Response GUIDANCE and Checklist

FOR IT SCHEDULE 70 HOLDERS TO ADD

CLOUD COMPUTING SERVICES SIN

SPECIAL ITEM NUMBER 132-40

Instructions

Please Note: The following instructions should be followed for each of the cloud computing products/services/brands you are submitting for consideration for SIN 132-40.

Please Note: Submissions from industry partners that exceed any of the page limitations listed below will be rejected without being evaluated further.

Those page limits are:

1) Two pages for each cloud product/service/brand describing how it meets each of the five essential cloud computing characteristics as defined in National Institute of Standards and Technology (NIST) Special Publication 800-145. (See Table 1.)

2) A ½ page limit for a description of how the product/service/brand fits each proposed Service Model and a ½ page for how it fits each proposed Deployment Model. (See Table 1.)

Please remember that none of the text of your submission will appear in public government descriptions of your products/services and that the purpose of your submission is only to qualify for your product/service to be listed on the Cloud SIN.

This guidance is intended for industry partners who are current contract holders on GSA’s IT Schedule 70 that would like to modify their service offerings to add the Cloud Special Item Number (SIN) 132-40. It addresses the evaluation factors found in the Terms and Conditions for the Cloud SIN found in Attachment 14 of the IT Schedule 70 Solicitation, “Critical Information Specific to Schedule 70.”

Separate guidance for industry partners who are submitting offerings to IT Schedule 70 and the Cloud SIN for the first time can be found on GSA’s Cloud SIN website.

Responses should be submitted through the GSA eMod portal. Please submit any questions to .

Updated April 2016

Response Guidance and Checklist for IT Schedule 70 Cloud SIN 132-40

References:

  1. FedBizOpps: IT Schedule 70 Solicitation:
  2. Solicitation Attachment 14 - “Critical Information Specific To Schedule 70”
     • This solicitation attachment contains Terms and Conditions for the Cloud SIN, beginning on page 30.
     • Refer to Section 5 (GUIDANCE FOR CONTRACTORS) on page 37 for detailed information and instructions on how to interpret each requirement. This section has been developed for suggestion and guidance only and does not alter NIST definitions or publications.
  3. Solicitation Attachment 15 – “Technical Evaluation Criteria SIN 132-40 Cloud Computing”
     • This solicitation attachment outlines the technical evaluation criteria for the Cloud SIN.
  4. NIST SP 800-145:
     • Definitions of cloud computing, service models and deployment models.

Use the following guidelines while completing the response template:

  • Submit an individual and separate response for each proposed product/service/brand. For example, if you choose to submit separate offerings for a SaaS product and a PaaS product, submit one response for each through eMod.
  • Review each requirement for whether it is (1) Mandatory or (2) Optional (Not Mandatory) (see Terms and Conditions for definitions) and provide responses as appropriate.
  • Review Section 5 (GUIDANCE FOR CONTRACTORS) in the Terms and Conditions on page 37 for a detailed description and guidance for meeting the requirement.
  • Keep responses brief and to the point of how the product/service/brand meets the requirement, within the indicated page limit.
  • A checklist is provided below for your convenience.

Table 1: Checklist for Response (delete this table before submission)

(Total of a two page limit for response to NIST 5 characteristics in Section 1.1)

(A ½ page limit for each proposed Service Model in Section 1.2)

(A ½ page limit for each proposed Deployment Model in Section 1.3)

# / Requirement / Mandatory? / Complete?
1.1.1 / NIST Characteristic - On-Demand Self-Service: Provide a brief written description of how the cloud service proposed satisfies this individual essential NIST Characteristic. Attest capability and briefly describe how self-service technical capability is met. (Total of 2 pages to cover all 5 NIST characteristics in Section 1.) / Yes
1.1.2 / NIST Characteristic - Broad Network Access: Provide a brief written description of how the cloud service proposed satisfies this individual essential NIST Characteristic. Attest capability and briefly describe how network access is provided. (Total of 2 pages to cover all 5 NIST characteristics in Section 1.) / Yes
1.1.3 / NIST Characteristic - Resource Pooling: Provide a brief written description of how the cloud service proposed satisfies this individual essential NIST Characteristic. Attest capability and briefly describe how resource pooling technical capability is met. Be sure to indicate the location(s) of your data center(s), i.e., on customer premises or remote. (Total of 2 pages to cover all 5 NIST characteristics in Section 1.) / Yes
1.1.4 / NIST Characteristic - Rapid Elasticity: Provide a brief written description of how the cloud service proposed satisfies this NIST Characteristic. Attest capability and briefly describe how rapid elasticity technical capability is met. (Total of 2 pages to cover all 5 NIST characteristics in Section 1.) / Yes
1.1.5 / NIST Characteristic - Measured Service: Provide a brief written description of how the cloud service proposed satisfies this NIST Characteristic. Attest capability and briefly describe how measured service technical capability is met. Provide a brief description on how your product/service fits the pay as you go model. (Total of 2 pages to cover all 5 NIST characteristics in Section 1.) / Yes
1.2 / Service Model: Optionally select the most appropriate NIST service model(s) that will be the designated sub-category, or may select no sub-category. Contractor may select a single NIST Service model to sub-categorize the service. Sub-category selection is optional but recommended. Subcategories are IaaS, PaaS, SaaS. Provide a brief description of how each service fits model, per guidance. (1/2 page limit for each service model.) / No
1.3 / Deployment Model: Provide the most appropriate deployment model associated with each proposed cloud service. The Contractor shall select at least one deployment model (e.g. Private Cloud, Public Cloud, Community Cloud, Hybrid Cloud) conforming to the definitions in The NIST Definition of Cloud Computing SP 800-145 page 3. Provide a brief description on how service meets each selected deployment model. (1/2 page limit for each deployment model.) / Yes

Instructions for Completing the Response in eMod System

Vendors should use the eMod system to submit modification requests to add SIN 132-40. Once logged in, the eMod system will automatically include your existing IT Schedule 70 contractual information, thereby reducing the data input required.

Responses to the technical evaluation criteria (e.g. NIST characteristics, service models, and deployment models) should be submitted as attachments in either Word or PDF format. A template for this response and guidance are included in the following section.

Response Template

Proposed Cloud Service Name: <Insert Name of Service or Solution >

1. Cloud Computing Services Adherence to Essential Cloud Characteristics

Within a two-page limitation for each cloud product/service/brand submitted, provide a description of how the cloud computing service meets each of the five essential cloud computing characteristics as defined in National Institute of Standards and Technology (NIST) Special Publication 800-145 and subsequent versions of this publication.

The cloud service must be capable of satisfying each of the five NIST essential Characteristics as follows (additional guidance for each characteristic is provided in the following subsections):

  • On-demand Self-service
  • Broad Network Access
  • Resource Pooling
  • Rapid Elasticity
  • Measured Service

Refer to the ‘Guidance for Contractors’ section of the Terms & Conditions for the Cloud Computing Services SIN for guidance on meeting the NIST characteristics. For the purposes of the Cloud Computing Services SIN, meeting the NIST essential characteristics is concerned primarily with whether the underlying capability of the commercial service is available, whether or not an Ordering Activity actually requests or implements the capability.

1.1. On-Demand Self Service

Describe how the cloud computing service meets the essential characteristic of on-demand self-service:

“A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.” – NIST Special Publication 800-145, “Definition of Cloud Computing”

Information for this characteristic should include a brief description of the mechanisms the service utilizes to provision computing capability without human interaction with the provider (e.g., through a fully automated interface or through an automated service request). Examples of “computing capabilities” include server time and network storage.

Below is the guidance for “on-demand self-service” provided in Section 5 (GUIDANCE FOR CONTRACTORS) of Document “14 - Critical Information Specific To Schedule 70” of the IT Schedule 70 Solicitation.

Capability:
  • Ordering activities can directly provision services without requiring Contractor intervention.
  • This characteristic is typically implemented via a service console or programming interface for provisioning

Guidance:
Government procurement guidance varies on how to implement on-demand provisioning at this time. Ordering activities may approach on-demand in a variety of ways, including “not-to-exceed” limits, or imposing monthly or annual payments on what are essentially on demand services.
Services under this SIN must be capable of true on-demand self-service, and ordering activities and Contractors must negotiate how they implement on demand capabilities in practice at the task order level:
  • Ordering activities must specify their procurement approach and requirements for on-demand service
  • Contractors must propose how they intend to meet the approach
  • Contractors must certify that on-demand self-service is technically available for their service should procurement guidance become available.

1.2. Broad Network Access

Describe how the cloud computing service meets the essential characteristic of broad network access:

“Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations).” – NIST Special Publication 800-145, “Definition of Cloud Computing”

Information for this characteristic should include a brief description of the mechanisms the service utilizes to provide service over the Internet or a ubiquitous network as defined by the consumer. The term “standard mechanisms” in the NIST definition implies that the computing capability is available by way of http, xml and/or other internet protocols.

Below is the guidance for “broad network access” provided in Section 5 (GUIDANCE FOR CONTRACTORS) of Document “14 - Critical Information Specific To Schedule 70” of the IT Schedule 70 Solicitation.

Capability:
  • Ordering activities are able to access services over standard agency networks
  • Service can be accessed and consumed using standard devices such as browsers, tablets and mobile phones

Guidance:
  • Broad network access must be available without significant qualification and in relation to the deployment model and security domain of the service
  • Contractors must specify any ancillary activities, services or equipment required to access cloud services or to integrate cloud with other cloud or non-cloud networks and services. For example a private cloud might require an Ordering Activity to purchase or provide a dedicated router, etc. which is acceptable but should be indicated by the Contractor.

1.3. Resource Pooling

Describe how the cloud computing service meets the essential characteristic of resource pooling:

“The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, and network bandwidth.” – NIST Special Publication 800-145, “Definition of Cloud Computing”

Information for this characteristic should include a brief description of the mechanisms the service utilizes to provide the capability to serve multiple tenants, regardless of how many tenants are actually served.

Below is the guidance for “resource pooling” provided in Section 5 (GUIDANCE FOR CONTRACTORS) of Document “14 - Critical Information Specific To Schedule 70” of the IT Schedule 70 Solicitation.

Capability:
  • Pooling distinguishes cloud services from offsite hosting.
  • Ordering activities draw resources from a common pool maintained by the Contractor
  • Resources may have general characteristics such as regional location

Guidance:
  • The cloud service must draw from a pool of resources and provide an automated means for the Ordering Activity to dynamically allocate them.
  • Manual allocation, e.g. manual operations at a physical server farm where Contractor staff configure servers in response to Ordering Activity requests, does not meet this requirement
  • Similar concerns apply to software and platform models; automated provisioning from a pool is required
  • Ordering activities may request dedicated physical hardware, software or platform resources to access a private cloud deployment service. However the provisioned cloud resources must be drawn from a common pool and automatically allocated on request.

1.4. Rapid Elasticity

Describe how the cloud computing service meets the essential characteristic of rapid elasticity:

“Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.” – NIST Special Publication 800-145, “Definition of Cloud Computing”

Information for this characteristic should include a brief description of the mechanisms the service utilizes to scale resources dynamically.

Below is the guidance for “rapid elasticity” provided in Section 5 (GUIDANCE FOR CONTRACTORS) of Document “14 - Critical Information Specific To Schedule 70” of the IT Schedule 70 Solicitation.

Capability:
  • Rapid provisioning and de-provisioning commensurate with demand

Guidance:
  • Rapid elasticity is a specific demand-driven case of self-service
  • Procurement guidance for on-demand self-service applies to rapid elasticity as well, i.e. rapid elasticity must be technically available but ordering activities and Contractors may mutually negotiate other contractual arrangements for procurement and payment.
  • ‘Rapid’ should be understood as measured in minutes and hours, not days or weeks.
  • Elastic capabilities by manual request, e.g. via a console operation or programming interface call, are required.
  • Automated elasticity which is driven dynamically by system load, etc. is optional. Contractors must specify whether automated demand-driven elasticity is available and the general mechanisms that drive the capability.

1.5. Measured Service

Describe how the cloud computing service meets the essential characteristic of measured service:

“Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction (typically done on a pay-per-use or charge-per-use basis) appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.” – NIST Special Publication 800-145, “Definition of Cloud Computing”

Information in this section should include a description of the mechanisms the service utilizes to measure service in a transparent way and provide monitoring and reporting to the ordering activity. It should also describe how it fits the pay as you go model.

Below is the guidance for “measured service” provided in Section 5 (GUIDANCE FOR CONTRACTORS) of Document “14 – Critical Information Specific to Schedule 70” of the IT Schedule 70 Solicitation.

Capability:
  • Measured service should be understood as a reporting requirement that enables an Ordering Activity to control their use in cooperation with self service

Guidance:
  • Procurement guidance for on-demand self-service applies to measured service as well, i.e. rapid elasticity must be technically available but ordering activities and Contractors may mutually designate other contractual arrangements.
  • Regardless of specific contractual arrangements, reporting must indicate actual usage, be continuously available to the Ordering Activity, and provide meaningful metrics appropriate to the service measured
  • Contractors must specify that measured service is available and the general sort of metrics and mechanisms available

2. Cloud Computing Deployment Model

Under the “Technical Proposal: Corporate Experience” section of the response form in eOffer/eMod, Box (I) asks the vendor for “A description of how your proposed service meets the NIST definition of a particular deployment model (Public, Private, Community, or Hybrid) as described in NIST Special Publication 800-145.”

Provide responses for this cloud computing product/service/brand within a ½ page limitation for each proposed cloud computing deployment model submitted. Multiple deployment model selection is permitted, but at least one model must be indicated.

Below is the table from the ‘Guidance for Contractors’ section of the Terms & Conditions for the Cloud Computing Services SIN to provide guidance on identifying the appropriate deployment model according to the NIST service model definitions. Refer to this section of the Terms & Conditions for additional guidance.

Deployment Model / Guidance
Private Cloud / The service and associated cloud infrastructure is provided exclusively for the benefit of a definable organization and its components; access from outside the organization is prohibited. The actual services may be provided by third parties, and may be physically located as required, but access is strictly defined by membership in the owning organization.
Public Cloud / The service and associated cloud infrastructure is provided for general public use and can be accessed by any entity or organization willing to contract for it.
Community Cloud / The service and associated cloud infrastructure is provided for the exclusive use of a community with a definable shared boundary such as a mission or interest. As with private cloud, the service may be in any suitable location and administered by a community member or a third party.
Hybrid Cloud / The service is composed of one or more of the other models. Typically hybrid models include some aspect of transition between the models that make them up, for example a private and public cloud might be designed as a hybrid cloud where events like increased load permit certain specified services in the private cloud to run in a public cloud for extra capacity, e.g. bursting.

3. Cloud Computing Service Model

Under the “Technical Proposal: Corporate Experience” section of the response form in eOffer/eMod, Box (I) asks the vendor for “A description of how your proposed service meets the NIST definition of a service model (IaaS, PaaS, or SaaS) as described in NIST Special Publication 800-145.”