
FedRAMP ramps up


To date, agencies seeking a FedRAMP-certified cloud services provider have exactly one option, but the General Services Administration has 80 companies in the pipeline, and experts say agencies will have a sizeable pool to choose from by the time the accreditations become a baseline requirement for security.

Experts expect to see 10 to 15 accredited companies by the end of 2013, and double that number by the end of 2014, when the FedRAMP security accreditations become mandatory.

“You have, in effect, a two-year runway” to develop a wide pool of accredited companies that can meet the FedRAMP requirements, said Kevin Jackson, vice president and general manager of NJVC, a cloud and cyber-security provider. “This is a very difficult transition, but a very necessary transition.”

Tom McAndrew, executive vice president of Coalfire Federal Services, an independent IT governance and compliance firm, said the government may have an even larger competitive pool.

“In my estimation, there will be approximately 15 to 30 certified cloud providers by the end of 2013,” he said. Moreover, “the FedRAMP repository could hold over 200 certified [cloud service providers] over the next 24 months if the momentum continues to increase.”

In December, GSA’s Federal Risk and Authorization Management Program (FedRAMP) issued the first Joint Authorization Board-approved provisional cloud security authorization. GSA expects several more provisional authority to operate certifications as it moves to FedRAMP’s Full Operating Capability phase around April, an agency spokeswoman said Jan. 4.

Along with the 80 companies, more contractors are pursuing authorities directly with agencies that are using FedRAMP baseline controls and templates.

One expert, however, warned that agencies could face bid protests if the FedRAMP requirement is included in a request for proposal too soon.

“We’ll see a two-caste system grow over the next several years,” said David Bodenheimer, partner at the Crowell Moring law firm. Companies that are awaiting their accreditation “will be at a competitive disadvantage through no fault of their own.”

The accreditation board, which is comprised of the CIOs from GSA and the departments of Defense and Homeland Security, faces a major bottleneck of applications and approvals. “Companies that are waiting in line for the accreditation have invested a lot of money in the status and will not want to give up a chance to win a contract,” Bodenheimer said.

McAndrew, however, said FedRAMP officials anticipated that there would be greater demand for accreditation than they had resources to handle. “And that is why they offer multiple ways of getting into the FedRAMP repository outside of the Joint Authorization Board,” he said, referring to the third-party assessment organizations.

FedRAMP is a standardized approach to cloud-security authorization and monitoring. Officials hope to save the government money, time, and staff by eliminating redundant agency security assessments. Through FedRAMP’s leveraged security authorizations, agencies can also drastically reduce the time it takes to adopt new IT capabilities.

“The FedRAMP provisional authorization process sets a rigorous certification and accreditation bar for cloud service providers,” Dave McClure, associate administrator of GSA’s Office of Citizen Services and Innovative Technologies, said in December.

In the future, there still will be breaches and security issues, but agencies can learn from them and develop securer requirements, McAndrew said.

“We aren’t creating perfection, just raising the minimum bar across the industry,” he said.

About the Author

Matthew Weigelt is a freelance journalist who writes about acquisition and procurement.
