At the end of January, the Federal Risk and Authorization Management Program (FedRAMP) office issued its second cloud service provider provisional authority to operate (ATO). The award went to CGI Federal’s Infrastructure as a Service (IaaS) offering. Issued on the last day of January 2013, the provisional authorization is set at Joint Authorization Board (JAB) level and covers Virtual Machine and Web Hosting cloud services. These offerings will allow federal agencies to procure and provision scalable, redundant, dynamic computing and hosting services. To review their security controls, processes and procedures for compliance with FedRAMP criteria, CGI Federal enlisted SecureInfo as their third party assessment organization (3PAO). SecureInfo, the cybersecurity group under Kratos Defense & Security Solutions, Inc, announced its 3PAO certification in September 2012. The first 3PAO accreditations were announced several months earlier in May, which is interesting to note because the time required for preparing and reviewing security assessments has been looked at as a hurdle in the FedRAMP application process.
The first ATO was issued in December 2012 to Autonomic Resources. The announcement raised some curiosity about the 8(a) certified, small business based out of Cary, North Carolina. But, as we explored previously, Autonomic’s credentials damper any surprise about their FedRAMP certification.
Based on what the two initial FedRAMP approved vendors have in common, you might be able to guess who is positioned next among the 77 or so providers awaiting results of their FedRAMP application reviews. Both Autonomic Resources and CGI Federal are vendors on the General Service Administrations IaaS Blanket Purchase Agreement (BPA). Back among the early presentations and discussions about how the program approval would proceed, GSA officials suggested that the vendors on this BPA were likely to be at the front of the queue. So, it’s worth pointing out that, indeed, both vendors that have received ATOs thus far received certifications for IaaS and are also listed on the GSA’s IaaS BPA.
According to the initial FedRAMP phase schedule, provisional authorizations were expected to be awarded to fewer than 20 vendors and program operations were planned to enter full operations during the second quarter of FY 2013. Incremental delays have extended the phase schedule a bit and the number of initial authorizations has dropped. Still, additional authorizations are expected to be awarded throughout “early 2013.”
Looking at the dozen vendors on the IaaS BPA, there are three that are also on the GSA’s Email as a Service (EaaS) BPA. Of those three, the only one that does not have a FedRAMP ATO is General Dynamics Information Technology. Having recently posted losses for 2012’s fourth quarter, the aerospace and defense company would undoubtedly welcome positioning to expand their share of federal cloud services. Fourteen of the vendors on GSA’s EaaS BPA were not on their IaaS BPA, though. And since email has been a gateway cloud service for a number of federal agencies, additional consideration of the EaaS BPA vendors is warranted. Also, interestingly, company officials at Microsoft reportedly expect to have at least one of its products approved by April 2013, which may sound optimistic considering the pace of announcements.
In a recent panel discussion, leadership from Homeland Security said they were “watching FedRAMP with interest.” The comment highlights the uncertainty remaining around how agencies will leverage the cloud security authorizations. The uncertainty around budgets and sequestration, which will impact migration plans and continuity of operations, are compounding the challenges that both vendors and agencies face while assessing government cloud adoption.