Autonomic Resources Receives FedRAMP Authority to Operate

Published: January 03, 2013

Cloud ComputingCybersecurityDHSInnovationNAVYSmall Business

Just before the close of the 2012 calendar year, the General Services Administration’s Federal Risk and Authorization Management Program (FedRAMP) issued its first security certification, meeting one of the program’s self-imposed deadlines. In the wake of the announcement, some are suggesting that the award bumped the North Carolina based company into a spotlight. Yet in several respects, the award went to a company “pre-qualified” for its status as a FedRAMP Cloud Service Provider (CSP).

Issued on the 26th of December, the provisional authorization is set at the Joint Authorization Board (JAB) level, as opposed to agency granted authority to operate (ATO), which may come into play once FedRAMP launches full operating capabilities. The JAB Authorizing Officials consist of the Chief Information Officers from the Defense Department, Department of Homeland Security and General Services Administration. According to their charter, this group is responsible establishing the priority queue requirements for authorization package reviews and for granting provisional authority to operate based on evaluations of authorization packages, third party assessment organization (3PAO) results and FedRAMP Program Management Office (PMO) insight.

The provisional authorization covers the Automonic Resources Cloud Platform (ARC-P), an Infrastructure as a Service (IaaS) offering providing capabilities for processing, storage, networks and other fundamental computing resources that support deployment and operation of systems and applications through virtual machines. To review their security controls, processes and procedures for compliance with FedRAMP criteria, Autonomic enlisted Veris Group as its 3PAO.

Considering the concerns around the market impact of sourcing arrangements on small businesses, it’s worth noting that Autonomic is an SBA Certified 8(a), small disadvantaged business. Granting them the first approval could be a statement to affirm claims that small businesses won’t be hurt by this process. That being said, the company has established partnerships with Red Hat, IBM, Dell and Microsoft. And they’ve received awards for two government wide BPAs in as many years. 

Autonomic Resources is listed on GSA’s IT Schedule 70 (contract GS-35F-0587R) for term software licenses, perpetual software licenses and maintenance of Software as a Service (SaaS). They also offer IT professional services, training, electronic commerce and subscription services, as well as furnishing new equipment.

They’re among the twelve vendors on the General Services Administration’s IaaS Blanket Purchase Agreement (BPA), which were expected to be among the applicants at the head of the FedRAMP queue. Under the BPA, Autonomic offers virtual machine capabilities. The IaaS BPA award was issued in December 2011, and in August 2012, the Email as a Service (EaaS) BPA was awarded to 17 industry partners. As small businesses go, Autonomic Resources is no fledgling start up.

In building these credentials, Autonomic Resources has already incorporated security precautions that would position it well against the FedRAMP requirements. For example, as part of the GSA IaaS BPA employees and contracted staff undergo are subject to background investigation requirements. Further, the company vouches that most ARC-P assigned staff member have security clearances (at either U.S. Secret or Top Secret DOD levels). To date, its list of government customers include: the Environmental Protection Agency, the Department of Homeland Security, the Navy, the National Institutes of Health, and various state and local government organizations. Again, not typical of many small businesses.

Additional ATOs are expected to be awarded in “early 2013” to any of the applicants that meet the FedRAMP CSP requirements. According to company officials, Microsoft expects to have at least one of its products approved by April 2013. It’s estimated that around 80 vendors had submitted applications by the end of 2012, so they may be in good company.

Due to the granularity required for FedRAMP review, many applicants have had to expand their security plans. By one account, that means plans can range anywhere between 80 and 1,000 pages. In the meantime, guidance is still being provided to vendors on the application process, which has proved a hurdle for some.  The FedRAMP Program Management Office will be holding a webinar on January 8, 2013 to review the completion of the security authorization process, walking through the start of testing to the submission of a final complete package to the FedRAMP repository.