GSA boosts FedRAMP accreditation as small-business advantage

The upfront costs of getting certified as a cloud service provider under the Federal Risk and Authorization Management Program may deter some, but small businesses should seize the opportunity as a pathway to winning more government business.

The General Services Administration on May 14 announced the nine accredited third-party assessment organizations—3PAOs for short—that will assess and test the controls of providers per FedRAMP requirements. The 3PAOs will have an ongoing role in making sure providers continue to meet those requirements.

Cloud service providers that go through FedRAMP must use a 3PAO to independently confirm the security implementations required by the program. The process of becoming a certified cloud service provider may seem cumbersome to some, but it shouldn’t stop vendors from trying.

Companies that want to pursue government business “need to make this investment anyway,” Kathy Conrad, principal deputy associate administrator of GSA's Office of Citizen Services and Innovative Technologies, said at a June 27 panel discussion organized by Deltek.

“You can’t do business with the government without being granted an [authority to operate], no matter how many times you test your own security,” she said. “You can go through this process once and greatly reduce the redundancy and repetitive investment that’s been required in the past.”

Instead of seeing it as a burden, Conrad said the FedRAMP certification process is a way to help the commercial sector get the accreditation in a cost-effective way.

Several of the current 3PAOs are small firms, and companies that choose to become part of that group not only have the government as a customer but other private-sector organizations that need their services, Conrad said.

“Information security is by no means limited to government,” she said. “I think it’s a great business opportunity for small companies.”

FedRAMP.gov outlines the whole certification process and its requirements. However, as a first step to becoming certified, businesses should carefully consult the FedRAMP guide and the actual application, particularly the checklist.

“As a business, you don’t want to start this process before you’re really truly prepared,” Conrad said, noting that it is particularly important for companies to be ready to clearly define their system boundaries and to support multifactor authentication.

“Before you use your time and resources going through this process, make sure you do your homework and are ready to go through the rigorous kind of assessment that any of the 3PAOs will require of you,” she said.

The process itself may be laborious and time-consuming, but Conrad said applicants can expect GSA to provide a lot of communication and feedback to help companies stay on track.

In the event an applicant’s package is deemed to be lacking anything by the time it reaches the Joint Authorization Board, which grants the provisional ATO, “there will be plenty of opportunities to correct those deficiencies,” Conrad said.

“We’re trying to be fair and have a lot of communication – we’re trying to set everyone up for success,” she said.

About the Author

Camille Tuutti is a former FCW staff writer who covered federal oversight and the workforce.


Reader comments

Sat, Jun 30, 2012 DR

I see this as a huge potential GSA debacle. First, even if a company gets a provisional ATO through FedRAMP, there is absolutely no guarantee that this will satisfy an individual agency, EACH of which still needs to grant an ATO of their own before a company can provide cloud services to that agency. In other words, the FedRAMP program could give you an OK, but Interior could make you go back to the drawing board with more testing if they have more stringent standards, correct? Given the fact that agencies may all want to retain their own autonomy in determining the "right" level of security for their systems, how many are really going to accept a FedRAMP provisional ATO as "good enough for me"? Second, it seems that the only opportunity for small businesses here is to become a 3PAO, and certainly not to become one of the first batch of companies to receive a provisional ATO. As Peter Tuttle noted, the JAB doesn't seem to want small businesses in that pipeline. In fact, the JAB has stated, "FedRAMP will prioritize the review of cloud systems with the objective to assess and authorize cloud systems that can be leveraged government-wide." In plain language, they are stating that they only want large-scale solutions from large companies to apply for approval. Obviously, these large companies will gain a massive competitive advantage in being able to shut out the vast majority of their commercial competition in a controlled land grab. Small businesses will be put on hold literally for years only to be allowed into the market when it is largely saturated. Third, allowing a very small number of 3PAOs to set their own prices in this MANDATORY market allows the 3PAOs to keep prices extremely high for the certification process - there simply is nowhere else that a company can go to.
Even ignoring the inherent problem with unfunded mandates, it seems to me that a drastic expansion of the number of 3PAOs is needed in order to introduce price competition into the testing and certification process. Like Al Haig stepping up to the mic and declaring that he is in charge after Reagan's shooting, it seems that GSA is opportunistically asserting authority over a situation which it does not actually control. Remember, even a provisional ATO from FedRAMP gets you absolutely NOTHING until an agency issues you an actual ATO, allowing you to provide services to that agency. I just don't see this turning out well. It may turn out to be yet another situation in which GSA gets vendors to jump up and down, hula-hoop, and do cartwheels, all for GSA's own amusement while providing no tangible benefit to the vendor itself or to the government as a whole.

Fri, Jun 29, 2012 OccupyIT

Unfortunately, GSA typically delivers more hype and PR than services. They tend to service their 'club members'.

Thu, Jun 28, 2012 Peter G. Tuttle, CPCM

Sounds good, but let me quote from a recent email to a small business applicant from the FedRAMP PMO: "Thank you for your application to have a FedRAMP security assessment. Unfortunately, at this time your application is not prioritized for review by the Joint Authorization Board. During our initial operating capability, we only have the capacity to complete a limited number of assessments. However, as we move out of initial operating capability and into full operations, the FedRAMP PMO and Joint Authorization Board will have the capacity to complete more assessments." So, go ahead & apply but don't expect too much.
