FedRAMP Certified Solutions and the GSA Cloud SIN

Published: September 20, 2017


Cloud providers should add both GSA’s Cloud SIN and FedRAMP compliance to be competitive.

Back in April of this year I posted a bit of analysis on the number of vendors that had added GSA’s new Cloud Special Item Number (132-40) to their GSA Schedule 70 contracts. In that post I noted that 53 vendors had been approved to do business under the new Cloud SIN, helping to confirm that a growing volume of agency cloud procurement is moving to Schedule 70 (see chart below).

The one angle I left out of the earlier post is the percentage of those new Cloud SIN vendors whose solutions have also received FedRAMP certification. In Fiscal 2016 the number of awards made by agencies for FedRAMP certified solutions surpassed those without FedRAMP certification for the first time ever, indicating that FedRAMP certification is becoming an important competitive factor.

Since that spring blog post an additional 15 solutions/vendors have added the new Cloud SIN to their GSA Schedules, bringing the total number of providers up to 68. This post takes a look at how many of those 68 solutions/vendors also have FedRAMP certification.

The chart below shows the results.

Only about 23% of the vendors with the new Cloud SIN have acquired FedRAMP certification for their solutions. While this might seem to be a low percentage, one of the things to keep in mind is that at least a few of the vendors on GSA’s Cloud SIN list are resellers. Carahsoft and DLT Solutions come immediately to mind, but there are others as well. Vendors like DLT and Carahsoft provide federal customers with access to cloud services offered by Microsoft and Amazon Web Services – both of which have received FedRAMP certification for even the most sensitive data.

Meanwhile, neither Microsoft nor Amazon nor other big players like Google, for that matter, have yet added the Cloud SIN to their Schedule 70 contracts, so you can see the difficulty involved in doing a straightforward analysis of the subject. There are nevertheless dozens of other vendors, including a large number of small businesses, that have added the Cloud SIN and yet their solutions are not FedRAMP certified.

All of this suggests several things about the market:

First – A larger number of vendors have positioned themselves to compete for cloud business on Schedule 70. The data shows clearly that this is the place to be because agencies are using Schedule 70 more for cloud procurement.

Second – As of Fiscal 2016, FedRAMP certification has become a critical discriminator for being competitive in this market. More agencies are demanding it in acquisitions and they are awarding more contracts to FedRAMP certified vendors.

Third – Not enough vendors who have added the Cloud SIN have received FedRAMP certification. This means that while more vendors can compete under SIN 132-40, they are less likely to win any awards because they haven’t FedRAMP certified their solutions.

In other words, to take advantage of evolving trends in the cloud market, vendors need to get FedRAMP certifications AND add the Cloud SIN to their GSA Schedule contracts. These pieces represent the two most important parts of any go-to-market strategy that cloud providers must have to be competitive.