The California Department of General Services is releasing this Request for Proposal to solicit proposals from
Authorized Federal Risk and Authorization Management Program (FedRAMP) Moderate Cloud
Service Providers (CSP), providing Infrastructure as a Service (IaaS) and/or Platform as a Service
(PaaS) Cloud offerings.
a. The CSP must be FedRAMP Authorized at the Moderate level by the proposal due date as
identified in Section I.E., Key Action Dates.
b. The Contractor must provide a portal and training for CDT for self-provisioning. The training
shall be included in the bid price.
c. The CSP must ensure, if using Network Edge Services, that the NIST ISO/IEC 27018:2014
certification has been achieved for the specific services being added to the portfolio. These
services augment the CSP’s IaaS and/or PaaS portfolio and may be included as part of the
portfolio services without obtaining a FedRAMP Authorization to Operate (ATO) for that
service. The Network Edge Services must have achieved NIST ISO/IEC 27018:2014
certification, which provides guidance aimed at ensuring that CSPs offer suitable information
security controls to protect the privacy of their customers’ clients by securing PII (Personally
Identifiable Information) entrusted to them, for the specific service being added to the portfolio.
Services that have the potential of containing confidential and/or sensitive data must have the
ability to contain that service within the continental United States.
d. Service Provider shall enable the State to encrypt Personal Data and Non-Public Data at
rest, in use, and in transit with controlled access. The SOW and/or SLA will specify which
party is responsible for encryption and access control of the State Data for the service model
under Contract. If the SOW and/or SLA and the Contract are silent, then the State is
responsible for encryption and access control.
Application Programming Interface Requirements (M)
The Contractor’s IaaS and/or PaaS must provide open Application Programming Interfaces
(API) that provide the capability to:
a. Migrate workloads between the public cloud and the State’s private on-premises cloud
where CDT acts as the broker of those services and has the ability to logically separate
b. Define networks, resources and templates within a multi-tenant environment with the
use of available APIs;
c. Provision and de-provision virtual machines and storage within a multi-tenant
d. Add, remove and modify computing resources for virtual machines within a multi-tenant environment;
e. Add, remove and modify object and block storage within a multi-tenant environment;
f. Retrieve financial and billing information that provides detailed information for each
CDT customer (i.e. Eligible Public Entity) subscriber;
g. Retrieve performance indicators for all workloads in the multi-tenant environment;
h. Retain all workloads and support within the U.S.;
i. Retrieve log data from all workloads; and
j. Provide the ability to model potential workloads to determine cost of services.
Environment Requirements (M)
The Contractor’s cloud environment must have the ability to:
a. Provide a multi-tenant environment that supports a parent/child administrative
relationship that enables the CDT (parent) to programmatically apply compliance and
regulatory requirements and standards down to the Eligible Public Entities.
b. Provide FIPS 140-2 compliant cryptographic modules;
c. Support cost tracking by resource tags or other solutions to tracking costs for Eligible
d. Run and manage web applications, including .NET environments;
e. Provide managed database services with support for multiple database platforms;
f. Support Security Assertion Markup Language (SAML) federation;
g. Provide integration with a customer’s on-premises Active Directory;
h. Provide a managed service to create and control encryption keys used to encrypt data;
i. Provide a dedicated Hardware Security Module (HSM) appliance for encryption key
j. Provide services to migrate workloads to and from the State’s VMware and Hyper-V
k. Provide dashboard reporting that provides performance monitoring, usage and billing