FedRAMP ramps up

To date, agencies seeking a FedRAMP-certified cloud services provider have exactly one option, but the General Services Administration has 80 companies in the pipeline, and experts say agencies will have a sizeable pool to choose from by the time the accreditations become a baseline requirement for security.

Experts expect to see 10 to 15 accredited companies by the end of 2013, and double that number by the end of 2014, when the FedRAMP security accreditations become mandatory.

“You have, in effect, a two-year runway” to develop a wide pool of accredited companies that can meet the FedRAMP requirements, said Kevin Jackson, vice president and general manager of NJVC, a cloud and cyber-security provider. “This is a very difficult transition, but a very necessary transition.”

Tom McAndrew, executive vice president of Coalfire Federal Services, an independent IT governance and compliance firm, said the government may have an even larger competitive pool.

“In my estimation, there will be approximately 15 to 30 certified cloud providers by the end of 2013,” he said. Moreover, “the FedRAMP repository could hold over 200 certified [cloud service providers] over the next 24 months if the momentum continues to increase.”

In December, GSA’s Federal Risk and Authorization Management Program (FedRAMP) issued the first Joint Authorization Board-approved provisional cloud security authorization. GSA expects several more provisional authority to operate certifications as it moves to FedRAMP’s Full Operating Capability phase around April, an agency spokeswoman said Jan. 4.

Along with the 80 companies, more contractors are pursuing authorities directly with agencies that are using FedRAMP baseline controls and templates.

One expert, however, warned that agencies could face bid protests if the FedRAMP requirement is included in a request for proposal too soon.

“We’ll see a two-caste system grow over the next several years,” said David Bodenheimer, partner at the Crowell Moring law firm. Companies that are awaiting their accreditation “will be at a competitive disadvantage through no fault of their own.”

The accreditation board, which is comprised of the CIOs from GSA and the departments of Defense and Homeland Security, faces a major bottleneck of applications and approvals.  “Companies that are waiting in line for the accreditation have invested a lot of money in the status and will not want to give up a chance to win a contract,” Bodenheimer said.

McAndrew, however, said FedRAMP officials anticipated that there would be greater demand for accreditation than they had resources to handle.  “And that is why they offer multiple ways of getting into the FedRAMP repository outside of the Joint Authorization Board,” he said, referring to the third-party assessment organizations.

FedRAMP is a standardized approach to cloud-security authorization and monitoring. Officials hope to save the government money, time, and staff by eliminating redundant agency security assessments. Through FedRAMP’s leveraged security authorizations, agencies can also drastically reduce the time it takes to adopt new IT capabilities.

“The FedRAMP provisional authorization process sets a rigorous certification and accreditation bar for cloud service providers,” Dave McClure, associate administrator of GSA’s Office of Citizen Services and Innovative Technologies, said in December.

In the future, there still will be breaches and security issues, but agencies can learn from them and develop securer requirements, McAndrew said.

“We aren’t creating perfection, just raising the minimum bar across the industry,” he said.

About the Author

Matthew Weigelt is a freelance journalist who writes about acquisition and procurement.

Reader comments

Wed, Jan 9, 2013 Beltway Bill

I'm sorry to say that even after FedRAMP is complete and GSA (et al) is using it, it would be sufficient for the DoD, nor will one DoD-service's acceptance mean another one will. Witness the huge delta between NIST and DIACAP IA Controls.... or the simple fact that C&A reciprocity is still 'just a nice idea' between the services.
