Michael Binko has been in this position before, vying for a stamp of approval that would help his small cloud services firm compete with big players in the market.
But this time around, his target is government certification, and that may make this a far slower and more challenging venture.
“We have been through this before with financial services and health care, so we know the value of these certifications and we’re champing at the bit because we know we’ll pass,” Binko, chief executive of kloudtrack, said of the government’s new Federal Risk and Authorization Management Program (FedRAMP). “But there’s a real risk that demand is going to overwhelm the process, and small providers like us might have a difficult time getting through.”
Rolled out earlier this month, FedRAMP sets a common standard for providing cloud services to the federal government. The General Services Administration announced the program last year as part of a broad initiative to simplify the IT services procurement process and ensure that those trusted with transmitting and storing government data meet key security standards.
The certification process requires three core components: an Authorization to Operate (ATO) granted by a federal agency, an audit conducted by a government-approved Third Party Assessment Organization (3PAO) and a final review by a Joint Authorization Board (JAB), which is composed of the chief information officers from the GSA, Defense Department and Department of Homeland Security.
Binko, whose Rockville-based firm provides cloud computing software to clients in fields such as health care and banking, applauded the concept, suggesting that FedRAMP should eventually “separate the chaff from the wheat” in the cloud services industry.
But that’s only if companies are given the chance to prove their mettle to a review board, and he’s worried that could be a long time coming for small firms like kloudtrack.
The problem is that hundreds of cloud service providers are expected to seek FedRAMP approval, but only those three agency officials are authorized to carry out the final review. Moreover, the government has thus far approved only nine 3PAOs to conduct all the initial audits, which include more than a hundred data security checks. Industry officials expect the audits alone to take as long as several months to complete.
Consequently, the parties designated to shepherd applicants through the process are likely to face overwhelming demand, according to Michael Hettinger, director of the public sector innovation division of the Software & Information Industry Association. He noted that GSA officials estimate that only three firms will make it through the FedRAMP process by the end of the year.
So who comes out on top in such a fiercely competitive scenario? Probably not small businesses, Hettinger said. Binko, who employs eight people, expressed the same concern.
“The traditional players and big system integrators are going to be able to fund vast amounts of their products through FedRAMP, and many of them have long histories working with the federal government and are going to have an easier time securing an ATO,” Binko said, pointing out that his company has only recently branched into the government services market. “Our past performance is nominal, so from that perspective, we are almost locked out right from the beginning.”
Even if small firms can secure an ATO, the high anticipated costs of the auditing process could force many of them to shy away from FedRAMP. The software industry association recently released a report suggesting that the barrier for small IT businesses remains too high, largely because of the time and resources required to run the FedRAMP gantlet.
“It’s pretty easy for the big guys to eat that cost, but once again, we will have to go to our board and convince them that we need to do this, without any guarantees of resulting short-term revenue,” Binko said.
The government is expected to announce more 3PAOs in the coming months, which should ease some of the backlog. But Hettinger said further changes are needed at the federal level to help small IT providers compete in the procurement arena, starting with a shift away from large, multifaceted contracts (for which only large corporations can compete) in favor of smaller offerings that bring small, specialized firms into the fray.
Binko also suggested the federal government follow in the path of several states that offer publicly supported venture funds catering to young, innovative companies.
“The government is investing in the future and innovation, and FedRAMP is just one way they can make sure they are meeting baselines of security and performance,” he said. “But it should also be a metric for innovation.”