Three routes to FedRAMP: Choose wisely

Placeholder Image for Article Template

There are three paths commercial cloud service providers can take to comply with the government's baseline cloud computing standards, known as the Federal Risk and Authorization Management Program (FedRAMP).

Although the end goal is the same, the journeys can differ in the time it takes to get accredited and potentially in cost, according to FedRAMP Director Maria Roat. CSPs are also likely to experience differing business propositions depending on the paths they take.

The routes

Thus far, the most common route CSPs have chosen is gaining a provisional authority to operate (ATO) from the FedRAMP Joint Authorization Board (JAB), which is led by CIOs at the General Services Administration, the Defense Department and the Department of Homeland Security. A FedRAMP-accredited third-party assessment organization (3PAO) is required for this process. As of March 14, 11 companies have earned ATOs for platform-, infrastructure- or software-as-a-service offerings.

Alternatively, an agency can grant an ATO to a company, and other agencies can choose to take advantage of that authority to work with the company. Again, 3PAOs play a role in agency-issued ATOs and work with agencies and CSPs to ensure that security standards are met. Two companies and one agency -- the Agriculture Department -- have earned agency ATOs for a total of four cloud service offerings.

There is a little-known third route that CSPs can take, but to date no companies have made use of it, although Roat said one company has expressed interest. A CSP can hire a FedRAMP-accredited 3PAO to complete all required documentation, testing and security assessments. All that information could be sent to GSA's FedRAMP office for verification. This method is potentially attractive to companies that cannot or do not want to take advantage of existing federal contracts and do not want to partner with another CSP.

The differences

Once a cloud service provider earns an ATO, any agency can use that company's cloud services with confidence, and that's certainly an attractive option for CSPs. But going through the FedRAMP pipeline tends to take "a few months longer," Roat said. Most CSPs achieve JAB approval in about six months, which is longer than it typically takes a CSP to earn an agency-issued ATO.

"The JAB has more separate eyes viewing it," Roat said, explaining some of the time difference. "It's a governmentwide look. The agency process tends to be shorter because it doesn't have all parties reviewing it."

Yet that governmentwide look can carry weight in the federal cloud space because of how risk assessments are conducted in both situations. CSPs can designate whether they wish to be evaluated against a low-sensitivity or a moderate-sensitivity security baseline depending on the types of data their systems are meant to handle. High-sensitivity designations are currently not part of FedRAMP.

But Roat said an agency perspective on risk assessment could differ from JAB's point of view. In addition, an agency issuing an ATO is responsible for continuous monitoring, which JAB performs for the providers it approves.

"The JAB won't accept any high vulnerability," Roat said. "An agency could say yes to a high vulnerability. Agencies could be more flexible."

However, she added that agencies have plenty of incentive to be thorough in their risk assessments for credibility reasons, as do 3PAOs. Agencies know that other agencies could use the CSPs they approve, and therefore, they could damage their reputations if anything goes wrong.

"Agencies know they are under pressure," Roat said. "They know they need to do a job. They want to get it right the first time. They all have credibility on the line."

Costs are also rumored to vary widely, with agency ATOs likely to be a cheaper overall option. One industry source told FCW that one CSP invested $5 million to achieve JAB approval -- a significant amount of money given how much federal business would be required to recoup those costs.

Some general return-on-investment data is publicly available at MeriTalk's FedRAMP OnRAMP, which also provides a snapshot of which cloud providers are in the FedRAMP pipeline and which avenue they are pursuing.

About the Author

Frank Konkel is a former staff writer for FCW.

Rising Stars

Meet 21 early-career leaders who are doing great things in federal IT.


  • Shutterstock imag (by Benjamin Haas): cyber coded team.

    What keeps govtech leaders up at night?

    A joint survey by Grant Thornton and PSC found that IT stakeholders in government fear their own employees and outdated systems the most when it comes to cybersecurity.

  • SEC Chairman Jay Clayton

    SEC owns up to 2016 breach

    A key database of financial information was breached in 2016, possibly in support of insider trading, said the Securities and Exchange Commission.

  • Image from

    DOD looks to get aggressive about cloud adoption

    Defense leaders and Congress are looking to encourage more aggressive cloud policies and prod reluctant agencies to embrace experimentation and risk-taking.

  • Shutterstock / Pictofigo

    The next big thing in IT procurement

    Steve Kelman talks to the agencies that have embraced tech demos in their acquisition efforts -- and urges others in government to give it a try.

  • broken lock

    DHS bans Kaspersky from federal systems

    The Department of Homeland Security banned the Russian cybersecurity company Kaspersky Lab’s products from federal agencies in a new binding operational directive.

  • man planning layoffs

    USDA looks to cut CIOs as part of reorg

    The Department of Agriculture is looking to cut down on the number of agency CIOs in the name of efficiency and better communication across mission areas.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group