The FedRAMP Program Passes a Milestone

By now everyone in the federal cloud market should know the Federal Risk and Authorization Management Program, otherwise known as FedRAMP. This program, begun several years ago by the General Services Administration to provide agency customers with a “certify once, use many times” model for assuring the security of cloud vendor products and services, has made tremendous strides increasing the efficiency of the process. Whereas many once considered FedRAMP a roadblock to agency cloud adoption, the introduction of FedRAMP 2.0 (Accelerated) has cut certification times from previous estimates of 12 to 18 months down to 3 to 4 months. Shorter certification times are also translating into lower costs for both agencies and vendors. In September 2016 FedRAMP Program Manager, Matt Goodrich, stated that the median cost of obtaining FedRAMP authorization totaled approximately $2.25M. As of spring 2017 this cost had dropped to a range of between $350K and $865K, according to a study done by Coalfire. In short, FedRAMP is well on the way to achieving its goal of making agency cloud adoption easier and more secure.

How are agencies responding to the improvements? The data below provides at least part of the answer. It shows the FedRAMP compliance all of the contracted cloud efforts that Deltek has been able to identify and verify from fiscal 2014 to fiscal 2016. When reading this data please keep in mind that it is very difficult to identify the solutions in use at agencies. Simply listing contract awards doesn’t cut it because many contracts are awarded to resellers that provide agencies with access to services like Amazon and Microsoft. The data here summarizes the efforts using a FedRAMP certified solution that Deltek has been able to identify through further research, including reading through statements of work and compiling openly announced awards.

The data shows that the number of FedRAMP compliant solutions in use has grown 197% over the last three fiscal years from 106 in FY 2014 to 315 in FY 2016. Over the same period, the number of non-FedRAMP compliant solutions in use also grew, but at a much slower pace, rising 45%, from 254 in FY 2014 to 288 in FY 2016. Most importantly, the contracting of FedRAMP compliant solutions finally surpassed the contracting of non-compliant solutions. This is a major milestone for the program, proving its success.

Looking at the data split between the Civilian and Defense sectors of the market, we can see that Civilian agencies are using FedRAMP compliant solutions to a much higher degree than the DOD. This is true of cloud in general. Altogether, 49% of Civilian agency contracted efforts from FY 2014 to 2016 were FedRAMP compliant versus 34% of contracted DOD efforts. These numbers could be deceptive, however, because the DOD requires its cloud solution providers to be “FedRAMP+” certified. The FedRAMP+ program layers dozens of additional security controls on top of those required by FedRAMP. Certainly many providers are certified, but teasing out the details here has been very difficult.

Summing up, the procurement data shows that the FedRAMP program is here to stay. What’s more, it is flourishing. With such a high percentage of cloud procurements featuring FedRAMP certified solutions it is probably safe to say that possessing the certification is now a must have for vendors who wish to compete in the space.