Is FedRAMP a barrier to entry for cloud service providers?
- By Cristina Gillaspie
The Federal Risk and Authorization Management Program bills itself as a “government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.”
For companies in the “cloud business,” the service must be FedRAMP compliant before it can be sold to the federal government. Compliance means the cloud offering has successfully undergone this standardized security assessment, a common IT practice when dealing with a federal agency.
There are three main participants in the FedRAMP process: the government agencies, the cloud service providers (CSPs) and the third-party assessment organizations (3PAOs). The government agencies are responsible for selecting a cloud service, leveraging the FedRAMP process and requiring CSPs to meet FedRAMP requirements. The CSPs must meet FedRAMP requirements before they can sell their cloud services to the federal government. 3PAOs are specially qualified organizations that perform initial and periodic assessments of CSP systems per FedRAMP requirements, provide evidence of compliance and help ensure CSPs meet the requirements.
To be an authorized CSP, a vendor would work with a 3PAO to ensure that the FedRAMP processes have been followed and that it has successfully passed accreditation. According to a recent Coalfire report, Securing Your Cloud Solution, the cost of this initial preparation and assessment can range from $350,000 to $865,000 and takes an average of six months.
However, each agency within the federal government has the ability to add additional security requirements to a CSP because ultimately it is the agency that grants the authority to operate or connect to their networks. So a CSP that gets a FedRAMP authorization for its cloud offering may discover that it just cleared the first hurdle.
For example, if a CSP wants to sell its cloud offering to the Navy, the CSP not only has to have a FedRAMP authorized offering at the appropriate data categorization (i.e., complying with the Federal Information Security Management Act at the moderate or high level), it must also have a Defense Information Systems Agency provisional authorization combined with an authorization from the Navy authorizing official. FedRAMP and DISA have been working to reduce the time it takes vendors to get through this process by allowing FedRAMP moderate authorizations to automatically become DISA provisional authorizations (public) and by allowing FedRAMP high authorizations to achieve DISA provisional authorization (sensitive).
CSPs interested in selling to the federal government should know the cybersecurity concerns of the agency they want to support. Some big ones include:
Security of data center staff. A technical reality for many CSP offerings is that the cloud consists of data centers staffed by people, and the CSP must demonstrate that those persons with access to the cloud are U.S. citizens who have been cleared to handle the data.
Geographic location of data. Though it is “in the cloud,” the data is housed somewhere geographically. If a government agency is the consumer, it may require its data be stored on U.S. soil.
Ownership of data. CSPs must state and establish that the government owns the data that is placed in the CSP’s cloud.
Identity management. The CSP must demonstrate that it can identify and authenticate the people who access its cloud. It is even better if that identification and authentication is tied to a government-issued personal identity verification (PIV) card.
Vulnerability scanning. FedRAMP requires authorized CSPs to perform high-quality vulnerability scans of their cloud service systems at least monthly.
CSPs that are not prepared to deal with government constraints around cybersecurity and acquisition will face huge barriers to entry in the federal market space. Many CSPs will not do business with the federal government because this process is challenging. Also, it is not unusual for CSPs to change how they offer their service in order to meet FedRAMP or other government security requirements.
So is FedRAMP a barrier to entry? The answer is no, but it is a hurdle. For CSPs and the government alike, security compliance is a hurdle that must be cleared before a successful implementation. Once a CSP meets FedRAMP requirements, it may face other issues, ranging from acquisition of the cloud offering to additional security requirements that come into play from other government agencies. This is a symptom of government agencies struggling with reciprocity with FedRAMP, not a problem with the FedRAMP process itself.
Cristina Gillaspie is an IT consultant who helps innovative organizations develop cloud solutions.