FedRAMP ramps up

GSA's program to pre-certify cloud providers has awarded only one certification so far. It won't remain alone for long, experts predict.


To date, agencies seeking a FedRAMP-certified cloud services provider have exactly one option, but the General Services Administration has 80 companies in the pipeline, and experts say agencies will have a sizeable pool to choose from by the time the accreditations become a baseline requirement for security.

Experts expect to see 10 to 15 accredited companies by the end of 2013, and double that number by the end of 2014, when the FedRAMP security accreditations become mandatory.

“You have, in effect, a two-year runway” to develop a wide pool of accredited companies that can meet the FedRAMP requirements, said Kevin Jackson, vice president and general manager of NJVC, a cloud and cyber-security provider. “This is a very difficult transition, but a very necessary transition.”

Tom McAndrew, executive vice president of Coalfire Federal Services, an independent IT governance and compliance firm, said the government may have an even larger competitive pool.

“In my estimation, there will be approximately 15 to 30 certified cloud providers by the end of 2013,” he said. Moreover, “the FedRAMP repository could hold over 200 certified [cloud service providers] over the next 24 months if the momentum continues to increase.”

In December, GSA’s Federal Risk and Authorization Management Program (FedRAMP) issued the first Joint Authorization Board-approved provisional cloud security authorization. GSA expects several more provisional authority to operate certifications as it moves to FedRAMP’s Full Operating Capability phase in around April, an agency spokeswoman said Jan. 4.

Along with the 80 companies, more contractors are pursuing authorities directly with agencies that are using FedRAMP baseline controls and templates.

One expert, however, warned that agencies could face bid protests if the FedRAMP requirement is included in a request for proposal too soon.

“We’ll see a two-caste system grow over the next several years,” said David Bodenheimer, partner at the Crowell & Moring law firm. Companies that are awaiting their accreditation “will be at a competitive disadvantage through no fault of their own.”

The accreditation board, which comprises the CIOs from GSA and the departments of Defense and Homeland Security, faces a major bottleneck of applications and approvals. “Companies that are waiting in line for the accreditation have invested a lot of money in the status and will not want to give up a chance to win a contract,” Bodenheimer said.

McAndrew, however, said FedRAMP officials anticipated that there would be greater demand for accreditation than they had resources to handle. “And that is why they offer multiple ways of getting into the FedRAMP repository outside of the Joint Authorization Board,” he said, referring to the third-party assessment organizations.

FedRAMP is a standardized approach to cloud-security authorization and monitoring. Officials hope to save the government money, time, and staff by eliminating redundant agency security assessments. Through FedRAMP’s leveraged security authorizations, agencies can also drastically reduce the time it takes to adopt new IT capabilities.

“The FedRAMP provisional authorization process sets a rigorous certification and accreditation bar for cloud service providers,” Dave McClure, associate administrator of GSA’s Office of Citizen Services and Innovative Technologies, said in December.

In the future, there still will be breaches and security issues, but agencies can learn from them and develop more secure requirements, McAndrew said.

“We aren’t creating perfection, just raising the minimum bar across the industry,” he said.