GSA boosts FedRAMP accreditation as small-business advantage

The upfront costs in getting certified as a cloud service provider under the Federal Risk and Authorization Management Program may deter some, but small businesses should seize the opportunity as a pathway to grab more government business.  

The General Service Administration on May 14 announced the nine accredited third-party assessment organizations—3PAOs for short—that will assess and test the controls of providers per FedRAMP requirements. The 3PAOs will have an ongoing role in making sure providers meet requirements.

Cloud services providers that go through FedRAMP must use a 3PAO to independently confirm the security implementations required by the program. The process of becoming a certified cloud service provider may seem cumbersome to some but it shouldn’t stop vendors from trying.

Companies that want to pursue government business “need to make this investment anyway,” Kathy Conrad, principal deputy associate administrator of GSA's Office of Citizen Services and Innovative Technologies, said at a June 27 panel discussion organized by Deltek.

“You can’t do business with the government without being granted an [authority to operate], no matter how many times you test your own security,” she said. “You can go through this process once and greatly reduce the redundancy and repetitive investment that’s been required in the past.”

Instead of seeing it as a burden, Conrad said the FedRAMP certification process is a way to help the commercial sector get the accreditation in a cost-effective way.

Several of the current 3PAOs are small firms, and companies that choose to become part of that group not only have the government as a customer but other private-sector organizations that need their services, Conrad said.

“Information security is by no means limited to government,” she said. “I think it’s a great business opportunity for small companies.”

FedRamp.gov outlines the whole process of the certification process and the requirements. However, as a first step to becoming certified, businesses should carefully consult the FedRAMP guide and the actual application, particularly the checklist.

“As a business, you don’t want to start this process before you’re really truly prepared,” Conrad said, noting that particularly important is for companies to be ready to clearly define their system boundaries and being able to do multifactor authentication.

“Before you use your time and resources going through this process, make sure you do your homework and are ready to go through the rigorous kind of assessment that any of the 3PAOs will require of you,” she said.

The process itself may be laborious and time consuming, but Conrad said applicants can expect GSA to provide a lot of communication and feedback to help companies stay on track. 

In the event an applicant’s package is deemed to be lacking anything by the time it reaches the Joint Authorization Board, which grants the provisional ATO, “there will be plenty of opportunities to correct those deficiencies,” Conrad said.

“We’re trying to be fair and have a lot of communication – we’re trying to set everyone up for success,” she said