How Will FedRAMP Affect Smaller to Mid-Sized Cloud Solutions Providers?

By Lisa Gecko

With government agencies as critical to national security as the Department of Defense migrating to the private sector for cloud computing solutions, what will this mean for larger cloud service providers (CSPs) that might not be able to comply as quickly as smaller, niche-driven cloud hosting companies? It might mean that some of the bigger players will find themselves out of the loop. CSPs both large and small that drag their feet will miss out on this unprecedented opportunity to work with state and federal agencies. Until recently, lucrative government contracts have, for the most part, remained unavailable for commercial CSPs. With the implementation of the Federal Risk and Authorization Management Program (FedRAMP), the doors will open to all government agencies interested in working with the private sector.

One of the ancillary benefits with FedRAMP could be the increase in cloud adoption by businesses that to date have remained wary of the move. A government-wide standard for contracting IT services from outside providers will most likely alleviate any lingering doubt in the corporate world in regards to cloud computing solutions and security concerns. In that sense, FedRAMP is a win-win for CSPs. FedRAMP is intended to be applicable to all cloud deployment and service models. So Public Clouds, Private Clouds and Hybrid Clouds, as well as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) (as defined by the National Institute of Standards and Technology (NIST)) could be judged by businesses in the private sector by federal standards across the board. This should be exciting news for cloud solutions providers looking for yet another bullet point when broaching the subject of cloud security with potential clients.

Cloud solutions providers should also find the universal standard a benefit in acquiring multiple government agencies as clients. One of FedRAMP’s goals is to eliminate any duplication of compliance effort, thus enabling commercial CSPs to work with a variety of state and federal departments without reapplying for any certifications they have already achieved. This will also spare both providers and agencies unnecessary investment of time and money in the process. Standardization of the contract language is already underway to further assist with the integration of FedRAMP, which should also in turn, provide an easier road for CSPs to work with multiple state and federal agencies.

There are some very interesting opportunities for CSPs with the implementation of FedRAMP, but there is a potential downside for the smaller to mid-sized cloud solutions providers. It is possible that the lion’s share of these government contracts could go to the larger, more established organizations due to something as simple as name recognition. If the big guns are on their game, they each might be able to slice off a sizable portion of the pie, leaving little for even the well-prepared of the rest; and nothing for the stragglers. This is just another reason for smaller to mid-sized CSPs to get a head start on FedRAMP certifications. Even though monopolization is a possibility, the sheer scope and breadth of governmental agencies in the United States makes that likelihood doubtful at best.

Even though FedRAMP may not be necessary to the private sector as a security standard, given the fact that the government concedes that the security provided by commercial CSP’s is equal to or greater than what is currently being provided within most governmental agencies—it may be fundamental in bringing the rest of the business world into the cloud. As long as FedRAMP delivers on promises made, and does not bog down the certification process, the implementation should bode well for all CSPs interested in working with state and federal agencies. If a universal security standard does indeed accelerate the corporate migration to cloud solutions, then the benefits for CSPs are at least two fold.