The Wifcon Forums and Blogs


Showing results for tags 'FedRAMP'.

Found 1 result

  1. I have an IT contract for cloud-based webhosting services among the many contracts I've inherited recently. IT contracts are new to me, so I don't know if the contract was properly written or not. The contract provides the agency with a definite amount of bandwidth every month. During a distributed denial of service attack (DDoS), the amount of bandwidth the agency uses can easily exceed the amount of bandwidth that the contract allows for. The subject contract provides for overage charges for whenever the agency exceeds the amount of bandwidth provided by the contract in any particular month. My concern with this scheme is that the contract currently does not provide funding for overage charges incurred by the agency. In fact, I have to modify the contract to add funds in order to be able to pay last month's invoice because it included overage charges that the agency had not anticipated. I assume that there should be funding on the contract to cover the overage charges, but how do I estimate something that can vary so significantly from month to month? We have no advance knowledge of when DDoS attacks will occur, or of how many attacks might occur in a month. Since the amount of the overage can be so significant, how do I go about keeping the contract properly funded? Is there a better or more common method of setting up the contract?

     Another concern I have is that the provider has offered us a type of "protection" plan that for a monthly fee establishes a fee cap on the amount of overage charges the agency would incur during a DDoS attack. The "protection" plan requires the agency to request a service credit after the agency has suffered a DDoS attack. Upon receipt of the agency's request, the provider would credit any overage charges that are in excess of the fee cap established by the "protection" plan. The "protection" plan they're offering seems to have - to some degree - the effect of insurance. Is this type of plan/service considered insurance? If so, are we allowed to purchase these types of "protection" plans? Or is the Government's limitation on purchasing insurance limited only to insurance provided by insurance companies?

     My last concern with this contract is that the contractor is a FedRAMP compliant cloud service provider (CSP). That's why the agency chose the contractor. The agency's CIO was surprised to learn that bandwidth overage charges could be incurred by the agency during a DDoS attack under this contract. The contractor claims that it provides the agency with DDoS protection (through a third party), but that the additional bandwidth required to keep the agency's websites available during a DDoS attack is not included in the contract price. Does anyone know whether or not a FedRAMP compliant CSP is required to provide DDoS attack protection and additional bandwidth at no additional cost to the Government when there is a contract in place for cloud services? Or is there a more common method the industry employs to allow for excess bandwidth usage in government contracts without additional charges?