FedRAMP Authority to Operate: Who's Next?
Published: February 12, 2013
Two provisional authorizations have been issued for cloud service providers that meet federal cloud security baseline standards. With close to 80 more vendors in the application pipeline, whose cloud offering is likely to get that next stamp of approval?
At the end of January, the Federal Risk and Authorization Management Program (FedRAMP) office issued its second cloud service provider provisional authority to operate (ATO). The award went to CGI Federal’s Infrastructure as a Service (IaaS) offering. Issued on the last day of January 2013, the provisional authorization is set at Joint Authorization Board (JAB) level and covers Virtual Machine and Web Hosting cloud services. These offerings will allow federal agencies to procure and provision scalable, redundant, dynamic computing and hosting services. To review its security controls, processes and procedures for compliance with FedRAMP criteria, CGI Federal enlisted SecureInfo as its third-party assessment organization (3PAO). SecureInfo, the cybersecurity group under Kratos Defense & Security Solutions, Inc., announced its 3PAO certification in September 2012. The first 3PAO accreditations were announced several months earlier in May, which is interesting to note because the time required for preparing and reviewing security assessments has been viewed as a hurdle in the FedRAMP application process.
According to the initial FedRAMP phase schedule, provisional authorizations were expected to be awarded to fewer than 20 vendors, and the program was planned to enter full operations during the second quarter of FY 2013. Incremental delays have extended the phase schedule a bit and the number of initial authorizations has dropped. Still, additional authorizations are expected to be awarded throughout “early 2013.”
Looking at the dozen vendors on the IaaS BPA, there are three that are also on the GSA’s Email as a Service (EaaS) BPA. Of those three, the only one that does not have a FedRAMP ATO is General Dynamics Information Technology. Having recently posted losses for 2012’s fourth quarter, the aerospace and defense company would undoubtedly welcome being positioned to expand its share of federal cloud services. Fourteen of the vendors on GSA’s EaaS BPA were not on its IaaS BPA, though. And since email has been a gateway cloud service for a number of federal agencies, additional consideration of the EaaS BPA vendors is warranted. Also, interestingly, company officials at Microsoft reportedly expect to have at least one of the company's products approved by April 2013, which may sound optimistic considering the pace of announcements.