FedRAMP ramps up

To date, agencies seeking a FedRAMP-certified cloud services provider have exactly one option, but the General Services Administration has 80 companies in the pipeline, and experts say agencies will have a sizeable pool to choose from by the time the accreditations become a baseline requirement for security.

Experts expect to see 10 to 15 accredited companies by the end of 2013, and double that number by the end of 2014, when the FedRAMP security accreditations become mandatory.

“You have, in effect, a two-year runway” to develop a wide pool of accredited companies that can meet the FedRAMP requirements, said Kevin Jackson, vice president and general manager of NJVC, a cloud and cyber-security provider. “This is a very difficult transition, but a very necessary transition.”

Tom McAndrew, executive vice president of Coalfire Federal Services, an independent IT governance and compliance firm, said the government may have an even larger competitive pool.

“In my estimation, there will be approximately 15 to 30 certified cloud providers by the end of 2013,” he said. Moreover, “the FedRAMP repository could hold over 200 certified [cloud service providers] over the next 24 months if the momentum continues to increase.”

In December, GSA’s Federal Risk and Authorization Management Program (FedRAMP) issued the first Joint Authorization Board-approved provisional cloud security authorization. GSA expects several more provisional authority to operate certifications as it moves to FedRAMP’s Full Operating Capability phase around April, an agency spokeswoman said Jan. 4.

Along with the 80 companies, more contractors are pursuing authorities directly with agencies that are using FedRAMP baseline controls and templates.

One expert, however, warned that agencies could face bid protests if the FedRAMP requirement is included in a request for proposal too soon.

“We’ll see a two-caste system grow over the next several years,” said David Bodenheimer, partner at the Crowell Moring law firm. Companies that are awaiting their accreditation “will be at a competitive disadvantage through no fault of their own.”

The accreditation board, which is composed of the CIOs from GSA and the departments of Defense and Homeland Security, faces a major bottleneck of applications and approvals. “Companies that are waiting in line for the accreditation have invested a lot of money in the status and will not want to give up a chance to win a contract,” Bodenheimer said.

McAndrew, however, said FedRAMP officials anticipated that there would be greater demand for accreditation than they had resources to handle. “And that is why they offer multiple ways of getting into the FedRAMP repository outside of the Joint Authorization Board,” he said, referring to the third-party assessment organizations.

FedRAMP is a standardized approach to cloud-security authorization and monitoring. Officials hope to save the government money, time, and staff by eliminating redundant agency security assessments. Through FedRAMP’s leveraged security authorizations, agencies can also drastically reduce the time it takes to adopt new IT capabilities.

“The FedRAMP provisional authorization process sets a rigorous certification and accreditation bar for cloud service providers,” Dave McClure, associate administrator of GSA’s Office of Citizen Services and Innovative Technologies, said in December.

In the future, there still will be breaches and security issues, but agencies can learn from them and develop more secure requirements, McAndrew said.

“We aren’t creating perfection, just raising the minimum bar across the industry,” he said.

About the Author

Matthew Weigelt is a freelance journalist who writes about acquisition and procurement.

Reader comments

Wed, Jan 9, 2013 Beltway Bill

I'm sorry to say that even after FedRAMP is complete and GSA (et al) is using it, it would be sufficient for the DoD, nor will one DoD-service's acceptance mean another one will. Witness the huge delta between NIST and DIACAP IA Controls.... or the simple fact that C&A reciprocity is still 'just a nice idea' between the services.
