Commentary
11/4/2010
03:44 PM

How Feds Shut Out The Cloud Start-Ups

The federal government's newly detailed voluntary, standardized process to make sure cloud computing services meet government security requirements was supposed to facilitate the adoption of innovative technologies, but in its current iteration, it may fall short.

First, a bit of background to set the stage. Today, agencies typically take apps and services through their own security accreditation processes, regardless of whether other agencies have already authorized the same systems for government use. The FedRAMP process is designed to eliminate duplication and reduce costs with a standardized process. Once a service is certified by FedRAMP, other agencies can leverage the certification, thereby speeding up time to deployment for cloud services.

However, one problem is that FedRAMP, as it's currently proposed (it was released earlier this week in draft form), requires that agencies looking to deploy particular services sponsor those services' certifications. Vendors can't request certification on their own, nor can the Office of Management and Budget (which heads up IT policy for the feds) or General Services Administration (which is running FedRAMP) simply pick and choose a list of suppliers whose services they want to certify.

That may keep the burden on the young FedRAMP process low by pushing only those services through the process that are going to be adopted by agencies. However, it may also shut out start-ups.

The first companies whose products get certified on FedRAMP will inevitably be the big players who are actively courting government customers and/or already have active government deployments. IBM, Microsoft and Google have all said they have FedRAMP certifications in waiting, and companies like Amazon.com, EMC and Salesforce.com are sure to be close on their heels.

Security accreditation is estimated to cost six figures, and that's a big chunk of change to drop on an unproven start-up that may only have one product an agency wants to use. What's an agency to do? Is it to drop $100,000 to certify a start-up's niche service that meets all of an agency's needs, or simply leverage the pre-existing authorization of a Microsoft product that meets most of its needs? The prudent course might be to leverage Microsoft's authorization rather than open up the wallet, especially in a period of budget crunches.

Unfortunately, that'll keep the universe of authorized services relatively small, and the same services may be used over and over. There's got to be a better way to close the gap between the government and start-ups, many of whom already shy away from government business because it's too expensive and arduous.
