Three routes to FedRAMP: Choose wisely

Placeholder Image for Article Template

There are three paths commercial cloud service providers can take to comply with the government's baseline cloud computing standards, known as the Federal Risk and Authorization Management Program (FedRAMP).

Although the end goal is the same, the journeys can differ in the time it takes to get accredited and potentially in cost, according to FedRAMP Director Maria Roat. CSPs are also likely to experience differing business propositions depending on the paths they take.

The routes

Thus far, the most common route CSPs have chosen is gaining a provisional authority to operate (ATO) from the FedRAMP Joint Authorization Board (JAB), which is led by CIOs at the General Services Administration, the Defense Department and the Department of Homeland Security. A FedRAMP-accredited third-party assessment organization (3PAO) is required for this process. As of March 14, 11 companies have earned ATOs for platform-, infrastructure- or software-as-a-service offerings.

Alternatively, an agency can grant an ATO to a company, and other agencies can choose to take advantage of that authority to work with the company. Again, 3PAOs play a role in agency-issued ATOs and work with agencies and CSPs to ensure that security standards are met. Two companies and one agency -- the Agriculture Department -- have earned agency ATOs for a total of four cloud service offerings.

There is a little-known third route that CSPs can take, but to date no companies have made use of it, although Roat said one company has expressed interest. A CSP can hire a FedRAMP-accredited 3PAO to complete all required documentation, testing and security assessments. All that information could be sent to GSA's FedRAMP office for verification. This method is potentially attractive to companies that cannot or do not want to take advantage of existing federal contracts and do not want to partner with another CSP.

The differences

Once a cloud service provider earns an ATO, any agency can use that company's cloud services with confidence, and that's certainly an attractive option for CSPs. But going through the FedRAMP pipeline tends to take "a few months longer," Roat said. Most CSPs achieve JAB approval in about six months, which is longer than it typically takes a CSP to earn an agency-issued ATO.

"The JAB has more separate eyes viewing it," Roat said, explaining some of the time difference. "It's a governmentwide look. The agency process tends to be shorter because it doesn't have all parties reviewing it."

Yet that governmentwide look can carry weight in the federal cloud space because of how risk assessments are conducted in both situations. CSPs can designate whether they wish to be evaluated against a low-sensitivity or a moderate-sensitivity security baseline depending on the types of data their systems are meant to handle. High-sensitivity designations are currently not part of FedRAMP.

But Roat said an agency perspective on risk assessment could differ from JAB's point of view. In addition, an agency issuing an ATO is responsible for continuous monitoring, which JAB performs for the providers it approves.

"The JAB won't accept any high vulnerability," Roat said. "An agency could say yes to a high vulnerability. Agencies could be more flexible."

However, she added that agencies have plenty of incentive to be thorough in their risk assessments for credibility reasons, as do 3PAOs. Agencies know that other agencies could use the CSPs they approve, and therefore, they could damage their reputations if anything goes wrong.

"Agencies know they are under pressure," Roat said. "They know they need to do a job. They want to get it right the first time. They all have credibility on the line."

Costs are also rumored to vary widely, with agency ATOs likely to be a cheaper overall option. One industry source told FCW that one CSP invested $5 million to achieve JAB approval -- a significant amount of money given how much federal business would be required to recoup those costs.

Some general return-on-investment data is publicly available at MeriTalk's FedRAMP OnRAMP, which also provides a snapshot of which cloud providers are in the FedRAMP pipeline and which avenue they are pursuing.

About the Author

Frank Konkel is a former staff writer for FCW.

FCW in Print

In the latest issue: Looking back on three decades of big stories in federal IT.


  • Anne Rung -- Commerce Department Photo

    Exit interview with Anne Rung

    The government's departing top acquisition official said she leaves behind a solid foundation on which to build more effective and efficient federal IT.

  • Charles Phalen

    Administration appoints first head of NBIB

    The National Background Investigations Bureau announced the appointment of its first director as the agency prepares to take over processing government background checks.

  • Sen. James Lankford (R-Okla.)

    Senator: Rigid hiring process pushes millennials from federal work

    Sen. James Lankford (R-Okla.) said agencies are missing out on younger workers because of the government's rigidity, particularly its protracted hiring process.

  • FCW @ 30 GPS

    FCW @ 30

    Since 1987, FCW has covered it all -- the major contracts, the disruptive technologies, the picayune scandals and the many, many people who make federal IT function. Here's a look back at six of the most significant stories.

  • Shutterstock image.

    A 'minibus' appropriations package could be in the cards

    A short-term funding bill is expected by Sept. 30 to keep the federal government operating through early December, but after that the options get more complicated.

  • Defense Secretary Ash Carter speaks at the TechCrunch Disrupt conference in San Francisco

    DOD launches new tech hub in Austin

    The DOD is opening a new Defense Innovation Unit Experimental office in Austin, Texas, while Congress debates legislation that could defund DIUx.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group