FedRAMP Deadline Looms For Agencies, Cloud Providers - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Government // Cloud computing
09:15 AM
Wyatt Kash
Wyatt Kash
Connect Directly

FedRAMP Deadline Looms For Agencies, Cloud Providers

Federal agencies have until June 5 to certify their cloud systems. Here's what will happen if they miss the deadline.

Most Wasteful Government IT Projects Of 2013
Most Wasteful Government IT Projects Of 2013
(click image for larger view and for slideshow)

As we reported last week in an in-depth analysis, cloud service providers are queuing up for a rigorous government review process that certifies their service meets a strict baseline of security standards. This certification, known as the Federal Risk and Authorization Management Program, or FedRAMP, is mandatory for any cloud service provider looking to do business with federal agencies.

But the stakes are equally high for the federal agencies. The Office of Management and Budget, which mandated in 2011 that agencies begin using cloud services, has given them until June 5 to show that those services meet federal security standards.

A big question now is what happens if cloud service providers don't get the security certification by the June deadline? And where does that leave agencies trying to migrate slices of their IT operations to the cloud if their preferred provider's services have not yet been approved?

The short answer: "Call us," says Maria Roat, the General Services Administration director who oversees the FedRAMP certification program.  If agencies already are working with certain cloud providers, officials expect there will be some flexibility on the deadline.  

[Here's why Defense Department CIO Teri Takai believes FedRAMP Helps Everyone.]

Whether agencies will find themselves in the hot seat for failing to meet the June deadline, however, is OMB's call, not FedRAMP's, say officials familiar with the situation. OMB didn't immediately respond to requests for comment.

"Agencies may have legitimate reasons, but these requirements have been around for more than two years," says Tom McAndrew, executive VP of Coalfire Federal, which helps cloud service providers get FedRAMP-certified. The details of those requirements were spelled out in a seven-page OMB memo issued by US CIO Steven VanRoekel on Dec. 8, 2011.

US CIO Steven VanRoekel
US CIO Steven VanRoekel

Since then, OMB has been polling agencies every quarter through its PortfolioStat IT investment review program and other reports to determine if they are:

  • meeting the administration's "Cloud First" policy, that requires agencies to use cloud alternatives when available;
  • meeting FedRAMP requirements, demonstrating that a cloud service complies with the government's minimum security standards; or
  • able to justify why they're not meeting federal policies.

"If agencies don't have a robust plan to address cloud and security by now, then there will likely be increased pressure on the agency managers, directors, and CIOs" about their IT investment decisions, says McAndrew. OMB, which controls agency budgets, views FedRAMP's "certify once, use often" approach as an essential tool for reducing redundant costs for security and compliance. 

Time is running out, however, to meet the June deadline.

It typically takes cloud service providers six months to complete the FedRAMP certification process. The agency and cloud provider must first demonstrate that the service meets up to 298 specific security controls. There are no shortcuts, but once a service has been certified, other agencies can adopt it quickly.

Federal CIO Steven VanRoekel tweets about FedRAMP's impact on the cloud computing industry, initially reported by InformationWeek Government and featured on the ABC7 news show 'Government Matters.'
Federal CIO Steven VanRoekel tweets about FedRAMP's impact on the cloud computing industry, initially reported by InformationWeek Government and featured on the ABC7 news show "Government Matters."

Although the FedRAMP process is rigorous and expensive, its comprehensive baseline approach has caught the attention of cloud customers in the private sector.

That comes as good news for VanRoekel, who not only sees cloud computing producing significant IT savings across federal agencies, but also setting a more widely accepted security baseline for the cloud computing industry. As more cloud providers align with FedRAMP security standards, they'll produce more cost-saving cloud services for agencies to choose from.

Find out how a government program is putting cloud computing on the fast track to better security. Also in the Cloud Security issue of InformationWeek Government: Defense CIO Teri Takai on why FedRAMP helps everyone.

Wyatt Kash is a former Editor of InformationWeek Government, and currently VP for Content Strategy at ScoopMedia. He has covered government IT and technology trends since 2004, as Editor-in-Chief of Government Computer News and Defense Systems (owned by The Washington Post ... View Full Bio

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
User Rank: Apprentice
1/31/2014 | 2:20:29 PM
On Target!
Wyatt nailed it with this article.  If we didn't recently do a bug sweep in our conference rooms, I would have suspected that he was listening in to some of our recent conversations! As a leading CSP in the final stages of the FedRAMP process, our large Enterprise accounts are starting to pay attention to the additional security controls that FedRAMP offers.  They are requesting we provide certain capabilities that are beyond PCI, ISO, CSA, and SOC1/2 compliance.  In light of the recent breeches of PCI certified companies, the realization is that increasing certain security controls and implementing the continuous monitoring aspects of FedRAMP are far cheaper than a breech.  Our company is making very significant investments and realizing good success in this area.  FedRAMP sets a high bar... but we believe the bar should be higher in certain areas that we're also addressing.  I'm looking forward to more insight from Wyatt.
User Rank: Author
1/31/2014 | 4:30:53 PM
Re: On Target!
Pete, you rasise an interesting point, now that credit card industry has suffered a sereis of massive breaches, FedRAMP is likely to get even greater attention than it might have a few months ago relative to FedRAMP offers.  PCI, ISO, CSA, and SOC1/2 standards.  Thanks for weighing in.  Good luck with your FedRAMP certification!
David F. Carr
David F. Carr,
User Rank: Author
1/31/2014 | 6:34:48 PM
Which push is biggest?
Are the feds pushing harder to make sure agencies get into the cloud than they are to make sure those cloud services are secure, or vice versa?
User Rank: Author
2/7/2014 | 4:55:00 PM
Re: Which push is biggest?
Interesting question. It's possible for agencies to set up private clouds -- managed data centers within their network domain, where users buy by the drink -- which must be meet Federal Information Security Management Act standards, but which don't necessarily have to get FedRAMP approved.  FedRAMP is largerly aimed at 3rd party cloud service providers who host govt systems on secured, multi-tenant platforms.

I think OMB's ability to control budgets, and hold agency execs accountable for IT investments, allows them to put pressure to agencies to get moving to the cloud to save money. Agency lawyers, that must follow the FISMA law and ensure security are also under pressure to hold the line and keep systems secure.  Who's got the upper hand probably depends agenc by agency.

Why 2021 May Turn Out to be a Great Year for Tech Startups
John Edwards, Technology Journalist & Author,  2/24/2021
How GIS Data Can Help Fix Vaccine Distribution
Jessica Davis, Senior Editor, Enterprise Apps,  2/17/2021
11 Ways DevOps Is Evolving
Lisa Morgan, Freelance Writer,  2/18/2021
White Papers
Register for InformationWeek Newsletters
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you.
Flash Poll