Using the Marketplace — guidance for agencies
On this page:
- Technical support
- Secondary procurement of public cloud services
- Cloud Security Risk and Assurance Considerations
The Marketplace includes a Knowledge Base providing a range of guidance on how to use the Marketplace.
Note: The Knowledge Base does not launch in Microsoft Edge when within the Marketplace.
There is a range of guidance provided, including but not limited to:
- Accounts and Security
- Change Password
- Suspended or Terminated Account
- Using the Marketplace
- Browsing and Purchasing
- Payment and Provisioning
- Agency Account set-up and activation
- Subscription Process
Let us know if you think there should be other content in the Knowledge Base.
This guidance is provided to support Agencies purchasing public cloud services from the Marketplace. Agencies are required to apply their own procurement policies and procedures.
1. The procurement of public cloud services is different from the more orthodox procurement of goods and services in the following ways:
a) more often than not, the cloud service providers are based overseas or use third party infrastructure based overseas from which to provide their cloud services;
b) the cloud service providers are usually providing highly commoditised services and are usually targeting large global audiences;
c) cloud service providers’ business models usually depend on high consumption volumes with minimal to no on-boarding effort on their part for individual customers;
d) the transparency of online international pricing and services ensures competition between providers that, in many respects, is comparable to pricing within a commodity market;
e) supplier’s margins for individual customers are often low;
f) for these reasons, most public cloud service providers are unlikely to participate in public procurement processes for individual purchases unless (and even then only in some cases) the value of the projected spend is high;
g) Agencies using the marketplace channel will be expected to apply their own policies and follow the Government Rules of Sourcing when making procurement decisions. The business rules developed for the marketplace were written with the following considerations in mind.
2. We believe that the approach taken by agencies undertaking a secondary procurement through the marketplace should:
a) take into account the matters mentioned above; and
b) reflect the different kinds of purchasing decisions that agencies could be making.
3. We also think it needs to be realistic given the nature of public cloud services whilst also enabling:
a) comparison of the same or similar cloud services where required or desired; and
b) interaction with relevant cloud service providers when an agency needs further information before being able to make a purchasing decision.
4. The preferred secondary procurement process combines features built into the marketplace's design (such as the default display of competing offerings) with the procurement steps agencies carry out themselves.
Typical Secondary Procurement Process for Procurement of Public Cloud Services
The following describes the steps of a typical secondary procurement process that will be undertaken through the marketplace:
Step 1 – Agencies to be shown competing offerings by default:
i. The marketplace presents the competing offerings to agencies by default (by category tags), regardless of the potential cost of their purchasing.
ii. When an agency searches for a particular type of public cloud service, the marketplace will also show the competing offerings.
iii. The agency is able to then drill into the differing offerings as it chooses. This design choice immediately creates transparency of competing service providers.
Step 2 – Assessment of simple versus complex sign-up:
i. Agencies have differing informational and assurance needs depending on the nature and complexity of the kind of cloud service they wish to use.
ii. It is proposed, therefore, that an agency would be prompted in the marketplace to indicate whether signing up for the services is simple or complex for that agency.
iii. In making this assessment, the agency would need to consider its requirements, the nature of the services, the amount of functional and assurance-related information already available on the marketplace and the extent to which it may require further information from suppliers to make an informed decision and satisfy its own cloud-related certification and accreditation responsibilities.
iv. This is a matter for each agency. Subject potentially to a ‘direct purchasing’ off-ramp for purchases of low value, the answer to this question takes the agency into one of two alternative short-form competitive processes.
Step 3 – Short form competitive process:
i. The short-form competitive process takes one of two forms, depending on whether the agency:
a) can obtain sufficient information from the marketplace to make a decision (the ‘simple’ case); or
b) requires significant further information from suppliers before it can determine which service(s) would meet its requirements (the ‘complex’ case).
ii. The two types of competitive evaluative process are summarised as follows:
a) Simple sign-up evaluative process – primarily passive evaluation:
The evaluative process for simple procurements relies on the pre-existing information in the marketplace service listings (which may include links to other information that the service providers already make publicly available to all customers), although an agency may still ask specific questions of suppliers if it wishes.
This differs from a traditional RFP / RFQ / closed tender approach in that it is more passive: the evaluation draws on information suppliers have already supplied as part of the on-boarding process. For that reason, we refer to it as a ‘primarily passive evaluation’.
b) Complex sign-up evaluative process – interactive evaluation:
The competitive process for non-simple sign-ups involves evaluating suppliers’ information on the marketplace together with their responses to a mini-RFP.
This is a more formal process than the primarily passive evaluation and is expected to involve more active and agency-specific input from suppliers.
The MVP version of the marketplace does not functionally support a mini-RFP process. Where a mini-RFP is required, it will be run outside of the marketplace digital procurement channel.
All Public Cloud Services listed in the Marketplace will be assigned to one of the tiers listed below.
- Tier 3 - Baseline Index (e.g. Marketplace confidence & risk index + GCDO 105 Cloud Risk Assessment Tool)
Suppliers have an independently verified security risk rating and can provide their service on the marketplace
- Tier 2 - Design Analysis
Suppliers have provided additional information and received GCDO endorsement
- Tier 1 - Design and Control Effectiveness (e.g. ISO/IEC 2700X Certification)
Suppliers have provided additional information, hold relevant ISO/IEC 2700X certification and have received GCDO endorsement.
Services listed are required, at a minimum, to have associated with them a Confidence and Risk Index (CRI) rating from an independent Cloud Assurance Security Broker (CASB) and a copy of the GCDO 105 Cloud Risk Assessment Tool with the supplier questions answered. These suppliers will be assigned Tier 3 status.
Note: The GCDO is not endorsing or providing any form of assurance for services listed under a Tier 3 status. A Tier 3 listing only means the supplier has answered the risk assessment questions and obtained an independent CRI rating; it is not a statement that the service is suitable for any particular agency's information.
Optionally, suppliers may seek a higher tier rating (some may already hold this status before joining the Marketplace). If they do, they will work with the GCDO to undergo further assurance activities as required.
Agencies will use the available information to undertake their own certification and assurance activities appropriate for the service(s) being contemplated.