From: GovWin/Deltek
by Kyra Kozemchak
It’s been a year since the memo was released establishing the Federal Risk and Authorization Management Program (FedRAMP). Despite some snags, Initial Operating Capabilities launched in June. According to plans, Full Operating Capabilities are supposed to begin in the next few months (second quarter of fiscal 2013). So how is progress going?
Over the past year, the FedRAMP program office has released security control documents, the program concept of operations, completed accreditation for third party assessors, launched the initial operating phase and engaged with government and industry through a host of live and virtual events. As of mid-December, some 16 organizations have been approved to function as Third Party Assessment Organizations (3PAOs).
The program espouses a crawl-walk-run philosophy, based on the idea that the process will become more efficient with repetition. According to GSA’s Kathy Conrad, assessment and authorization of a traditional, non-cloud federal IT system at the moderate level takes five to nine months. Similarly, the FedRAMP program office predicted that the assessment process could take as long as nine months. Though, obviously, time and cost would vary along with the size and complexity of the CSP’s architecture. Back in October, Conrad suggested that the first provisional authorizations would be expected in December 2012. (As of December 20, no such authorizations have been granted and time is running short.)
Initial Operating Capabilities phase was to include provisional authorization of cloud service providers and establish performance baselines. These initial authorizations for CSPs were supposed to be issued sometime between FY2012 and the second quarter of FY 2013. But the first run through the process is taking longer than plans anticipated.
While the assessment and authorization process has been plodding along, the federal contracting environment continues to change. The threat of sequestration is encouraging agencies to do some soul searching to prioritize spending, to look for additional opportunities to increase efficiency and take a hard look at what they can do without. Initiatives to establish strategic sourcing government-wide are beginning to take shape. And in the background, agency investments in cloud computing have slowed.
Perhaps agencies have been holding off on cloud computing pursuits until service providers receive FedRAMP authorization. Perhaps agencies are reassessing the business case and strategy for adopting cloud computing, in light of the changing challenges they face and having made progress with the migrations associated with the 25 Point Plan. These considerations add to the interest and uncertainty of what will happen once authorizations are issued and the program rolls toward full operating capabilities. The proposed potential cost savings to government through reuse could be a carrot for agencies, but it will take longer for the costs and benefit to cloud vendors to be clear.
Leave a Reply