FedRAMP: Sure-Fire Path To Acquisition In The Cloud Market - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Cloud // Infrastructure as a Service
News
6/1/2015
11:01 AM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

FedRAMP: Sure-Fire Path To Acquisition In The Cloud Market

Little known Virtustream, Autonomic Resources, and Carpathia had one thing in common -- FedRAMP certifications. This helped when it came to acquisitions.

8 Reasons IT Pros Hate The Cloud
8 Reasons IT Pros Hate The Cloud
(Click image for larger view and slideshow.)

Small, regional, or start-up cloud service providers might wonder what's a workable strategy for becoming an acquisition target in a crowded marketplace that is dominated by a few giants. They may not know it, but a sure fire way to cashing in is by obtaining the FedRAMP cloud security rating from the US General Services Administration.

While an expensive and time-consuming process, the certification has proven a winner for several cloud firms.

One lesser known provider that did get the FedRAMP certification, Virtustream, was having trouble making headway against the likes of Microsoft Azure, Amazon Web Services, and the Google Cloud Platform. Nevertheless, it was acquired May 26 by EMC for $1.2 billion as a way for the storage product supplier to branch out into full cloud services -- and gain an avenue to offer services to the federal government.

As it happens, Virtustream announced at the end of July that it had been approved by the Department of Interior as a FedRAMP authorized supplier of services.

That move was preceded by CSC's Feb. 25 purchase of Autonomic Resources, another FedRAMP certified provider, for an undisclosed amount.

Data center builder QTS Realty Trust in Reston, Va., bought FedRAMP-certified Carpathia for $326 million. The firm has five data centers that host the VMware vCloud Government Service. That deal was announced May 7.

(Image: KellyISP/iStockphoto)

(Image: KellyISP/iStockphoto)

Those with the certification find themselves suddenly going up in value, even though they may have been previously a small and specialized service provider. The reason being is that only a handful of FedRAMP certifications have been issued.

[Read more about EMC's purchase of Virtustream.]

The Federal Risk Authorization Management Program or FedRAMP was meant to impose a standard security assessment for use by government agencies in evaluating cloud suppliers.

The GSA appointed a Joint Authorization Board to review applicants. It has issued certifications to 14 companies, sometimes for just one of many services that these firms offer.

In Virtustream's case, it was assessed by an outside agency, Coalfire, on behalf of the Department of Interior. Likewise, Salesforce.com was certified a year ago through the Department of Health and Human Services to operate its Government Cloud.

IBM has previously told InformationWeek its SoftLayer cloud data centers in Dallas and Washington were built to meet both FedRAMP and federal FISMA standards. The IBM Smart Cloud for Government is certified by the GSA's Joint Authorization Board.

The FedRAMP evaluation process "sets a rigorous certification and accreditation bar for cloud service providers," said Dave McClure, associate administrator of the GSA's Office of Citizen Services and Innovative Technologies, as the standard was being put into practice in early 2013. It was announced by the Office Management and Budget in 2011 and set a deadline of June 5, 2014, for meeting it.

"We aren't creating perfection, just raising the minimum bar across the industry," McClure said in an interview at the time.

It takes 18 months or longer and a submission of 1,000 pages of technical and legal documentation to win FedRAMP certification. The effort is estimated to cost between $4 and $5 million.

The GSA lists 14 companies that have done so, though some of them, such as Akamai, are certified for a single specialized service -- in this case, the company's content delivery system. Likewise, the AT&T Synapse Cloud is certified by the GSA to delivery storage-as-a-service but not general purpose infrastructure-as-a-service.

A newsletter for federal IT professionals, MeriTalk, reported in May that in 2014, 24 cloud service providers were waiting for FedRAMP approval, and 16 of them are still waiting.

Those certified for IaaS, in addition to the IBM Smart Cloud for Government, Autonomic Resources, Carpathia, and Virtustream include: Microsoft Azure, HP Helion, CGI's Federal Cloud, Clear Government Solutions as host to a federal community cloud, and Lockheed Martin Solutions as a Service.  Several software-as-a-service providers, including Oracle Cloud, HP's Fortify on Demand, and SecureKey's Bridge.net for Connect.Gov. Concurrent Technologies Corp. is also a certified SaaS supplier, but it uses Autonomic Resources as its hosting facility.

Consequently, the list of certified, general purpose, infrastructure-as-a-service providers is limited. To be a little known supplier on it is to be in a valuable position.

Amazon Web Services is not listed as a certified, general purpose IaaS supplier to all agencies. But it has been certified by a third party as a supplier to Health and Human Services, according to the AWS faq page on FedRAMP.

AWS also won a $600 million contract near the end of 2013 from the CIA to build and operate the agency's private cloud.

Charles Babcock is an editor-at-large for InformationWeek and author of Management Strategies for the Cloud Revolution, a McGraw-Hill book. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive ... View Full Bio

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Charlie Babcock
50%
50%
Charlie Babcock,
User Rank: Author
6/1/2015 | 2:31:43 PM
Services still in the JAB pipeline
Some services currently before the GSA's Joint Authorization Board include: ServiceNow's Service Automation Government Cloud Suite; Microsoft's Office 365 SaaS; AT&T's Government Cloud; IBM's SoftLayer Federal Cloud; Firberlink, an IBM company, with its MaaS 360 or Mobility as a Service; Datapipe's Government Solutions. There are also services being authorized separately for individual agencies by third parties. Are the authorizations moving fast enough?
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

News
Becoming a Self-Taught Cybersecurity Pro
Jessica Davis, Senior Editor, Enterprise Apps,  6/9/2021
News
Ancestry's DevOps Strategy to Control Its CI/CD Pipeline
Joao-Pierre S. Ruth, Senior Writer,  6/4/2021
Slideshows
IT Leadership: 10 Ways to Unleash Enterprise Innovation
Lisa Morgan, Freelance Writer,  6/8/2021
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
Planning Your Digital Transformation Roadmap
Download this report to learn about the latest technologies and best practices or ensuring a successful transition from outdated business transformation tactics.
Slideshows
Flash Poll