Government Contracts Legal Forum

FedRAMP Issues First Provisional Certification to Cloud Contractor

Both Kate Molony and Gordon Griffin contributed to this post. 

Just before the closing bell for 2012, the federal government gave its first approval for government-wide security authorization to a cloud service provider.  On December 26, the General Services Administration (GSA) certified its first cloud service provider under the Federal Risk and Authorization Management Program, more commonly known as FedRAMP.  The GSA expects last month's authorization to pave the way for more in early 2013, with some anticipating as many as 10 to 15 authorizations over the course of the year.

In an effort to better implement the government's "Cloud First" policy, the GSA collaborated with private industry and other executive agencies, including NIST, DHS, and DOD, to standardize security requirements for federal cloud contractors. The program began in June 2012, and certification under the FedRAMP standards will become mandatory by the same month in 2014.

North Carolina-based Autonomic Resources is the first cloud service provider to check all of FedRAMP's boxes, but its journey to complete federal endorsement is not over. Cloud service providers seeking FedRAMP approval must undergo a four-step application process. Either a contractor or an agency may initiate a FedRAMP review. Contractors must then retain a "third party assessor" (3PAO) to perform an independent assessment of whether the contractor's security systems comply with Federal Information Security Management Act (FISMA) and NIST standards. With a 3PAO's security assessment package in hand, the contractor may then apply for provisional authorization from FedRAMP's Joint Authorization Board (JAB), composed of the Chief Information Officers (CIOs) from the DOD, DHS, and GSA. This is the certification that FedRAMP has granted Autonomic Resources, but the key word is "provisional." The JAB "authorization to operate" (ATO) is but an initial endorsement of the contractor's security controls and their acceptable risk. Specific agencies are then to leverage this threshold approval to streamline their more tailored ATOs. Although not formally a part of the application process, it is worth noting that, even after agency approval, the contractor must provide FedRAMP with continuous monitoring reports and various updates.

As the former federal CIO stated, the idea behind the FedRAMP process is "approve once, use often." This practice seeks to maximize transparency between cloud contractors and the federal agencies, while minimizing duplicative efforts. The GSA expects the result to be a universal and trustworthy security authorization process that consumes less time and fewer taxpayer dollars. Current GSA estimates predict that, with the help of the FedRAMP system, agencies will save approximately $200,000 per authorization. Until the GSA ushers more prospective cloud contractors through the FedRAMP process, however, federal agencies will have to wait for such savings. In the meantime, though, nothing prevents agencies from relying on FedRAMP guidelines to independently scrutinize the security of their contractors.

For more information about federal cloud computing and acquisitions, see
