The General Services Administration is responding to the rapid changes in cloud computing by writing new procurement documents, adding security requirements, and changing Apps.gov.
The General Services Administration has canceled its initial blanket purchase agreement and request for quotations for infrastructure-as-a-service offerings and will soon offer a new one, signaling a shift in its cloud computing strategy to evolve to meet the rapidly changing nature of the market.
The old blanket purchase agreement had been 11 months in the making, but feedback from agencies and vendors forced the agency to take another look at how it was preparing to offer cloud infrastructure services to government agencies, according to Dave McClure, associate administrator for GSA's office of citizen services and communications.
"Eleven months in cloud computing time is really about 11 years," McClure said. "The market is changing fast, experience in the market is changing daily, and customer needs are becoming better defined. All those factors have converged to make us make sure that what we're putting out is the right BPA and we're responsive both to industry and agency customers."
The decision to cancel the RFQ was entirely GSA's decision, McClure said, but GSA kept the Office of Management and Budget, which has been driving the government-wide cloud computing strategy, apprised of its decision and reasoning.
Over the next week to 10 days, the GSA will work to close down the old BPA, including reaching out to vendors who had responded to the initial RFQ released last summer. Those companies' work likely has not been entirely for naught, though, as McClure said that by going through the process once, they'll be ahead of the game for the next go-round. The next BPA will be created soon, and McClure said in an interview that GSA will have numerous conversations with industry and government agencies "to make sure what we are going to put out is on target."
The new BPA will have a number of changes, the most evident of which will be in terms of security. For the first agreement, vendors who responded to the RFQ only had to ensure their products met Federal Information Security Management Act certification and accreditation standards for low-risk systems. The new BPA will require offerings to meet moderate-risk standards. McClure said he has been hearing from government that this is more in line with its needs. "We'll actually pull in more potential solutions that government can use," he said.
McClure also said that its public positioning of the RFQ may be different this time around. Though McClure said he can't disclose the number of responses to last year's RFQ while it remains open, he noted confusion around the intersection of the RFQ and Apps.gov. "I believe there was a lot of confusion in the vendor market about the staging of [software-as-a-service] versus the infrastructure piece," he said. "We've learned we need to interact with industry very carefully. As we go out with the new RFQ, we're going to be reaching out and making sure we pull in as big a pool of vendors as possible."
What's not changing is the general thrust of the BPA. McClure noted that estimates have shown that more than 20% of the $79 billion the federal government will spend on IT next year is infrastructure spending, and that OMB has been clear in its demands for more efficiency and savings in IT infrastructure.
McClure also noted upcoming changes to the federal government's cloud computing application store, Apps.gov, where federal employees with purchasing power can go sign up for software-as-a-service offerings. GSA will be revamping the site's look and feel and will eventually add the infrastructure-as-a-service offerings that make it through with the new BPA.
So far, it sounds like McClure remains confident about the long-term success of Apps.gov. He said he sees "lots of enthusiasm" around the site, and though few agencies are actually procuring services through the site as of now, many people have been going to the site, searching for applications, and familiarizing themselves with both the site and the applications posted there.
Finally, McClure noted the ongoing effort to develop a common, streamlined certification and accreditation process for cloud vendors. A working group convened by GSA, OMB, and the federal CIO Council is putting together recommendations on the process, but is working under a new hard and fast deadline.
"We want the storefront and what it evolves into to focus on delivering quality cloud services, set up the process so industry and cloud vendors can offer services easily and through very efficient processes," McClure said.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
IT Strategies to Conquer the CloudChances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.