Three routes to FedRAMP: Choose wisely

Placeholder Image for Article Template

There are three paths commercial cloud service providers can take to comply with the government's baseline cloud computing standards, known as the Federal Risk and Authorization Management Program (FedRAMP).

Although the end goal is the same, the journeys can differ in the time it takes to get accredited and potentially in cost, according to FedRAMP Director Maria Roat. CSPs are also likely to experience differing business propositions depending on the paths they take.

The routes

Thus far, the most common route CSPs have chosen is gaining a provisional authority to operate (ATO) from the FedRAMP Joint Authorization Board (JAB), which is led by CIOs at the General Services Administration, the Defense Department and the Department of Homeland Security. A FedRAMP-accredited third-party assessment organization (3PAO) is required for this process. As of March 14, 11 companies have earned ATOs for platform-, infrastructure- or software-as-a-service offerings.

Alternatively, an agency can grant an ATO to a company, and other agencies can choose to take advantage of that authority to work with the company. Again, 3PAOs play a role in agency-issued ATOs and work with agencies and CSPs to ensure that security standards are met. Two companies and one agency -- the Agriculture Department -- have earned agency ATOs for a total of four cloud service offerings.

There is a little-known third route that CSPs can take, but to date no companies have made use of it, although Roat said one company has expressed interest. A CSP can hire a FedRAMP-accredited 3PAO to complete all required documentation, testing and security assessments. All that information could be sent to GSA's FedRAMP office for verification. This method is potentially attractive to companies that cannot or do not want to take advantage of existing federal contracts and do not want to partner with another CSP.

The differences

Once a cloud service provider earns an ATO, any agency can use that company's cloud services with confidence, and that's certainly an attractive option for CSPs. But going through the FedRAMP pipeline tends to take "a few months longer," Roat said. Most CSPs achieve JAB approval in about six months, which is longer than it typically takes a CSP to earn an agency-issued ATO.

"The JAB has more separate eyes viewing it," Roat said, explaining some of the time difference. "It's a governmentwide look. The agency process tends to be shorter because it doesn't have all parties reviewing it."

Yet that governmentwide look can carry weight in the federal cloud space because of how risk assessments are conducted in both situations. CSPs can designate whether they wish to be evaluated against a low-sensitivity or a moderate-sensitivity security baseline depending on the types of data their systems are meant to handle. High-sensitivity designations are currently not part of FedRAMP.

But Roat said an agency perspective on risk assessment could differ from JAB's point of view. In addition, an agency issuing an ATO is responsible for continuous monitoring, which JAB performs for the providers it approves.

"The JAB won't accept any high vulnerability," Roat said. "An agency could say yes to a high vulnerability. Agencies could be more flexible."

However, she added that agencies have plenty of incentive to be thorough in their risk assessments for credibility reasons, as do 3PAOs. Agencies know that other agencies could use the CSPs they approve, and therefore, they could damage their reputations if anything goes wrong.

"Agencies know they are under pressure," Roat said. "They know they need to do a job. They want to get it right the first time. They all have credibility on the line."

Costs are also rumored to vary widely, with agency ATOs likely to be a cheaper overall option. One industry source told FCW that one CSP invested $5 million to achieve JAB approval -- a significant amount of money given how much federal business would be required to recoup those costs.

Some general return-on-investment data is publicly available at MeriTalk's FedRAMP OnRAMP, which also provides a snapshot of which cloud providers are in the FedRAMP pipeline and which avenue they are pursuing.

About the Author

Frank Konkel is a former staff writer for FCW.

The Fed 100

Read the profiles of all this year's winners.


  • Then-presidential candidate Donald Trump at a 2016 campaign event. Image: Shutterstock

    'Buy American' order puts procurement in the spotlight

    Some IT contractors are worried that the "buy American" executive order from President Trump could squeeze key innovators out of the market.

  • OMB chief Mick Mulvaney, shown here in as a member of Congress in 2013. (Photo credit Gage Skidmore/Flickr)

    White House taps old policies for new government makeover

    New guidance from OMB advises agencies to use shared services, GWACs and federal schedules for acquisition, and to leverage IT wherever possible in restructuring plans.

  • Shutterstock image (by Everett Historical): aerial of the Pentagon.

    What DOD's next CIO will have to deal with

    It could be months before the Defense Department has a new CIO, and he or she will face a host of organizational and operational challenges from Day One

  • USAF Gen. John Hyten

    General: Cyber Command needs new platform before NSA split

    U.S. Cyber Command should be elevated to a full combatant command as soon as possible, the head of Strategic Command told Congress, but it cannot be separated from the NSA until it has its own cyber platform.

  • Image from Shutterstock.

    DLA goes virtual

    The Defense Logistics Agency is in the midst of an ambitious campaign to eliminate its IT infrastructure and transition to using exclusively shared, hosted and virtual services.

  • Fed 100 logo

    The 2017 Federal 100

    The women and men who make up this year's Fed 100 are proof positive of what one person can make possibile in federal IT. Read on to learn more about each and every winner's accomplishments.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group