**Important update 2** On Dec. 19, 2023, a Draft Performance Work Statement (PWS) was posted on GSA eBuy under RFQ1671198 and on The Draft PWS includes IaaS/PaaS (Pool 1) requirements and defines general scope for SaaS (Pool 2) and IT Professional Services (Pool 3). While GSA has had a protracted acquisition timeline for the release of Ascend, they have consistently communicated throughout the importance of Supply Chain Risk Management and the requirement for SCRM plan submission. If you have questions on the Ascend BPA and its underlying requirements, please don’t hesitate to contact the Baker Tilly team.

**Important update 1** On May 23, 2022, GSA released a Draft Performance Work Statement (PWS) notice to solicit questions, comments and feedback on proposed BPA pools, sub-pools and anticipated solicitation requirements. Now designated as the “Ascend” BPA, the PWS provides lax sub-pool definitions compared to the initial RFI released in October 2021. Unchanged are the major pool designations and primary SIN requirements. Also unchanged are the key compliance drivers for offerors under the BPA, including at least annual SCRM plan submission and heightened cybersecurity considerations that are embedded within the statement (and discussed below). If there are any questions, please don’t hesitate to contact the Baker Tilly team.

In a recent interview with Federal Computer Week, Laura Stanton, assistant commissioner for the Office of the Information Technology Category in the General Services Administration’s (GSA) Federal Acquisition Service, revealed that GSA plans to launch a “cloud marketplace to serve as a comprehensive framework and one-stop shop for federal agencies seeking cloud solutions.” Recognizing the tremendous growth in the government’s use and need for cloud computing solutions, a marketplace will help focus agency needs on a select group of vetted solution providers. According to GSA, the need for such a vehicle has only intensified as agencies have continued a shift to a virtual working environment spurred on by the pandemic.

On Oct. 4, 2021, GSA issued an initial request for information (RFI) providing more details on the contemplated vehicle:

The response deadline to the RFI for interested offerors is Oct. 14, 2021.

The following details were shared about the contemplated vehicle:

  • Agency:  GSA, Federal Acquisition Service (FAS) and Information Technology Category (ITC)
  • Contract vehicle type:  Multiple award blanket purchase agreement (BPA) against multiple award schedule (MAS)
  • MAS Special Item Numbers (SINs)
    - 518210C: Cloud and Cloud-Related IT Professional Services
    - 54151S: IT Professional Services
    - Order Level Materials (OLM)
  • Scope:  Includes the traditional cloud computing service models (Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS)), and Cloud-Related Information Technology (IT) Professional Services

The RFI notice indicates that the multiple award BPA will consist of three independent primary pools with respective independent sub-pools, as shown below.  Baker Tilly has also provided the notional minimum qualifying criteria for security given that this will be a significant focal point for prospective vendors. 

Pool one: Infrastructure as a Service (IaaS) and Platform as a Service (PaaS)
Notional minimum qualifying criteria (security)
Sub-pool 1-1 Unclassified IaaS and PaaS Cloud Service Offerings (CSOs)
  • FEDRAMP IL Moderate
  • DoD CC SRG IL 2 Authorization
  • CMMC Level 2 or third party cyber audit
  • SCRM plan
  • Participation in government cyber monitoring programs
Sub-pool 1-2 Classified IaaS and PaaS CSOs
  • DoD CC SRG IL 6 Authorization
  • CMMC Level 3 or third party cyber audit
  • SCRM plan
  • Participation in government cyber monitoring programs
Sub-pool 1-3 Future government identified requirement(s)

Pool two: Software as a Service (SaaS)
Notional minimum qualifying criteria (security)
Sub-pool 2-1 Enterprise office productivity
  • FEDRAMP IL Moderate
  • DoD CC SRG IL 2 Authorization
  • CMMC Level 2 or third party cyber audit
  • SCRM plan
  • Participation in government cyber monitoring programs
Sub-pool 2-2 Customer relationship management (CRM)
  • FEDRAMP IL Moderate
  • DoD CC SRG IL 2 Authorization
  • CMMC Level 2 or third party cyber audit
  • SCRM plan
  • Participation in government cyber monitoring programs
Sub-pool 2-3 Future government identified requirement(s)

Pool three: Cloud Professional Services
Notional minimum qualifying criteria (security)
Sub-pool 3-1 Application services, applications modernization services, Fortran Programming Language professional services
  • Facility clearance level (confidential, secret, top secret)
  • CMMC Level 2 or third party cyber audit
Sub-pool 3-2 Future government identified requirement(s)
  • CMMC or third party cyber audit

GSA also provided the correlation between the pools and MAS SINs:

  • Pool one
    - Primary: 518210c
    - Secondary: Ancillary OLM
  • Pool two
    - Primary: 518210c
    - Secondary: Ancillary OLM
  • Pool three (Cloud Professional Services)
    - Primary: 518210c, 54151S
    - Secondary: Ancillary OLM

Notably, the number of awards GSA intends to make is currently unknown, but the administration stated it will be “dependent on the number of offerors capable of meeting BPA technical requirements and offering best value solutions.”

SCRM plan requirement

Federal procurements have increasingly included requirements for offerors to describe SCRM practices and provide detailed plans of action to protect hardware, software and embedded components from compromise (otherwise known as a “SCRM plan”). GSA has been at the forefront in requiring contractors to understand and manage risks to their supply chains.

The mention of a SCRM plan requirement in the preliminary goals associated with GSA’s cloud marketplace dovetails with recent GSA solicitations (8(a) STARS III, Polaris, GSA FEDSIM ASTRO and others), which have required offerors to articulate current practices in identifying, assessing and mitigating supply chain risk, along with adherence to governing frameworks. GSA RFPs have referred contractors to NIST SP 800-161 (a federal government requirement that wasn’t designed for private companies) for guidance in developing an approach for their SCRM plans. Several procurements have gone as far as to state outright that supply chain risk processes and/or events may be subject to audit at the government’s discretion. For those organizations that have not prepared a current, accurate and complete SCRM plan, it would be prudent to consider doing so in advance of the final release of the solicitation associated with this cloud services BPA.

Baker Tilly is here to help

Baker Tilly is here to assist with solidifying your SCRM practices, starting by performing a gap assessment or utilizing other evaluation procedures to assess your risk. We also can help you understand aspects of these updated requirements that are applicable to your organization, while helping you best allocate time and resources to understand what is “fit for purpose” for your SCRM program.

Additionally, your organization may require a SCRM plan, either now or in the future. These plans explore the processes you currently have in place to manage your third-party risk and oftentimes require an in-depth understanding of governmental standards. We regularly assist organizations with preparing SCRM plans in order to avoid complications that may arise with federal review and evaluation of these plans.

As the pandemic and recent supply chain “shocks” made clear, risk management procedures and business continuity plans can be tested at any time. Federal contractors should look to develop an effective SCRM program that puts the systems, policies and processes in place that will allow them to effectively mitigate and manage ongoing supplier risks. Baker Tilly stands ready to support your organization.

Leo Alvarez