The changes have made a splash in government information technology circles, but there remains in industry a surprising level of confusion and misinformation about FedRAMP. Here are a few of the most common misconceptions:
Myth: FedRAMP is a federal effort to buy cloud services.
Truth: FedRAMP is simply an attempt to standardize system requirements and assessments to create a single set of security standards for all federal cloud services. Passing a FedRAMP review means a company meets that baseline — not that it’s won any business. But agencies won’t buy from a company that hasn’t passed.
What FedRAMP may do is streamline the procurement process and accelerate the deployment of cloud services.
Myth: Companies can either participate as FedRAMP auditors or sell cloud services to the government; they can’t do both.
Truth: The FedRAMP office originally said a company could not do both, but later clarified that if a company can sufficiently separate two of its organizations, one can act as an assessor while the other markets cloud services.
To do both, companies must maintain a firewall between those two business units, and the auditor unit certainly can’t review the cloud services unit.
Myth: FedRAMP won’t be a barrier to small business.
Truth: Assessment fees are reported to range from $20,000 to $200,000, depending on the complexity of the cloud system. FedRAMP allows a federal agency to cover the assessment bill, but tight budgets mean many may be unwilling. The steep costs may mean small businesses must pay for their own audit — even though it provides no promise of federal business — or forgo it and be out of the running for some cloud contracts.
Still, small businesses that do not pursue FedRAMP may find government cloud work through private cloud deployments exempt from FedRAMP compliance, or by providing services that help government agencies find the best cloud option.
Myth: Cloud service providers will not need to meet continuous monitoring requirements.
Truth: Cloud service providers must have internal, real-time monitoring. Reporting will be conducted manually at first — on a quarterly, annual or biannual basis — but the requirements are expected to eventually call for automated real-time reporting.
The General Services Administration and the Department of Homeland Security appear likely to release more guidance on continuous monitoring.
Myth: FedRAMP is mandatory, so agency buy-in is guaranteed.
Truth: Participation in FedRAMP is mandatory, but the federal agency response remains uncertain. Establishing these standards meant departing from highly customized agency requirements, and there is nothing to prevent an agency from seeking an exemption for a deployment or enacting its own stricter requirements.
Still, there are hopeful signs pointing to widespread agency support. Some buyers, including NASA and the Federal Aviation Administration, referenced FedRAMP in contract solicitations even before the official launch of the program.
Myth: The June start date included an announcement of approved service providers.
Truth: The process of naming assessors was delayed, and FedRAMP officials now indicate the initial authorizations may be issued to as few as three providers. Even those certification announcements aren’t anticipated until later in the year.
Myth: If a provider meets the current FedRAMP requirements, they’re all set.
Truth: Service providers will need to closely watch updates to security controls and reporting requirements. For example, an update to one document that guided FedRAMP’s approach to security controls is expected in July. And there may be other changes, including more information on reporting and record maintenance.
Kyra Kozemchak is a senior analyst for federal industry analysis at Herndon-based Deltek, which conducts research on the government contracting market and can be found at www.deltek.com.