FedRAMP Certified Capability Adoption Trends, FY 2017-2019

Key Takeaways

• From FY 2017 to 2019, 67% of the cloud solutions procured by federal agencies were FedRAMP compliant.
• The number of procured cloud solutions dropped in FY 2019 after strong growth in FY 2018.
• The top five FedRAMP compliant solutions by number of contracts awarded were Adobe desktop capabilities (1,646), Amazon Web Services (321), Salesforce Government Cloud (293), Microsoft Azure (253), and Microsoft 365 (91).
• Cloud solutions should be FedRAMP certified to compete in the federal marketplace.

Back in March 2020, around the start of the COVID-19 public health crisis, MeriTalk published a brief report showing that 71% of surveyed federal employees thought the Office of Management and Budget’s updated Cloud Smart strategy had contributed to a rapid acceleration of cloud adoption across federal agencies. Cloud Smart emphasizes the need for agencies to improve their security postures as part of cloud adoption and a portion of that process includes leveraging Federal Risk and Authorization Management Program (FedRAMP) approved cloud services and capabilities to the furthest extent possible.

It appears OMB tapped into a trend that had already been accelerating across government because agency use of FedRAMP-certified cloud services was growing for a couple of years before the Cloud Smart strategy came out in 2019. Now, Deltek has updated data concerning FedRAMP capability adoption trends from FY 2017-2019, which it published on August 27 as part of its Federal Cloud Computing Market, 2020-2022 report.

This data shows that from FY 2017 to 2019 federal agencies procured at least 5,917 cloud solutions and services, including purchases of single capabilities, cloud migration and strategy development services, engineering services, etc. Deltek identified those that were FedRAMP compliant by noting either a demand for the requirement in the solicitation or verification of the solution’s compliance as listed on the GSA Program Management Office’s FedRAMP Marketplace website.

Over that three year period 3,699 procured solutions/services ended up being FedRAMP compliant, a total of 63%, meaning 27% of cloud solutions agencies procured were not FedRAMP certified despite OMB compliance requirements.

The most interesting insight from this data comes when it is examined on a year-by-year basis, and this shows growth and then a leveling-off in the use of FedRAMP solutions. In FY 2017, for example, 62% of the cloud solutions agencies procured were FedRAMP compliant. In FY 2018, this number rose to 67%, but then it fell to 58% in FY 2019. This drop tracked with a decline in the overall number of cloud solutions procured that year. Data in the past has shown that years of strong growth can be followed by years of weaker growth so the data from FY 2019 should be considered a normal fluctuation.

According to Deltek’s data, the top five solutions by number of contracts awarded were Adobe desktop capabilities (1,646), Amazon Web Services (321), Salesforce Government Cloud (293), Microsoft Azure (253), and Microsoft 365 (91).

Meanwhile, in terms of FedRAMP authorization levels used, the data showed the following

Agencies continue to use FedRAMP Moderate solutions more than any other type, driven in part by the fact that Defense organizations cannot use cloud solutions with a FedRAMP certification lower than Moderate. As for the top end of the spectrum, the number of FedRAMP High solutions procured came in very low by comparison. Part of the reason for this is the way agencies report contract data. Learning the solution used can be difficult if the information has not been released publicly. The best we can do, therefore, is record the certification level requirement in the solicitation documents. These show frequent demand for either FedRAMP Moderate or High, which is why the blended category is included in the graphic above. Undoubtedly, a good percentage of those solutions eventually contracted were FedRAMP High.

Summing up, federal agency use of FedRAMP certified solutions continues going strong. The decline in procured solutions in FY 2019 is undoubtedly a temporary dip in the overall trend, which continues upward, reinforcing the need for cloud solutions to be certified in order to compete in the federal marketplace.