Forget tuning in for the Indianapolis 500 this weekend. All eyes trained on the Great FedRAMP CSP Acquisition 500 right now. Smaller companies that pioneered the FedRAMP approval process are selling quicker than Express Lane traffic on the Beltway. EMC’s eating VirtuStream. CSC acquired Autonomic Resources. QTS quaffed Carpathia. And, we’ve only in the first lap. We’re going to see a lot more of the FedRAMP frontrunners lapped up as the IT industry giants realize they need FedRAMP – but flinch from the traffic, complexity, and cost of the certification process. What’s the future of Clear Government, CTC, EconSys, SecureKey, Vazata, and more?
Running Into Traffic
The Cloud Computing Caucus Advisory Group annual report, Don’t Be a Boxhugger tells us, as of May 2015, just 35 products were certified as FedRAMP compliant, with another 40 at one stage or another in the review process, and many, many more waiting to engage in certification. According to CSPs, the average cost to complete FedRAMP certification is between $4 million and $5 million. It takes around 18 months to get through the process. In April 2014, 24 CSPs were awaiting certification. One year later, 16 of those same CSPs were still in the pipeline awaiting approval according to the FedRAMP OnRAMP. Each FedRAMP certification submission typically entail 1,000 pages of technical and legal documentation. It’s the importance of the certification to Federal agency buyers and the complexity of the process that’s fueling the FedRAMP CSP buying race.
As more of the bigs jump into FedRAMP, it’s going to change the feel of FedRAMP. Today, it’s a cottage industry, that trades on relationships. Companies in the pipeline are more concerned about managing relationships with the FedRAMP PMO – so they can cash in on their certifications. Many of those companies are less concerned about how FedRAMP works as an operating model, the costs associated with maintaining their ATOs, and broader government-wide adoption rates. Too many that have made it through the process see the program’s complexity as an effective barrier to entry that wards off competition on the track.
Oil on the Track?
A host of questions hang over scalability of the FedRAMP process – how can the program office manage the deluge of new CSPs that want to get through the process? We understand that the FedRAMP PMO currently spends as much time and money maintaining ATOs for the handful of CSPs already through the process – which means the program cannot scale.
Further, word is CSPs are running into challenges with the alternative agency route to FedRAMP certifications – as those agencies are bristling at the cost associated with managing those certifications. How can the FedRAMP PMO manage the volume without adequate funding? If there aren’t enough cloud options, how’s the government supposed to move to the cloud? The requirement to move to FedRAMP Rev 4 raises additional questions for industry and government alike.
FedRAMP Fast Forward
Industry wants a front seat in FedRAMP. That’s why MeriTalk, working collaboratively with the FedRAMP PMO at GSA, is hosting a new industry working group. FedRAMP Fast Forward provides a venue to support, inform, and accelerate FedRAMP and broader cloud adoption across government. The group’s structured in three workstreams:
1. Technical Standards and Process
2. Rules, Policy, Interagency Collaboration, and Communications
3. Training, Education, and Transparency
Interested in learning more? Download the working notes from the kick-off meeting or drop a line firstname.lastname@example.org. The group will host a breakfast meeting at the MeriTalk Cloud Computing Brainstorm on June 17th.
And speaking of traffic, the Brainstorm features a morning keynote by Tony Scott, NIST Cloud Cyber Security Working Group session. Cloud Computing Caucus Advisory Group panel, as well as theFedRAMP Fast Forward session – so it’s going to be bumper to bumper at the Brainstorm.