FedRAMP Adoption Trends, FY 2016-2018
Published: July 31, 2019
FedRAMP becomes the government’s de facto baseline cloud security process.
News broke recently that Rep. Gerry Connolly (D-Va.) and Rep. Mark Meadows (R-NC) have sponsored a new piece of legislation called the FedRAMP Reform Act of 2019. This bill follows the FedRAMP Reform Act of 2018, introduced by Rep. Connolly last summer, which ended up going nowhere on the legislative agenda. Now Rep. Connolly and Rep. Meadows are trying again to have the GSA’s FedRAMP program codified in statute so that it remains in existence in perpetuity. The two representatives are also attempting, through legislation, to address industry concerns about the FedRAMP program’s high costs and long authorization timelines. These concerns are legitimate, particularly for small and medium-sized businesses that cannot afford to spend hundreds of thousands of dollars getting a solution FedRAMP certified before they have generated any revenue from its sale. They also take place, however, in a context of rapidly widening FedRAMP adoption.
FY 2016-2018 FedRAMP Adoption
Data collected by Deltek for its cloud database shows that agencies are rapidly adopting FedRAMP-certified solutions as their de facto baseline cloud security standard.
Measured by the number of FedRAMP-certified solutions contracted over the last three fiscal years, agencies in general are nearly doubling the number of FedRAMP-certified solutions they procure each year. In spending terms this trend has been a boon for contractors with certified solutions. In FY 2016, for example, agencies spent $556M buying FedRAMP-compliant solutions. By FY 2018 that number had risen to $1.7B. Civilian agencies are leading the charge, spending $1.2B of the FY 2018 total, while the DOD spent $506M.
FY 2016-2018 FedRAMP Adoption by Impact Level
In terms of adoption by data impact level, the chart below shows that agencies are acquiring solutions certified at FedRAMP Moderate more than any other type.
Those familiar with the FedRAMP program might notice the data listed in the “Moderate / High” category and wonder how a solution can be both when only three data impact levels (Low, Moderate, High) exist. The reason is that Deltek’s Cloud Database records FedRAMP compliance levels from multiple sources, including the online FedRAMP Marketplace, government solicitations, and solution provider websites. Some of those sources describe requirements that were still being competed, or whose documentation stated that either a Moderate- or a High-rated solution would be acceptable. Hence the blended category.
When it comes to spending on FedRAMP Moderate solutions, Civilian agencies again led the way, obligating $429M in FY 2018 alone. The DOD, by comparison, spent $145M on FedRAMP Moderate solutions in FY 2018.
As Deltek has been advising for several years now, securing FedRAMP certification for commercial solutions is now effectively mandatory to be competitive. The cost of FedRAMP certification remains high, but some SaaS solutions can be fast-tracked to reduce that expenditure through FedRAMP Tailored, which applies only to low-impact SaaS offerings (LI-SaaS); a SaaS solution handling Moderate-impact data still goes through the full Moderate baseline. The DOD also now accepts certified FedRAMP Moderate solutions by default (at Impact Level 2 under the DOD Cloud Computing SRG), reinforcing the need for contractors to secure certification to be competitive.