Advanced Computing in the Age of AI | Thursday, April 25, 2024

Some Cloud Vendors Will Miss FedRAMP Deadline 

A June 5 deadline for federal agencies to comply with government cloud security and other U.S. standards could leave some major cloud vendors on the outside looking in.

That is the scheduled deadline for federal agencies to complete assessments of their cloud providers based on the Federal Risk and Authorization Management Program, or FedRAMP. The program was launched several years ago to create standard, government-wide security requirements for cloud vendors competing for federal contracts.

Cloud security standards have been revised at least four times over the last three years by the National Institute of Standards and Technology (NIST). The changes have further slowed the certification process for prospective vendors.

While most major cloud vendors appear to at least be in the pipeline for gaining FedRAMP approval, the initiative's web site currently lists eight cloud service providers waiting to "begin the FedRAMP authorization process." Among them are AT&T, Dell, and VMware.

Among the cloud vendors who have so far attained FedRAMP approval are Amazon Web Services, Hewlett-Packard, Microsoft, and Oracle.

Each has taken a different route to competing for federal cloud contracts. Amazon, which won a huge contract last year to build a secure cloud for the CIA, recently won DoD approval to provide cloud services to defense agencies.

Vendors can pursue different strategies to win FedRAMP certification. Companies like Amazon, CenturyLink, HP, and Microsoft have opted for certification through a joint authorization board overseen by the General Services Administration (GSA), the government's primary procurement arm. The FedRAMP board includes chief information officers from the GSA, the Department of Homeland Security and the Defense Department.

Other vendors such as Google and Verizon have decided to work with specific agencies to gain security certification.

According to the FedRAMP web site, Oracle appears so far to be the only cloud vendor to receive both joint and agency approval to provide platform-as-a-service and software-as-a-service offerings. Oracle is working with DoD.

For the baker's dozen vendors taking the joint agency route, proposals to bid on government cloud contracts are listed as being in either the "documentation" or "testing" stage.

Among the agencies working with individual cloud vendors are Health and Human Services (Adobe, Salesforce.com, Verizon), Federal Transit Administration (Appian), Transportation Department (Acquia), Justice Department (Avue Technologies), Agriculture Department (BMC Software), GSA (Google), Interior Department (MicroPact) and the Federal Aviation Administration (Proofpoint).

The problem for federal agencies and potential cloud vendors who have yet to jump through all the FedRAMP certification hoops is that they could reportedly receive additional scrutiny from auditors like the Government Accountability Office. Potential vendors who miss the June 5 deadline would also have to meet revised cloud security standards. That could ultimately mean fewer vendors competing for government cloud contracts.

The GSA office overseeing the FedRAMP program said it expects to release updated cloud security guidelines reflecting the latest NIST revisions on June 6.

About the author: George Leopold

George Leopold has written about science and technology for more than 30 years, focusing on electronics and aerospace technology. He previously served as executive editor of Electronic Engineering Times. Leopold is the author of "Calculated Risk: The Supersonic Life and Times of Gus Grissom" (Purdue University Press, 2016).

EnterpriseAI