
I have an IT contract for cloud-based web hosting services among the many contracts I've inherited recently. IT contracts are new to me, so I don't know if the contract was properly written or not. The contract provides the agency with a definite amount of bandwidth every month. During a distributed denial of service (DDoS) attack, the amount of bandwidth the agency uses can easily exceed the amount of bandwidth that the contract allows for. The subject contract provides for overage charges whenever the agency exceeds the amount of bandwidth provided by the contract in any particular month.

My concern with this scheme is that the contract currently does not provide funding for overage charges incurred by the agency. In fact, I have to modify the contract to add funds in order to be able to pay last month's invoice because it included overage charges that the agency had not anticipated. I assume that there should be funding on the contract to cover the overage charges, but how do I estimate something that can vary so significantly from month to month? We have no advance knowledge of when DDoS attacks will occur, or of how many attacks might occur in a month. Since the amount of the overage can be so significant, how do I go about keeping the contract properly funded? Is there a better or more common method of setting up the contract?

Another concern I have is that the provider has offered us a type of "protection" plan that for a monthly fee establishes a fee cap on the amount of overage charges the agency would incur during a DDoS attack. The "protection" plan requires the agency to request a service credit after the agency has suffered a DDoS attack. Upon receipt of the agency's request, the provider would credit any overage charges that are in excess of the fee cap established by the "protection" plan. The "protection" plan they're offering seems to have - to some degree - the effect of insurance. Is this type of plan/service considered insurance? If so, are we allowed to purchase these types of "protection" plans? Or is the Government's limitation on purchasing insurance limited only to insurance provided by insurance companies?

My last concern with this contract is that the contractor is a FedRAMP compliant cloud service provider (CSP). That's why the agency chose the contractor. The agency's CIO was surprised to learn that bandwidth overage charges could be incurred by the agency during a DDoS attack under this contract. The contractor claims that it provides the agency with DDoS protection (through a third party), but that the additional bandwidth required to keep the agency's websites available during a DDoS attack is not included in the contract price. Does anyone know whether or not a FedRAMP compliant CSP is required to provide DDoS attack protection and additional bandwidth at no additional cost to the Government when there is a contract in place for cloud services? Or is there a more common method the industry employs to allow for excess bandwidth usage in government contracts without additional charges?


Rios, have you discussed these questions with your IT requirements people, including the CIO? It seems that they should be familiar with the topic. As for allowability of the "protection" plan, some types of insurance are acceptable. However, I'm not an expert on the cost principle at FAR 31.205-19 -- Insurance and Indemnification.


Joel, I agree - the FedRAMP question is something that the IT people should know about, but since the whole FedRAMP thing is relatively new, they don't. I wasn't too optimistic about receiving an answer to that part of my question. And the insurance question might be more suitable for Legal. But the rest of my question is acquisition specific. I'm simply asking how I might fund this contract so that I don't run the risk of incurring an Anti-Deficiency Act violation if our usage skyrockets in a given month. I don't have any way of anticipating the amount of bandwidth we might use if we were attacked.



Wow! I'm fortunate to have an excellent IT organization, I guess. Your guys are still the ones who should find answers to those questions. That would seem to fall into their lane as far as responsibility for defining the scope and limits of the contract to meet the organization's requirements.

As to your second point, hopefully someone can help there.


Guest Vern Edwards

No. The potential overage up to the limit would have been a contingent liability. See the GAO Redbook, Vol. II, Ch. 7, Section C.


Vern, I read the section and it addresses my situation exactly. The contingency is the DDoS attack. So I'll discuss with the program office the requirement that they commit (or reserve) funds for this purpose. It sounds then that I don't need to establish a limit on the contract, because establishing a limit could cause the provider to shut us down if we exceed our usage during such an attack. We should commit funds for this purpose and obligate them should such an attack occur. Do I need to document the commitment in the contract file, or is that simply a Program/Budget issue?


Guest Vern Edwards

If you don't establish a limit, how will you know how much money to commit? You need a limit. Every contract has to have some limit on funds liability. Every contract.


Vern, I'm going to look at my GAO Redbook now. Don, I did not understand what you meant by a commitment of funds. Did you mean that we should obligate to the limit?

No, a commitment is an administrative reservation of funds--it is not an obligation. See 080202 of the DoD FMR (Volume 3, Chapter 8) for a discussion of committing funds.


Thank you Don and Vern. I think I understand now. Let me know if I'm on the right track with the following language:

The limit of the Government's liability to the contractor for bandwidth usage charges that exceed the bandwidth amounts listed in the schedule, and that result from DDoS attacks on the agency's websites or from other unanticipated surge events, is $XX,XXX.XX in any one calendar-month period. The contractor shall not provide the agency with bandwidth under this contract that would result in charges to the agency in excess of this amount, except at its own risk.

Then I would require the program office to commit funds in the amount of $XX,XXX.XX, to be obligated if a contingency materializes into an obligation. I still have to research commitments, since it's not something I've worked with in the past.


Guest Vern Edwards

The language of your limitation clause should match the language of the contract. You previously used the term "overage charges." Is that a contract term or just something that you made up? If it's a contract term, then you should state the limit in terms of "overage charges."


Thank you Vern. I will look at the contract again to ensure that the language I use in the modification is consistent with the language in the contract. And to provide an update on one other item, our general counsel advised me that the plan the vendor is offering (see original post) is not insurance, and therefore is not subject to the restriction on purchasing insurance. Regarding my FedRAMP concern, I'll look to the CIO for information regarding FedRAMP requirements.

I appreciate everyone's feedback!


Rios, what would you expect the contractor to do if you had a serious attack that caused your bandwidth usage to exceed the limit you establish? Could the agency assume the risk of not having the extra bandwidth? Also, have you considered what the impact on your appropriation would be if the contractor reached the monthly limit on a continuous basis?


Guest Vern Edwards

The requirement and funding questions raised by Retread are programmatic. The contractual solutions are easy. The program office needs to tell contracting what it wants and how much money it has to spend.


I think you may be misunderstanding what FedRAMP is. FedRAMP allows for a provisional authority to operate (ATO) a cloud system federal-wide (I think up to medium), I believe based on NIST 800-53. It is not FISMA and has nothing to do with SLAs. If you don't know what I'm talking about I'd strongly recommend finding someone who can assist you in understanding.



I'm in the process of negotiating a fixed monthly price for overage charges. We're also looking at modifying the contract to state the total allowed bandwidth on an annual basis rather than a monthly basis. For example, rather than having 2 TB of bandwidth per month, we'd have 24 TB of bandwidth to use throughout the year. There are several options on the table. But to answer your question, I'd assume that if we established a limit and we hit that limit, the contractor might shut us down. In reality, they would probably not shut us down and would simply submit an invoice which we'd end up paying - one way or another.



Thanks jlbdca. I based my original question on the understanding that the FedRAMP compliant contractor must have certain security protocols and policies in place that protect the agency's websites in the cloud environment. I thought that one security requirement might be the requirement to provide protection against DDoS attacks. That's why I was asking. The thread has provided me with the information I needed to proceed. Thanks to everyone who contributed.
