New FedRAMP RFI Signals a Path for SMBs

To help agencies improve their cloud services contracts, the General Services Administration's Secure Cloud Portfolio division has requested feedback from industry on agency attempts to enforce requirements via contract language. The request for information (RFI) asks for specific examples of both effective and ineffective contract language as well as suggestions on how to incorporate cloud services into different contract vehicles for direct solicitations, resellers and system integrators.

The information gathered through this RFI will be used to identify examples of contract language that agencies should and should not use in their solicitations. Those examples will in turn inform new or expanded guidance and education for agencies.

The RFI explains that many of the issues that GSA sees with contracts “arise from unfairly limiting competition, unclear roles and responsibilities, confusion on who will pay for a security assessment for FedRAMP, timelines for achieving a FedRAMP authorization, who from the government will work with the vendor to achieve a FedRAMP authorization, etc.”

As a 3PAO, EmeSec has extensive experience supporting cloud providers as they navigate the accreditation process and continually meet and maintain the requirements for ongoing compliance. We support GSA’s efforts to create more inclusive and fair processes, especially for small and mid-sized businesses (SMBs). Small businesses typically bear a greater burden in demonstrating compliance, and they frequently have to strain their resources to meet information security mandates while still competing for opportunities.

Our advice to the FedRAMP office is to look for feedback and proposals that would ease the burden on SMBs, whether through more workable teaming arrangements or a fairer competitive process for contracts.

For more information, review the RFI here: https://www.fedramp.gov/rfi-for-cloud-fedramp-and-security-contract-language/