Three routes to FedRAMP: Choose wisely

There are three paths commercial cloud service providers can take to comply with the government's baseline cloud computing standards, known as the Federal Risk and Authorization Management Program (FedRAMP).

Although the end goal is the same, the journeys can differ in the time it takes to get accredited and potentially in cost, according to FedRAMP Director Maria Roat. CSPs are also likely to experience differing business propositions depending on the paths they take.

The routes

Thus far, the most common route CSPs have chosen is gaining a provisional authority to operate (ATO) from the FedRAMP Joint Authorization Board (JAB), which is led by CIOs at the General Services Administration, the Defense Department and the Department of Homeland Security. A FedRAMP-accredited third-party assessment organization (3PAO) is required for this process. As of March 14, 11 companies have earned ATOs for platform-, infrastructure- or software-as-a-service offerings.

Alternatively, an agency can grant an ATO to a company, and other agencies can choose to take advantage of that authority to work with the company. Again, 3PAOs play a role in agency-issued ATOs and work with agencies and CSPs to ensure that security standards are met. Two companies and one agency -- the Agriculture Department -- have earned agency ATOs for a total of four cloud service offerings.

There is a little-known third route that CSPs can take, but to date no companies have made use of it, although Roat said one company has expressed interest. A CSP can hire a FedRAMP-accredited 3PAO to complete all required documentation, testing and security assessments. All that information could be sent to GSA's FedRAMP office for verification. This method is potentially attractive to companies that cannot or do not want to take advantage of existing federal contracts and do not want to partner with another CSP.

The differences

Once a cloud service provider earns an ATO, any agency can use that company's cloud services with confidence, and that's certainly an attractive option for CSPs. But going through the FedRAMP pipeline tends to take "a few months longer," Roat said. Most CSPs achieve JAB approval in about six months, which is longer than it typically takes a CSP to earn an agency-issued ATO.

"The JAB has more separate eyes viewing it," Roat said, explaining some of the time difference. "It's a governmentwide look. The agency process tends to be shorter because it doesn't have all parties reviewing it."

Yet that governmentwide look can carry weight in the federal cloud space because of how risk assessments are conducted in both situations. CSPs can designate whether they wish to be evaluated against a low-sensitivity or a moderate-sensitivity security baseline depending on the types of data their systems are meant to handle. High-sensitivity designations are currently not part of FedRAMP.

But Roat said an agency perspective on risk assessment could differ from JAB's point of view. In addition, an agency issuing an ATO is responsible for continuous monitoring, which JAB performs for the providers it approves.

"The JAB won't accept any high vulnerability," Roat said. "An agency could say yes to a high vulnerability. Agencies could be more flexible."

However, she added that agencies have plenty of incentive to be thorough in their risk assessments for credibility reasons, as do 3PAOs. Agencies know that other agencies could use the CSPs they approve, and therefore, they could damage their reputations if anything goes wrong.

"Agencies know they are under pressure," Roat said. "They know they need to do a job. They want to get it right the first time. They all have credibility on the line."

Costs are also rumored to vary widely, with agency ATOs likely to be a cheaper overall option. One industry source told FCW that one CSP invested $5 million to achieve JAB approval -- a significant amount of money given how much federal business would be required to recoup those costs.

Some general return-on-investment data is publicly available at MeriTalk's FedRAMP OnRAMP, which also provides a snapshot of which cloud providers are in the FedRAMP pipeline and which avenue they are pursuing.