The arrival of FedRAMP — a program meant to standardize the security requirements for selling cloud computer services to the federal government — has received plenty of attention from prospective suppliers.
“It’s not really a traditional play,” acknowledged Paul Strasser, senior vice president and general manager of the federal group at contractor Dynamics Research Corp. “We’re not selling to the government, we’re selling to the [cloud service providers].”
Andover, Mass.-based DRC, which has offices in Arlington, Reston and Columbia, is one of 10 organizations approved by the General Services Administration in May to evaluate cloud service providers as part of the FedRAMP process.
FedRAMP, shorthand for the Federal Risk and Authorization Management Program, is intended to cut down on the redundancy created when multiple federal agencies evaluate the same cloud product, all in hopes of speeding agencies’ adoption of the new technology.
After the third-party assessment, a joint authorization board — which convenes the chief information officers from the Pentagon, the Department of Homeland Security and GSA — also evaluates the applications to see if the companies meet security requirements.
Under the FedRAMP rules, third-party assessment organizations can sell cloud services if they adequately wall off that portion of their business from the evaluation side.
“It’s a specialty realm for someone who has a certain set of skills that GSA requires,” said Shawn P. McCarthy, research director at IDC Government Insights, who compared third-party assessors to building inspectors.
Reston-based Knowledge Consulting Group, also approved as a third-party assessor, has been focusing on cyber and security consulting for all of its 12 years in business, said Maryann Hirsch, the company’s president.
However, the company typically works for government agencies, evaluating programs’ compliance with security and privacy requirements.
In this case, FedRAMP “opens up a new market on the private sector side,” said Paul Nguyen, the company’s vice president of cyber solutions. The company entered the commercial market about two years ago and expects FedRAMP to expand that business.
Fairfax-based SRA International is hoping to serve as both an assessor — it is one of the accredited third parties — and a cloud service integrator.
Majed Saadi, SRA’s practice leader for cloud computing, said the company’s focus is on accelerating cloud adoption.
“Whether we’re working as a FedRAMP assessor or a cloud systems integrator, getting the momentum of cloud computing going in the federal government is something that we see as ... essential,” he said. “[In] the long run, we believe that this is going to help us maintain our leadership in the market.”
Still, company spokesman Mark Hein said it remains to be seen how much work the company will get from FedRAMP.