
Evaluating Cloud

Provider Types

Cloud adoption has consistently been identified as one of the top challenges for government. In our conversations, we’ve found this is often because the term “cloud” has come to imply a number of distinct uses. This is in part because of the evolving nature of the technology, as well as the evolving nature of government needs and trust in cloud computing environments.

As federal government Agencies are evaluating cloud solutions and the requirements they must adhere to, there are several considerations to take into account, including the type of cloud offeror and their delivery model, along with additional factors detailed below.

Generally, cloud offerors can be categorized into the following types:

  • Cloud Service Provider (CSP): The provider of a Cloud Service Offering
  • Value-Added Reseller (VAR): Serves as a conduit to the government for CSPs that do not have existing contract vehicles with the government
  • Managed Service Provider (MSP): Provides access to a service and is also responsible for managing that service’s operations
  • Integrator: Provides a cloud service and also professional services for incorporating the solution into an existing technology environment

Key Considerations

When evaluating cloud services, it’s important for Agencies to understand the different types of providers, as security requirements may apply differently to each. For example, an Agency may acquire cloud email and want to ensure it meets FedRAMP certification, which applies to CSPs, but also want to use an integrator for configuration, operations, and maintenance. The integrator is not a cloud organization, so FedRAMP does not apply to it.

It is valuable to understand the following considerations, based on the general provider types.

CSP

  • CSPs are subject to FedRAMP requirements
  • CSPs are not classified as a traditional contractor, and staff are not required to follow requirements that pertain to government contractors (such as HSPD-12)
  • Cloud services are defined by NIST in SP 800-145

VAR

  • VARs are not subject to FedRAMP requirements. However, VARs can often provide a point of contact at a CSP to answer cloud questions
  • VARs typically do not provide any professional services for integration and are therefore not classified as a government contractor for the purposes of HSPD-12
  • Agencies working with VARs should be sure to maintain “ownership” of accounts (e.g. root credentials) when the contract is over

MSP

  • Depending on the cloud service, an MSP may be subject to FedRAMP requirements. For example, if the MSP develops their own custom cloud, that cloud service would be subject to FedRAMP requirements
  • MSPs are typically classified as a government contractor, and staff are required to follow requirements that pertain to government contractors (such as HSPD-12)

Integrator

  • Integrators are not subject to FedRAMP requirements
  • Integrators are typically classified as a government contractor, and staff are required to follow requirements that pertain to government contractors (such as HSPD-12)