It’s a little over two years since the June deadline for federal agencies to ensure their implemented cloud solutions are compliant with the government-wide cloud security baseline. The tally of compliant offerings continues to grow. At this point, the options are pretty evenly spread across the three different service models: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS). In total, there are 38 offerings including authorizations awarded by the FedRAMP Joint Authorization Board (JAB) and federal agencies as well as cloud service provider (CSP) supplied reviews. (It’s worth noting that several offerings are available in multiple service models, which impacts the spread across them.)
Between the time FedRAMP launched initial operations in June 2012 and the end of October 2014, fewer than 20 total authorizations for cloud solutions were awarded by the FedRAMP Joint Authorization Board (JAB) and federal agencies. At the start of 2015, the count of compliant cloud service providers had climbed to 27. Since then, another 10 offerings have been approved. The rate at which compliant cloud services complete the FedRAMP process has more than doubled. When the FedRAMP introduced, program leadership described the approach as “Crawl-Walk-Run.” Indeed, the program certainly seems to be gaining steam as it pursues its new strategy over the next two years.
Earlier this month, Stan Kaczmarczyk, director of the Cloud Computing Services Program Management Office (PMO) in the General Services Administration’s (GSA) Federal Acquisition Service, and FedRAMP Director Matt Goodrich both commented on the impact that FedRAMP compliance has had on the bidding process for cloud computing contracts. The practice of agencies requiring FedRAMP authorization in order to bid work stands to limit competition. In response to this emerging habit, GSA officials have advised agencies that FedRAMP authorization is fine to include as evaluation criteria, but it shouldn’t be a factor from the start. To help clarify their stance further, the FedRAMP PMO is working to finalize procurement guidance for agencies. The suggestion that vendors need only be engaged in the FedRAMP process, not completed, in order to bid on cloud has prompted some to speculate that the FedRAMP program office may be setting itself up to receive a rash of sub-par submissions. That seems unlikely considering the steps the process improvements the program has undertaken, not to mention the costs associated with completing the submission process. It may provide incentive for vendors previously on the fence to initiate the process, though.