Sep 17 2014

Agencies Demand FedRAMP-Approved Cloud Services

See what NASA, the Army and the Commerce Department are requiring from their cloud vendors.

The Federal Risk and Authorization Management Program has redefined how commercial cloud vendors do business with the government. In many ways, the program has set clear expectations for both agencies and companies by creating a common language and standards for securing cloud-based products and services.

Federal cloud computing has grown into a $3 billion market since the pre-FedRAMP era, when agencies didn’t have a mechanism for certifying if vendors could meet security requirements.

Agencies have come a long way since then, and it shows in their solicitations for cloud services. Requests for FedRAMP-approved cloud services have become common.

In a recent statement of work for Email as a Service, the Commerce inspector general described requirements for moving 350 email accounts from a Microsoft Exchange 2010 platform to a cloud environment. The document noted that the IG plans to procure a “FedRAMP-approved cloud e-mail and migration services for Government Community Cloud to support OIG’s mission.” The winning contractor will be required to submit FedRAMP documentation upon receiving the contract award.

NASA's statement of work for its next-generation land mobile radio requires contractors to confirm that their hosting facility is FedRAMP-certified.

An Army solicitation for an in-car video recording system had similar requirements. Specifically, the Army asked for a software solution that allows laptops in law enforcement vehicles to use peripheral devices for recording video, audio and other data. Any cloud storage used to host the data must have a provisional authority to operate, or ATO, from the FedRAMP joint authorization board, or JAB.

In other words, CIOs at the General Services Administration and Defense and Homeland Security departments, who sit on the board, have agreed that those services meet federal security standards. Their approval makes JAB reviews an ideal route for agencies and companies. When it comes to security, the board is less likely to accept risks on behalf of the federal government.

But FedRAMP program officials discourage agencies from requiring that only the JAB approve cloud services and products. Doing so would further strain the board to get services approved for government use. The process takes about nine months, and that doesn’t include the preparation before a review kicks off.

So far, a dozen cloud services have obtained provisional ATOs from the JAB, and 19 cloud services are awaiting approval. Five services have received FedRAMP agency authorization, and 15 are undergoing the agency authorization process, according to the FedRAMP office.

To learn more about how cloud computing solutions can help your organization get ahead, visit


aaa 1