “use-it-or-lose-it” waste; it provides the incremental funding flexibility of a BPA while maintaining the contractual discipline of a task/delivery order CLIN. |
| Transactional Data Transparency | As a mandatory Transactional Data Reporting SIN, 518210C provides agencies with granular data on actual government-paid prices, moving market research beyond list-price comparisons to real-world benchmarks. | Request a “TDR-Aligned Quote” to compare pricing against GSA’s market data and secure competitive rates. |
| Period of Performance | Cloud buying requires balancing fixed SaaS subscriptions (via allowable upfront annual payments) with fluctuating IaaS/PaaS usage (via Fixed Price with Prospective Price Redetermination). All models must include enforceable SLAs with service credits and “subject to availability of funds” clauses for multi-year commitments to ensure fiscal compliance. | Use Prospective Price Redetermination for IaaS/PaaS to adjust budgets every 12 months based on actual consumption, preventing “use-it-or-lose-it” waste while maintaining fixed-price contract discipline. |
| Total Solution - Multi SIN Approach | When mission requirements exceed the NIST cloud definition, agencies should use a multi-SIN approach. While SIN 518210C remains the primary vehicle, the RFQ can encourage contractors to include complementary SINs — such as 54151S (IT Professional Services) or 54151HEAL (Health IT) — to deliver a seamless, comprehensive solution. | In eBuy, always list SIN 518210C as the primary SIN to ensure your requirement reaches the specialized cloud vendor pool, while explicitly stating in the SOW that cross-SIN solutions are permitted for non-cloud incidental tasks. |
| OLM Flexibility | Include the OLM SIN in your cloud RFQ to capture incidental, unforeseen items—like specialized training or utility tools—not pre-priced on the contractor’s Schedule. This streamlines procurement by keeping supporting items under the same FAR-compliant terms as your primary cloud services, avoiding the need for separate open-market actions. | Use the OLM SIN to handle variable egress fees or unexpected data migration tools; just ensure the OLM portion stays incidental and is evaluated for price reasonableness via at least three competitive quotes at the order level. Expenses must be unknown at the time of award and be capped at 33% of the total award. |
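The C-SCRM row above recommends mandating a Software Bill of Materials so the security team can identify vulnerable third-party components. The script below is an added example of what a security team would do with a delivered SBOM; it is not part of the GSA guidance and not any vendor's tooling. It parses a constructed CycloneDX-style SBOM, cross-checks each component's package URL against a constructed advisory list with version ranges, and flags components that carry no package URL at all, since an SBOM entry that cannot be matched to an advisory feed is itself a finding. All package names and advisory identifiers are placeholders.

```python
"""Cross-check a CycloneDX-style SBOM against an advisory list.

Added example for the C-SCRM / SBOM recommendation. The SBOM, the advisory
feed, the package names and the advisory IDs are all constructed placeholders.
"""
import json

# Constructed CycloneDX-style SBOM, as a vendor might deliver it with a quote.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-http", "version": "2.3.1",
     "purl": "pkg:pypi/example-http@2.3.1"},
    {"type": "library", "name": "example-yaml", "version": "5.1.0",
     "purl": "pkg:pypi/example-yaml@5.1.0"},
    {"type": "library", "name": "example-crypto", "version": "1.9.0",
     "purl": "pkg:pypi/example-crypto@1.9.0"},
    {"type": "library", "name": "example-log", "version": "3.0.0"}
  ]
}
"""

# Constructed advisory feed: purl base -> list of (introduced, fixed, id).
# "fixed" is exclusive; None means no fixed release exists yet.
ADVISORIES = {
    "pkg:pypi/example-yaml": [("0", "5.4.0", "ADV-PLACEHOLDER-0001")],
    "pkg:pypi/example-crypto": [("1.0.0", "2.0.0", "ADV-PLACEHOLDER-0002"),
                                ("1.9.0", None, "ADV-PLACEHOLDER-0003")],
    "pkg:pypi/example-http": [("1.0.0", "2.0.0", "ADV-PLACEHOLDER-0004")],
}


def parse_version(version):
    """Turn '2.3.1' into (2, 3, 1); non-numeric segments compare as 0."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def in_range(version, introduced, fixed):
    """True when introduced <= version < fixed (or no fix exists)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def split_purl(purl):
    """'pkg:pypi/name@1.2' -> ('pkg:pypi/name', '1.2')."""
    base, _, ver = purl.partition("@")
    return base, (ver or None)


def check_sbom(sbom_json, advisories):
    """Return (findings, unidentified).

    findings: list of (component name, version, advisory id) for every
              component whose version falls inside an advisory range.
    unidentified: component names with no purl, which cannot be matched
                  against any feed and need to be resolved with the vendor.
    """
    sbom = json.loads(sbom_json)
    findings = []
    unidentified = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            unidentified.append(comp.get("name", "<unnamed>"))
            continue
        base, ver = split_purl(purl)
        ver = ver or comp.get("version", "0")
        for introduced, fixed, adv_id in advisories.get(base, []):
            if in_range(ver, introduced, fixed):
                findings.append((comp["name"], ver, adv_id))
    return findings, unidentified


if __name__ == "__main__":
    hits, unknown = check_sbom(SBOM_JSON, ADVISORIES)
    for name, ver, adv_id in hits:
        print(f"AFFECTED  {name} {ver}  ({adv_id})")
    for name in unknown:
        print(f"UNMATCHED {name}: no purl in SBOM, cannot be checked")
```

The version comparison is deliberately simple (dotted integers only); a real review would use the ecosystem's own version semantics and a live advisory feed, but the structure of the check, match on package identity then on version range and surface components that cannot be identified, is the same.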