Skip to main content

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

survey icon Share your experience with the FAS IT-Playbook by taking this brief survey

FAQs (Frequently Asked Questions)

Browse through these FAQs to find answers to commonly raised questions that the Office of Acquisition IT Services (IQ) assists its customers with. If you're new to FAS-IT, we encourage you to not only browse through these questions and answers, but to also explore the relevant IT Playbook links appended to the answers.

Table of Contents:

FAS-IT General Questions

What is the FAS-IT Playbook?

The FAS-IT Playbook is a fluid suite of resources that serves as both a set of processes and mechanisms to deliver excellent business value to FAS-IT customers. Currently, it is delivered in the form of a GSA-internal Google Site that offers users over 10 major sections of content, and when including sub-sections, over 60 pages of FAS-IT guidance and resources.

How authoritative should we take the FAS-IT Playbook to be?

The IT Playbook should be the first stop to answer questions around the why and how of FAS-IT. It is an illustration of the FAS-IT direction and intention, containing information about process, architecture, and methodology. The Playbook follows a contribution or crowdsourcing model, similar to the FAS-IT ecosystem. We encourage you to submit whitepapers and case studies for the Playbook as you build new design constructs or discover new methods. The AEA team moderates content so that information is categorized and then added to the Playbook. If you would like to suggest content based on your knowledge from government or industry, let us know.

FAS Cloud Services (FCS) Generic Questions

What are FAS Cloud Services?

FAS Cloud Services (FCS) are a collection of cloud-centric tools and services that help FAS and GSA-IT improve IT project outcomes, while reducing costs and support requirements. The FCS Team is the provider for the foundational services of our modernization and data ecosystem. Refer to the following resources for more information on FAS Cloud Services:

IT Playbook: FAS Cloud Services

GSA.gov: FAS Cloud Services

GSA-internal FCS Portal

FCS-Sandbox

How can I get access to an FCS Sandbox environment?

You need the following prerequisites: A GSA email, and the SecureAuth Authentication App.

Then, you complete the following steps:

  1. Fill out and submit the FCS Sandbox agreement form
  2. Forward the Google Forms receipt to Scott Lewis and Jason Sun
  3. Once approved, the person requesting access will receive a "Welcome to FCS" email with instructions and credentials.
  4. Must be inside GSA Citrix Gateway or using GFE with VPN in order to navigate to https://auth.helix.gsa.gov/ and use GSA credentials to login to the AWS Sandbox. An OTP (One Time Password) will be sent to the person's GSA email for MFA purposes.

What are the constraints in using an FCS Sandbox environment?

The AWS Console cannot be accessed without being inside GSA Citrix Gateway or GFE with VPN. Additionally, FCS Sandbox environment has very short timeouts.

FCS-Cloud Enablement

I hear a lot about Cloud Enablement. Can you give me a concise idea of what this is so that I can understand it and communicate it to my folks? How do we interact with this group / philosophy?

Our team is outcome-driven and uses cloud to improve efficiency. FAS-IT’s people/process/solution advisory framework for cloud enablement joins together the application teams, FAS stakeholders, and AEA team to align playbooks and capabilities, consider cost and schedules, and manage the application cloud transformation spreadsheet. This includes short, medium, and long-term milestones for transformation. For example, the FSS-19 application team works with the cloud enablement team in an iterative “time box.” The three parties and AEA come together to make decisions. What is the three and five-year plan? What is best for our architecture, costs, and efficiency? Can we leverage what has already been done? The IPT has weekly office hours on Wednesday mornings to interact with the cloud enablement POC and provide general information on cloud strategy.

How can I request a new feature, and what is involved in the process?

FCS has a New Feature Request (NFR) form that tenants can fill out in order to request a new feature. We urge tenants to enter their NFRs as early as possible, to give all teams time for prioritization and implementation. Once the NFR is submitted, it’s reviewed by the CETT team and presented at the Government’s weekly review board. Following approval, the NFR will go into the teams backlog, for prioritization consideration during the next Program Increment (PI) planning, which occurs every two months.

How can I expedite a ticket when it becomes more urgent?

While there is no formal escalation process, the CETT team strives to complete tenant tickets in a timely manner. We encourage tenants to submit their tickets as early as possible so that the team is able to prioritize and implement all of FCS’ tenant tickets. To check on the status of your ticket, we recommend using the standard communication channels: ServiceNow, FCS/tenant Google Channels, CETT/tenant monthly touch points, or emailing FCS-support.

As a prospective tenant, what can I do proactively as I’m planning my modernization effort?

Engage with our team and start the Cloud Enablement (CE) Journey as early in your planning as possible. In particular, as you are developing your “To-Be” solution architectures, we encourage you to engage us right from the start. This will help ensure your technical teams to fully understand FCS capabilities and take these capabilities and the FCS roadmap into consideration when developing technical requirements and solidifying timelines. To begin your CE Journey, please reach out directly to either Jason Sun or Bill Fredricks.

What are the mechanisms that exist for my teams to really learn and understand about what capabilities FCS offers?

Self-Serve mechanisms are:

Direct mechanisms:

Can tenants take advantage of S3 Video File Streaming?

This is not currently supported on the platform. FCS is evaluating this new feature request for submission into our VR3 process for consideration into our engineering backlog.

Does Freedom offer a QuickDeploy job, as legacy Jenkins did?

Not at the moment. This request has been approved by FCS and is in our engineering backlog for prioritization and planning.

Is there a long-term solution for Jenkin’s recurring “Grabbing Grapes” issue?

The FCS Delivery team has implemented two changes to address this issue. First, the underlying infrastructure running Freedom has been scaled up. Secondly, Freedom now utilizes an AWS plugin to pull the AWS Java SDK, rather than pulling it programmatically from a Groovy script. We have seen no reports of this issue since those changes were made.

Is there a way to manually remove RDS Snapshots, similar to how we can create them through Freedom?

The creation of a job to remove snapshots has been approved by the FCS VR3 process. It has entered our product team’s backlog for prioritization and planning.

Is there a way to manage the lifecycle of the items in my S3 bucket with Glacier?

Lifecycle management policies with Glacier have been approved by the FCS VR3 process. It has entered our product team’s backlog for prioritization and planning.

Does FCS support IPV6 Traffic?

FCS does not currently provide support for IPv6 traffic. However, OMB recently released a mandate that will require 80% of systems to support end-to-end IPv6 communication Government wide by 2025. FCS will begin implementing IPv6 support as a part of that larger initiative to meet the OMB mandate. FCS is currently in the planning phase.

What services are available in the MCaaS 1.0 General Availability release?

Click here for a list of services

What’s FCS’s end-of-life process?

The Security team reviews the FCS Component Inventory spreadsheet and coordinates with the Infrastructure team to address software that is end of life. We are looking to improve this manual process, and are in the process of preparing a VR3 package to request a pilot of NetBrain and ISEC (tools were briefed in the FCS CONOPS 2020) to automatically monitor the FCS platform - providing an automated inventory and patching management, and continuous compliance.

What Data Service offerings are available?

Click here for a list of Data Service offerings available

As a tenant, how do I obtain access to the Cloud Enablement Journey project in Jira?

Does FCS support the use case for accessing on-premise databases? We are considering moving a JEE application (running on JBoss) to FCS. But moving the data is not an easy task. Can the JBoss JDBC connection pool connect to a Sybase DB running on-premise? Furthermore, are there any risks with those connections being reset and becoming stale? If direct connection to DB is not an option, can applications consume web service APIs running on-premise?

FCS supports accessing both on-premise databases and web service APIs given network connectivity to the on-premise data center. If FCS has network connectivity to the on-premise data center, then a direct connection to the on-premise database can be established by opening a Firewall Change Request (FCR). If network connectivity has not already been established then FCS does not support the use case for accessing an on-premise database and alternatives such as data migration should be considered. FCS has network connectivity to GSA on-premise, if you need to access another on-premise data center please work with the Tenant Experience team to determine whether or not network connectivity exists between FCS and your target data center.

What is the process for onboarding to MCaaS?

Onboarding to MCaaS is a multi-faceted process that includes FCS’ Cloud Enablement (CE), MCaaS, Security, Tenant Experience (TeX), and GSA IT Security. Tenants will be assigned a Cloud Advocate, who will be their partner throughout the entire Cloud Enablement journey. In order to onboard to MCaaS, tenants must first go through the Cloud Enablement process in order to gauge alignment, identify gaps between the business requirements and MCaaS’ supported functionality, and develop a Cloud Strategy for onboarding. After Cloud Enablement, FCS Security will go over the security process and work with the tenant to negotiate key dates in the ATO process with GSA IT Security. Once a timeline has been established with GSA IT Security, the MCaaS team can schedule onboarding work, including provisioning a development environment. Once the development environment is delivered, the TeX team will work with the tenant to get their application deployed to MCaaS. At this point the tenant can begin to complete the ATO process with GSA IT Security. Finally, once a tentative ATO approval is given the MCaaS team will provision the production environment and the tenant can deploy to go live.

We have a significant deployment coming up. How can we work with FCS to ensure that it goes smoothly?

Please email William Brower and Gurkiran Sethi on the Tenant Experience (TeX) team with the scheduled date and a list of requirements for the deployment. The TeX team will setup a meeting with Cloud Enablement (CE) and your Cloud Advocate to go over the requirements, identify gaps, and begin planning support for the deployment. Coordinating well in advance of the deployment will help FCS staff off hours support requests and schedule NFRs. FCS’ Off-Business Hours Support SOP can be found here.

What is the process for updating SSL certificates within FCS?

SSL certificates fall on both sides of the tenant responsibility model in FCS. Tenants are responsible for renewing SSL certificates and requesting, via a ServiceNow ticket, that FCS update certificates on the NetScaler.

The process for tenants from renewal to update is as follows: 1. Schedule the current certificate’s expiration date on a calendar 2. Start the renewal process for each certificate at least 2 weeks in advance of expiration 3. Generate a certificate signing request (CSR) and private key 4. Open an SSL certificate request in the Self Service Portal (Home -> Service Catalog -> Account Services -> GSA SSL Certificate) and include both the CSR and private key 5. Update, or add, a DNS TXT record for the associated domain to prove ownership 6. Open a ServiceNow request, directed at GSA.FCS-Level-1, asking for FCS to update the SSL certificate for the domain on NetScaler. Please include the domain name, the new certificate, and the private key from steps 3 and 4. 7. Schedule the new certificate’s expiration date on a calendar

What are the steps in the ATO process and who is responsible for each step?

Click here for the steps

How does the application team work with the business area's Data Governance Program?

We are more than just a tech shop - we are mission driven. The cloud enablement team puts the data ecosystem first and has active members on the Data Governance Board. Together, the cloud enablement, data governance, and application teams become one, collaborative IPT team. For example, the purpose of the ACR (Advanced Catalog Management Repository) was to leverage application architecture. The idea was to catalog data architecture to understand data domains and data stewards.

We have been told that FCS only supports business hours while after-hours and weekends are considered ‘best effort’. As more and more applications (some supporting global users) are being supported by FCS, is there a plan to address off-hours and weekends?

Yes. However, our team is constantly evaluating the best course of action given our capacity and resources. Fine tuning DevSecOps is an area of focus for us from a strategic perspective. This would require financial re-engineering to ensure that we can provide support after hours.

Can application teams take advantage of Reserved Instances to reduce our cloud infrastructure costs?

We recognize that plans are complex so costs should be monitored closely. FCS has an RI (Resiliency Framework) that is currently achieving 98-99%. These cost savings have been directed to operating costs and lowering cloud rates. Please refer to the cloud economics model.

When developing solutions, should we plan for the following: (1) reuse services, (2) plan to contribute reusable services through the contribution model or, (3) use platforms, like MCaaS?

BPA, COMET, and IT Staff need to work for the mission of GSA and taxpayers. Under the contribution model, reuse is important and facilitated by our modular model. These building blocks allow for reuse by other teams. MCaaS is a reusable platform. Over the past five years, we have learned and brought in new concepts and design factors. MCaaS is a means of expressing the do’s and don’ts of what we’ve learned and how to build security. It creates an interconnected module of shared services. Partners are encouraged to use MCaaS. The platform was built for GSA and meant to be a space to share lessons learned. MCaaS can also be built into the CIPP Pipeline. For more on MCaaS and other platforms, please refer to the FAS IT Playbook.

Developer Environments for Modernization

What are some best practices in terms of how many environments one should have as part of its IT Modernization Plan?

There are typically the following for environments key to any modernization effort:

Development (DEV)

Application: Applications development platform for developers. Less organized, amorphous configuration.

Data: Data structures in development / not finalized. No production data.

Testing (QA)

Application: Configuration approaches consistency of PROD. Used for unit, integration, and systems testing.

Data: Data structure finalized. Faker data replicating Prod data.

Staging (Stage)

Application: Configuration identical to PROD but without capacity / load balancing of PROD. Used for Training - live and recorded, screen-capture based.

Data: Prod data as prescribed by security and training requirements

Production (PROD)

Application: Full-on Production system for use by user community

Data: Legacy data, as required, has been migrated. Full-data management in-force (e.g. formal Records Management).

IT Security

What is the process to obtain an ATO at GSA?

Visit the IT Playbook’s Authority to Operate webpage and be sure to check out these FAS system-specific resources on the webpage:

Where can I find information on the authentication mechanism FAS applications/systems use?

Explore the Identity and Access Management webpage, which explains that while SecureAuth remains the primary authentication mechanism for internal users within FAS-IT, Login.gov and Okta are additional resources used.

FAS Architecture

Where can I see how the myriad of FAS internal and external systems interact?

The Services and Capabilities Architecture subpage under FAS Architecture Strategy provides a conceptual view of FAS systems and the context around them.

How does FAS-IT reckon with the continuous flow of new technologies coming to market?

FAS-IT provides Transitional Architectures, so that the roadmap to modernization is clearly understood from the start. These architectures are notional, to a degree, but represent the future trends.

When will FAS systems move off of legacy mainframe systems?

A general timeline to show when the mainframe can be cut off for select systems is available on the Mainframe Migration Roadmap subpage.

Does FAS-IT consider innovative technologies, such as Blockchain and Machine Learning?

Yes. Enabling Technologies are something that FAS-IT is eager to incorporate into its solutions for the FAS business, to produce tangible, traceable operational outcomes for FAS.

Does the FAS-IT Playbook acknowledge GSA’s API Strategy?

Yes. Our API Management goals support the broader GSA API Management effort.

FAS Initiatives

How does the progression of the modernization of FAS business systems get communicated?

A series of timelines that represent the FAS-IT Modernization Roadmap are updated and posted to the IT Playbook regularly.

FAS Agile Best Practices

Are there resources we can use to ensure that the documentation associated with modernization projects reduces overall risk and supports GSA’s agile mindset and adoption?

Yes - a growing, evolving set of templates are available for downloading and customizing.

GACA Request Instructions

Option 1: How to Create a GSA Affiliated Customer Account (GACA)

Provide the following steps to your government agency customer or business partner to create a GACA:

  1. Create a Gmail account at http://mail.google.com/mail/signup
    • Enter the first name and last name
    • Enter the username: must start with "GSA." Then first name, last name - example: GSA.johnsmith@gmail.com
    • Complete all required fields
  2. Accept the Terms of Service and submit the request.
  3. Set up 2-Step Verification (also known as two-factor authentication) using a smartphone that can receive simple messages.

Provide a copy of the GSA Affiliated Customer Accounts (GACA) Process, Feb 2023 [PDF - 176 KB] instructional letter for additional reference.

Note: Your government agency/business partner contact must create their own GACA. You cannot create it for them.

Option 2: How to request entry into the FCS Cloud Ecosystem via GACA access request, which will provide access to the IT Playbook

  1. Fill out the GACA Request Form and follow the instructions on the form.
  2. You will receive an email once the request has been approved and you can access the Playbook