Response GUIDANCE and Checklist

FOR NEW OFFERS ON

IT SCHEDULE 70 CLOUD COMPUTING SERVICES SIN

SPECIAL ITEM NUMBER 132-40

Instructions

Please Note: The following instructions should be followed for each of the cloud computing products/services/brands or technical solutions you are submitting for consideration for SIN 132-40.

Those page limits are:

1)Two pages for each cloud product/service/brand describing how it meets each of the five essential cloud computing characteristics asdefined in National Institute of Standards and Technology (NIST) Special Publication 800-145.(See Table 1.)

2)A ½ page limit for a description of how the product/service/brand fits each proposed Service Model and a ½ page for how it fits each proposed Deployment Model. (See Table 1.)

Please remember that none of the text of your submission will appear in public government descriptions of your products/services and that the purpose of your submission is only to qualify for your product/service to be listed on the Cloud SIN.

This guidanceis intended for industry partners who are first-time applicants to be listed on GSA’s IT Schedule 70 under the Cloud Special Item Number (SIN) 132-40. It addresses the evaluation factors found in the Terms and Conditions for the Cloud SIN found in Attachment 14 of the IT Schedule 70 Solicitation, “Critical Information Specific to Schedule 70.”

Separate guidance for industry partners who are currently on IT Schedule 70 and would like to modify their existing service offerings to add the Cloud SIN can be found on GSA’s Cloud SIN website.

Responses should be submitted through the GSA eOffer portal. Please submit any questions to .

Updated April 20161

Response Guidance and Checklist for IT Schedule 70 Cloud SIN 132-40

References:

  1. FedBizOpps: IT Schedule 70 Solicitation:
  2. Solicitation Attachment14 - “Critical Information Specific To Schedule 70”
  3. This solicitation attachment contains Terms and Conditions for the Cloud SIN, beginning on page 30.
  4. Refer to Section 5 (GUIDANCE FOR CONTRACTORS) on page 37 for detailed information and instructions on how to interpret each requirement. This section has been developed for suggestion and guidance only and does not alter NIST definitions or publications.
  5. Solicitation Attachment 15–“Technical evaluation Criteria SIN 132-40 Cloud Computing”
  6. This solicitation attachment outlines the technical evaluation criteria for the Cloud SIN.
  7. NIST SP 800-145:
  8. Definitions of cloud computing, service models and deployment models.

Use the following guidelines while completing the response template:

  • Submit an individual andseparate response for each proposed product/service/brand. For example, if you choose to submit separate offerings for a SaaS service and a PaaS service, submit one response for each service through eOffer.
  • Review each requirement for whether it is (1) Mandatory or (2) Optional (Not Mandatory) (see Terms and Conditions for definitions) and provide responses as appropriate.
  • Review Section 5 (GUIDANCE FOR CONTRACTORS) in the Terms and Conditions on page 37 for a detailed description and guidance for meeting the requirement.
  • Keep responses brief and to the point of how the service meets the requirement, within the indicated page limit.
  • A checklist is provided below for your convenience.

Table 1: Checklist for Response(delete before submission)

Table 1: Checklist for Response (delete this table before submission)

(Total of a two page limit for response to NIST 5 characteristics in Section 1.1)

(A ½ page limit for each proposed Service Model in Section 1.2)

(A ½ page limit for each proposed Deployment Model in Section 1.3)

Requirement / Mandatory? / Complete?
1.1.1 / NIST Characteristic - On-Demand Self-Service: Provide a brief written description of how the cloud service proposed satisfies this individual essential NIST Characteristic. Attest capability and briefly describe how self-service technical capability is met (Total of 2 pages to cover all 5 NIST characteristics in Section 1.) / Yes
1.1.2 / NIST Characteristic - Broad Network Access: Provide a brief written description of how the cloud service proposed satisfies this individual essential NIST Characteristic. Attest capability and briefly describe how network access is provided. (Total of 2 pages to cover all 5 NIST characteristics in Section 1.) / Yes
1.1.3 / NIST Characteristic - Resource Pooling: Provide a brief written description of how the cloud service proposed satisfies this individual essential NIST Characteristic. Attest capability and briefly describe how resource pooling technical capability is met. . Be sure to indicate the location(s) of your data center(s), i.e., on customer premises or remote. (Total of 2 pages to cover all 5 NIST characteristics in Section 1.) / Yes
1.1.4 / NIST Characteristic - Rapid Elasticity: Provide a brief written description of how the cloud service proposed satisfies this NIST Characteristic. Attest capability and briefly describe how rapid elasticity technical capability is met. (Total of 2 pages to cover all 5 NIST characteristics in Section 1.) / Yes
1.1.5 / NIST Characteristic - Measured Service: Provide a brief written description of how the cloud service proposed satisfies this NIST Characteristic. Attest capability and briefly describe how measured service technical capability is met. (Total of 2 pages covering all 5 NIST characteristics in Section 1.) / Yes
1.2 / Service Model: Optionally select the most appropriate NIST service model(s) that will be the designated sub-category, or may select no sub-category.
Contractor may select a single NIST Service model to sub-categorize the service. Sub-category selection is optional but recommended. Subcategories are IaaS, PaaS, and SaaS. Provide a brief description of howeachservice fits model, per guidance. (1/2 page limit for each service model.) / No
1.3 / Deployment Model: Provide the most appropriate deployment model associated with each proposed cloud service. The Contractor shall select at least one deployment model (e.g. Private Cloud, Public Cloud, Community Cloud, Hybrid Cloud) conforming to the definitions in The NIST Definition of Cloud Computing SP 800-145 page 3. . Provide a brief description on how service meets each selected deployment model. (1/2 page limit for each deployment model.) / Yes

Important Instructions for Completing the Response in eOffer System

Vendors should use the eOffer system to submit solicitation responses for SIN 132-40. If your company is not currently registered with eOffer, you can establish an account using your Dun & Bradstreet (D-U-N-S) Number. Once logged in, the eOffer system will guide vendors through entering the required contractual and corporate information.

This guidance in this document pertains specifically to the “Technical Proposal: Corporate Experience” section of the Solicitation Provisions portal.In this section, Boxes (H), (I), and (J) ask the vendor to respond to the three technical evaluation criteria: how services meet the cloud characteristics as described in ‘National Institute of Standards and Technology (NIST) Special Publication 800-145 (Box H);a description of the deployment model (Box I), and a description of the service model (Box J).

However, due to the character limitations of this portal, it is likely that vendors will not have enough space to adequately address all of these questions within the equivalent of the three-page limitation provided by the solicitation. Therefore, vendors have two choices to complete these questions: 1) enter responses directly into the eOffer system (Boxes (H)-(J)), or 2) attach a Word or PDF document to the response before submission (with a 2-page limit on the NIST questions and a ½ page limit each for the deployment and service model questions). Because of the system’s character limitations and the critical role of the technical response in the approval process, GSA recommends (but does not require) vendors take the latter option and attach their response to allow for a more complete response.

If this you choose to attach your response to the technical evaluation questions, please complete Boxes (H), (I), and (J) by writing “Please see attached technical response.” In addition, please be sure to clearly label your technical response document when attaching in order to expedite the review process.

Response Template

Proposed Cloud Service Name: <Insert Name of Service or Solution >

1.Cloud Computing Services Adherence to Essential Cloud Characteristics

Within a two-page limitation for each cloud product/service/brand submitted, provide a description of how thecloud computing service meets each of the five essential cloud computing characteristics asdefined in National Institute of Standards and Technology (NIST) Special Publication 800-145and subsequent versions of this publication.

The cloud service must be capable of satisfying eachof the five NIST essential Characteristics as follows (additional guidance for each characteristic is provided in the following subsections):

  • On-demand self-service
  • Broad network access
  • Resource Pooling
  • Rapid Elasticity
  • Measured Service

Refer to the ‘Guidance for Contractors’ section of the Terms & Conditions for the Cloud

Computing Services SIN for guidance on meeting the NIST characteristics. For the purposes of

the Cloud Computing Services SIN, meeting the NIST essential characteristics is concerned

primarily with whether the underlying capability of the commercial service is available, whether

or not an Ordering Activity actually requests or implements the capability.

1.1.On-Demand Self Service

Describe how the cloud computing service meets the essential characteristic of on-demand self-service:

“A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.” – NIST Special Publication 800-145, “Definition of Cloud Computing”

Informationfor this characteristic should include a brief description of the mechanisms the service utilizes to provision computing capability without human interaction with the provider (e.g., through a fully automated interface or through an automated service request). Examples of “computing capabilities” include server time and network storage.

Below is the guidance for “on-demand self-service” provided in Section 5 (GUIDANCE FOR CONTRACTORS) of Document “14 - Critical Information Specific To Schedule 70” of the IT Schedule 70 Solicitation.

Capability / Guidance
  • Ordering activities can directly provision services without requiring Contractor intervention.
  • This characteristic is typically implemented via a service console or programming interface for provisioning
/ Government procurement guidance varies on how to implement on-demand provisioning at this time. Ordering activities may approach on-demand in a variety of ways, including “not-to-exceed” limits, or imposing monthly or annual payments on what are essentially on demand services.
Services under this SIN must be capable of true on-demand self-service, and ordering activities and Contractors must negotiate how they implement on demand capabilities in practice at the task order level:
  • Ordering activities must specify their procurement approach and requirements for on-demand service
  • Contractors must propose how they intend to meet the approach
  • Contractors must certify that on-demand self-service is technically available for their service should procurement guidance become available.

1.2.Broad Network Access

Describe how the cloud computing service meets the essential characteristic of broad network access:

“Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations).” – NIST Special Publication 800-145, “Definition of Cloud Computing”

Information for this characteristic should include a brief description of the mechanisms the service utilizesto provide service over the Internet or a ubiquitous network as defined by the consumer. The term “standard mechanisms” in the NIST definition implies that the computing capability is available by way of http, xml and/or other internet protocols.

Below is the guidance for “broad network access” provided in Section 5 (GUIDANCE FOR CONTRACTORS) of Document “14 - Critical Information Specific To Schedule 70” of the IT Schedule 70 Solicitation.

Capability / Guidance
  • Ordering activities are able to access services over standard agency networks
  • Service can be accessed and consumed using standard devices such as browsers, tablets and mobile phones
/
  • Broad network access must be available without significant qualification and in relation to the deployment model and security domain of the service
  • Contractors must specify any ancillary activities, services or equipment required to access cloud services or to integrate cloud with other cloud or non-cloud networks and services. For example a private cloud might require an Ordering Activity to purchase or provide a dedicated router, etc. which is acceptable but should be indicated by the Contractor.

1.3.Resource Pooling

Describe how the cloud computing service meets the essential characteristic of resource pooling:

“The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, and network bandwidth.”– NIST Special Publication 800-145, “Definition of Cloud Computing”

Information for this characteristic should include a brief description of the mechanisms the service utilizes to provide the capability to serve multiple tenants, regardless of how many tenants are actually served.

Below is the guidance for “resource pooling” provided in Section 5 (GUIDANCE FOR CONTRACTORS) of Document “14 - Critical Information Specific To Schedule 70” of the IT Schedule 70 Solicitation.

Capability / Guidance
  • Pooling distinguishes cloud services from offsite hosting.
  • Ordering activities draw resources from a common pool maintained by the Contractor
  • Resources may have general characteristics such as regional location
/
  • The cloud service must draw from a pool of resources and provide an automated means for the Ordering Activity to dynamically allocate them.
  • Manual allocation, e.g. manual operations at a physical server farm where Contractor staff configure servers in response to Ordering Activity requests, does not meet this requirement
  • Similar concerns apply to software and platform models; automated provisioning from a pool is required
  • Ordering activities may request dedicated physical hardware, software or platform resources to access a private cloud deployment service. However the provisioned cloud resources must be drawn from a common pool and automatically allocated on request.

1.4.Rapid Elasticity

Describe how the cloud computing service meets the essential characteristic of rapid elasticity:

“Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.” – NIST Special Publication 800-145, “Definition of Cloud Computing”

Information for this characteristic should include a brief description of the mechanisms the service utilizes to scale resources dynamically.

Below is the guidance for “rapid elasticity” provided in Section 5 (GUIDANCE FOR CONTRACTORS) of Document “14 - Critical Information Specific To Schedule 70” of the IT Schedule 70 Solicitation.

Capability / Guidance
  • Rapid provisioning and de-provisioning commensurate with demand
/
  • Rapid elasticity is a specific demand-driven case of self-service
  • Procurement guidance for on-demand self-service applies to rapid elasticity as well, i.e. rapid elasticity must be technically available but ordering activities and Contractors may mutually negotiate other contractual arrangements for procurement and payment.
  • ‘Rapid’ should be understood as measured in minutes and hours, not days or weeks.
  • Elastic capabilities by manual request, e.g. via a console operation or programming interface call, are required.
  • Automated elasticity which is driven dynamically by system load, etc. is optional. Contractors must specify whether automated demand-driven elasticity is available and the general mechanisms that drive the capability.

1.5.Measured Service

Describe how the cloud computing service meets the essential characteristic of measured service:

“Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction (typically done on a pay-per-use or charge-per-use basis) appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.” – NIST Special Publication 800-145, “Definition of Cloud Computing”

Information in this section should include a description of the mechanisms the service utilizes to measure service in a transparent way and provide monitoring and reporting to the ordering activity. It should also describe how it fits the pay as you go model.

Below is the guidance for “measured service” provided in Section 5 (GUIDANCE FOR CONTRACTORS) of Document “14 – Critical Information Specific to Schedule 70” of the IT Schedule 70 Solicitation?

Capability / Guidance
  • Measured service should be understood as a reporting requirement that enables an Ordering Activity to control their use in cooperation with self service
/
  • Procurement guidance for on-demand self-service applies to measured service as well, i.e. rapid elasticity must be technically available but ordering activities and Contractors may mutually designate other contractual arrangements.
  • Regardless of specific contractual arrangements, reporting must indicate actual usage, be continuously available to the Ordering Activity, and provide meaningful metrics appropriate to the service measured
  • Contractors must specify that measured service is available and the general sort of metrics and mechanisms available

2.Cloud Computing Deployment Model

Under the “Technical Proposal: Corporate Experience” section of the response form in eOffer/eMod, Box (I) asks the vendor for“A description of how your proposed service meets the NIST definition of a particular deployment model (Public, Private, Community, or Hybrid) as described in NIST Special Publication 800-145.”

Provide responses for this cloud computing product/service/brand within a ½ page limitation for each proposed cloud computing service submitted.Multiple deployment model selection is permitted, but at least onemodel must be indicated.