What's the Impact of Cloud Security Compliance?

Published: August 28, 2013

Cloud ComputingDigital GovernmentInnovation

When the General Service Administration launched its Federal Risk and Authorization Management Program (FedRAMP), it promised a “do once, use many times” approach that would simplify the cloud adoption environment by providing both industry and government with baseline security controls. As cloud adoption continues to gain traction across federal agencies, it’s still unclear how the certification will impact cloud vendors’ competitive position.

At the start of the year, it was reported that nearly seventy vendors had applications waiting to complete review. To date, eight cloud service providers have completed the FedRAMP process and received Authority to Operate (ATO) from either the FedRAMP Joint Authorization Board (JAB) or an agency. It’s open to debate whether government customers will prefer one type of ATO over another. Some argue that agency sponsored ATO offers other potential government customers evidence of potential deployments. Others suggest that receiving JAB approval is testament to offering’s ability to withstand the scrutiny of the General Services Administration, Department of Homeland Security, and the Defense Department. In either case, service offerings must meet the same security baseline control requirements.

Curiously, during the pre-launch phase of the program rollout, a FedRAMP official mentioned that providers on the GSA Blanket Purchase Agreements (BPAs) were expected to progress through the process first. While the GSA BPA for Infrastructure as a Service (IaaS) and Email as a Service (EaaS) are represented among the compliant CSPs, their numbers are few. And certainly a variety of other governmentwide acquisition contracts (GWACs) and indefinite delivery/indefinite quantity (IDIQ) contracts are represented as well.
It’s tempting to regard the Department of the Interior (DOI) award for Foundation Cloud Services as an indication that the FedRAMP certification has its benefits. However, only four of the ten vendors selected had completed the process. The DOI cloud services award is an easy example of cloud contract awards that have reacted to FedRAMP certification as more of a suggestion than a requirement. More subtle examples include requirements on established contract vehicles that have evolved to incorporate options for cloud computing deployments.
Agencies still have time to comply with the mandate ensure contracted cloud services meet the FedRAMP baseline controls. Some solicitations have included references to FedRAMP in the requirements, suggesting compliance is a consideration for new efforts. For existing arrangements, however, it’s unlikely that agencies will abandon services when the clock strikes. Even as spending on cloud contracts continues to build, it will be a while before the impact becomes more apparent.