Search the Community
Showing results for tags 'FedRAMP'.
Found 1 result
I have an IT contract for cloudbased webhosting services among the many contracts I've inherited recently. IT contracts are new to me, so I don't know if the contract was properly written or not. The contract provides the agency with a definite amount of bandwidth every month. During a distributed denial of service attack (DDoS), the amount of bandwidth the agency uses can easily exceed the amount of bandwidth that the contract allows for. The subject contract provides for overage charges for whenever the agency exceeds the amount of bandwidth provided by the contract on any particular month. My concern with this scheme is that the contract currently does not provide funding for overage charges incurred by the agency. In fact, I have to modify the contract to add funds in order to be able to pay last month's invoice because it included overage charges that the agency had not anticipated. I assume that there should be funding on the contract to cover the overage charges, but how do I estimate something that can vary so significantly from month to month? We have no advance knowledge of when DDoS attacks will occur, or of how many attacks might occur in a month. Since the amount of the overage can be so significant, how do I go about keeping the contract properly funded? Is there a better or more common method of setting up the contract? Another concern I have is that the provider has offered us a type of "protection" plan that for a monthly fee establishes a fee cap on the amount of overage charges the agency would incur during a DDoS attack. The "protection" plan requires the agency to request a service credit after the agency has suffered a DDoS attack. Upon receipt of the agency's request, the provider would credit any overage charges that are in excess of the fee cap established by the "protection" plan. The "protection" plan they're offering seems to have - to some degree - the effect of insurance. Is this type of plan/service considered insurance? If so, are we allowed to purchase these types of "protection" plans? Or is the Government's limitation on purchasing insurance limited only to insurance provided by insurance companies? My last concern with this contract is that the contractor is a FedRAMP compliant cloud service provider (CSP). That's why the agency chose the contractor. The agency's CIO was surprised to learn that bandwidth overage charges could be incurred by the agency during a DDoS attack under this contract. The contractor claims that it provides the agency with DDoS protection (through a third party), but that the additional bandwidth required to keep the agency's websites available during a DDoS attack is not included in the contract price. Does anyone know whether or not a FedRAMP compliant CSP is required to provide DDoS attack protection and additional bandwidth at no additional cost to the Government when there is a contract in place for cloud services? Or is there a more common method the industry employs to allow for excess bandwidth usage in government contracts without additional charges?