“The Federal Risk and Authorization Management Program, or FedRAMP, is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.”—FedRAMP website
That sounds positive, but getting approved for the FedRAMP certification is far tougher than most cloud providers anticipated. In fact, few organizations are truly capable of making it through the process. As shared by an article in GCN:
“Of more than 80 cloud providers who have applied to go through the FedRAMP certification, more than half are not yet ready to go through the process, according to Kathy Conrad, principal deputy associate administrator with the General Services Administration’s Office of Citizen Services and Innovative Technologies.”
Further, Conrad reported that the government intentionally made the program “rigorous and does not plan to make it any easier.”
In other words, any organization that is capable of obtaining FedRAMP certification has a pretty shiny competitive advantage over other cloud providers. It’s the federal government’s stamp of approval.
So, which organizations are genuinely capable of making it through the FedRAMP certification process?
One reliable measure is how highly an organization rates against the Capability Maturity Model Integration (CMMI) framework. CMMI is a process improvement program that guides businesses into organizational and operational maturity. It is broken up into five levels:
- Level 1: Initial — At this stage, processes are not defined and are reactive.
- Level 2: Managed — Some processes are defined, but the business is still in reactive mode.
- Level 3: Defined — The business starts to move into a state of proactivity, with clearly defined processes and procedures.
- Level 4: Quantitatively Managed — Not only are the processes well-defined, but they are measured for quality and efficiency.
- Level 5: Optimizing — Mature businesses maintain clear real-time visibility into how their processes are performing and optimize them accordingly.
Our estimation is that companies need to be at Level 4 and well into Level 5 to have a realistic chance of successfully navigating the FedRAMP certification process.
The reality is that FedRAMP will separate the high-level providers from the commodity providers. If you want to compete for any government agency cloud hosting contracts, then the rigorous, costly and tedious process is mandatory.
This article was originally featured on Network World.