Small, regional, or start-up cloud service providers might wonder what's a workable strategy for becoming an acquisition target in a crowded marketplace that is dominated by a few giants. They may not know it, but a sure fire way to cashing in is by obtaining the FedRAMP cloud security rating from the US General Services Administration.
While an expensive and time-consuming process, the certification has proven a winner for several cloud firms.
One lesser known provider that did get the FedRAMP certification, Virtustream, was having trouble making headway against the likes of Microsoft Azure, Amazon Web Services, and the Google Cloud Platform. Nevertheless, it was acquired May 26 by EMC for $1.2 billion as a way for the storage product supplier to branch out into full cloud services -- and gain an avenue to offer services to the federal government.
As it happens, Virtustream announced at the end of July that it had been approved by the Department of Interior as a FedRAMP authorized supplier of services.
That move was preceded by CSC's Feb. 25 purchase of Autonomic Resources, another FedRAMP certified provider, for an undisclosed amount.
Data center builder QTS Realty Trust in Reston, Va., bought FedRAMP-certified Carpathia for $326 million. The firm has five data centers that host the VMware vCloud Government Service. That deal was announced May 7.
Those with the certification find themselves suddenly going up in value, even though they may have been previously a small and specialized service provider. The reason being is that only a handful of FedRAMP certifications have been issued.
[Read more about EMC's purchase of Virtustream.]
The Federal Risk Authorization Management Program or FedRAMP was meant to impose a standard security assessment for use by government agencies in evaluating cloud suppliers.
The GSA appointed a Joint Authorization Board to review applicants. It has issued certifications to 14 companies, sometimes for just one of many services that these firms offer.
In Virtustream's case, it was assessed by an outside agency, Coalfire, on behalf of the Department of Interior. Likewise, Salesforce.com was certified a year ago through the Department of Health and Human Services to operate its Government Cloud.
IBM has previously told InformationWeek its SoftLayer cloud data centers in Dallas and Washington were built to meet both FedRAMP and federal FISMA standards. The IBM Smart Cloud for Government is certified by the GSA's Joint Authorization Board.
The FedRAMP evaluation process "sets a rigorous certification and accreditation bar for cloud service providers," said Dave McClure, associate administrator of the GSA's Office of Citizen Services and Innovative Technologies, as the standard was being put into practice in early 2013. It was announced by the Office Management and Budget in 2011 and set a deadline of June 5, 2014, for meeting it.
"We aren't creating perfection, just raising the minimum bar across the industry," McClure said in an interview at the time.
It takes 18 months or longer and a submission of 1,000 pages of technical and legal documentation to win FedRAMP certification. The effort is estimated to cost between $4 and $5 million.
The GSA lists 14 companies that have done so, though some of them, such as Akamai, are certified for a single specialized service -- in this case, the company's content delivery system. Likewise, the AT&T Synapse Cloud is certified by the GSA to delivery storage-as-a-service but not general purpose infrastructure-as-a-service.
A newsletter for federal IT professionals, MeriTalk, reported in May that in 2014, 24 cloud service providers were waiting for FedRAMP approval, and 16 of them are still waiting.
Those certified for IaaS, in addition to the IBM Smart Cloud for Government, Autonomic Resources, Carpathia, and Virtustream include: Microsoft Azure, HP Helion, CGI's Federal Cloud, Clear Government Solutions as host to a federal community cloud, and Lockheed Martin Solutions as a Service. Several software-as-a-service providers, including Oracle Cloud, HP's Fortify on Demand, and SecureKey's Bridge.net for Connect.Gov. Concurrent Technologies Corp. is also a certified SaaS supplier, but it uses Autonomic Resources as its hosting facility.
Consequently, the list of certified, general purpose, infrastructure-as-a-service providers is limited. To be a little known supplier on it is to be in a valuable position.
Amazon Web Services is not listed as a certified, general purpose IaaS supplier to all agencies. But it has been certified by a third party as a supplier to Health and Human Services, according to the AWS faq page on FedRAMP.
AWS also won a $600 million contract near the end of 2013 from the CIA to build and operate the agency's private cloud.