The Federal Risk and Authorization Management Program, known as FedRAMP, is designed to standardize security assessment, authorization and continuous monitoring for cloud products and services. But it is an expensive and time-consuming undertaking for even the largest companies, which might explain why to date only seven cloud infrastructure providers have been granted provisional authority to operate governmentwide.
But a new trend may be emerging that could streamline the process for introducing the software-as-a-service model to FedRAMP. Infrastructure and platform providers may be increasingly willing to pay for and help manage FedRAMP certification of specific software applications to ride on top of their already-certified infrastructure offerings, said Kenyon Wells, vice president of professional services at CGI Federal.
For example, when the Department of Homeland Security awarded its $95 million blanket purchase agreement in August to Meridian Knowledge Solutions for a cloud-based talent management system, it did so as an infrastructure-as-a-service with CGI Federal’s FedRAMP-certified cloud.
“We won that with Meridian, with their [talent management system] on top of our cloud,” said Wells, speaking at the Akamai Edge Conference on Oct. 9 in Washington, D.C. “But we offered to pay to get the application certified. I think you’re going to see a lot more of that.”
Although there are currently no software-as-a-service providers that have received FedRAMP certification — either from the Joint Authorization Board for governmentwide availability or through an agency-specific authority to operate — Wells said he expects a dozen cloud infrastructures will be certified by the end of the fiscal year.
“Companies that want to play in the federal space are going to have to pay to be there,” Wells said.
And “it’s not cheap. It’s significant,” said Fran Trentley, senior director for global security and government services at Akamai Technologies, which won its JAB provisional authority to operate for its Content Delivery Network on Aug. 22.
“We really did look under every stone. It wasn’t by any means an easy process,” said Christine Schweickert, Akamai’s strategic engagement manager who led the company’s FedRAMP efforts.
But for application providers, FedRAMP has drastically lowered the cost of certification because it shifts the boundaries of responsibility for certification between application providers and infrastructure providers, Schweickert said.
Matt Mitchell, director of Knowledge Consulting Group, the independent Third Party Assessment Organization, or 3PAO, that validated Akamai’s cloud offerings, said he sees a wave of SaaS providers on the horizon for FedRAMP. But he offered some advice for those companies before they engage in the certification process.
“This is telling your story in 600 pages of controls,” Mitchell said. “A lot of customers we help are used to dealing with one agency and their controls.”
But with FedRAMP, “every single control has to live and stand by itself. The typical [certification and accreditation] process doesn’t have that level of detail,” he said.
There are currently 298 controls that cloud service providers must implement under FedRAMP and have validated by an independent 3PAO.