FedRAMP certification eases government customers into the cloud

Although smaller government agencies are shying away from the cloud, FedRAMP certification for cloud providers may sway more government customers.

Cloud computing has always been a tough sell with both federal and local government agencies. Plagued by regulatory compliance requirements and high-stakes security concerns, these customers loathe moving sensitive data into a cloud provider's data center, where compute and storage resources are typically shared among customers.

Until recently, government agencies that sought cloud services had to shop around for a cloud provider that could live up to their strict, sometimes unique requirements -- with few guarantees from a provider, other than its word, that a particular cloud offering would best meet their needs.

Smaller, local government agencies have been the most skittish about adopting cloud due to ongoing security fears, lack of experience and cost concerns, according to recent research from Alexandria, Va.-based IDC Research. This sector is the least enthusiastic about the cloud, despite gains that a cloud environment could offer, noted Shawn McCarthy, research director of IDC Government Insights.

To mitigate cloud compliance concerns, the U.S. government recently introduced a certification program -- the Federal Risk and Authorization Management Program (FedRAMP) -- aimed at standardizing and improving the security and transparency requirements for government cloud adoption. To achieve the FedRAMP certification, cloud providers must undergo a series of rigorous assessments by accredited FedRAMP third-party assessment organizations (3PAOs).

FedRAMP certification easing cloud compliance woes

Smaller government agencies don't want to go it alone when it comes to the cloud. While this sector has cost and experience concerns, security doesn't need to be another, McCarthy said.

Although no cloud providers have become FedRAMP-certified yet, some 3PAOs expect several cloud providers to gain FedRAMP certification by the end of the year. Their potential short list includes the likes of Microsoft Corp., CenturyLink Inc. and Terremark Worldwide Inc.

While most modern data centers can support cloud computing, FedRAMP requires that specific physical, environmental and contingency-planning security controls be in place, said David Svec, co-principal and co-founder of Veris Group LLC, a cybersecurity consultancy and accredited FedRAMP 3PAO in Vienna, Va.

Savvis -- the managed hosting, colocation and cloud services arm of CenturyLink -- is currently working through the FedRAMP certification process.

Savvis offers a portfolio of managed security services, including network perimeter protection and intrusion detection, as well as traffic and integrity monitoring.

"Government customers can't cut corners -- they need a very robust set of protection services around their data," said David Shacochis, vice president of cloud platforms for Savvis.

While cloud providers, such as Savvis, can be deemed Federal Information Security Management Act (FISMA) compliant, FedRAMP will finally offer a way for cloud providers to present government customers with a "Good Housekeeping seal of approval," Shacochis said.

Will FedRAMP and cost reduction attract government customers?

Cloud providers have an opportunity with FedRAMP to gain more government customers and not just large federal agencies. They may even stand to gain more by working with each other on FedRAMP, according to Tom McAndrew, executive vice president of professional services for Coalfire, an independent IT governance, risk and compliance consultancy and accredited FedRAMP 3PAO based in Louisville, Colo.

"Instead of having different cloud providers build 30 unique cloud offerings for [government agencies], you start seeing providers share [FedRAMP] approaches and policies," McAndrew noted.

Any cloud providers looking to take on government customers must implement a cloud architecture that incorporates layered security, data encryption and multi-factor authentication capabilities, Svec added.

Cloud provider participation in the FedRAMP certification program could jump-start adoption among local government agencies, as the program can expedite their procurement processes and instill more confidence in a provider's offerings, according to McAndrew.

"Once you have a cloud that's deemed good for the federal government and safe enough to store health records and financial data, like Social Security information, it will be a fine option for smaller, local government sectors," McAndrew said.

In addition to joining the FedRAMP program, cloud providers can also make their offerings more government-friendly by addressing cost concerns.

Government agencies -- both local and federal -- spend $81 billion annually on IT, McAndrew said, noting that cloud services could potentially cut those costs considerably. This will ultimately drive the market forward, IDC's McCarthy added.

"Price point is going to make the argument, like if the government sector can get their email cheaper in a cloud environment," McCarthy said. "If cloud providers are prepared to say, 'This is the price we can promise you,' it will get these customers to think about it."

Let us know what you think about the story; email: Gina Narcisi, News Writer and follow @GeeNarcisi on Twitter.

Join the conversation



I don't think this will drive as suggested by the author. If you actually have the provider meet security standards and maintain them - you still have no physical control over your system, but it will drive costs up. Probably to where owning your own iron is very competitive - and really, that is the only advantage the cloud brings to the table.

I agree it's not for everybody, yet the data set is the property of the tenant or customer; the provider does not deal with the data set yet provides the infrastructure support to secure it. If you want physical control, then get an IaaS-based solution. The problem typically is that delineation between what the provider provides and what the tenant needs to address; with FEDRAMP that security gap would be substantially less.