FedRAMP: A challenging path to operational excellence for cloud providers

“The Federal Risk and Authorization Management Program, or FedRAMP, is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.”—FedRAMP website

That sounds positive, but getting approved for the FedRAMP certification is far tougher than most cloud providers anticipated. In fact, few organizations are truly capable of making it through the process. As shared by an article in GCN:

“Of more than 80 cloud providers who have applied to go through the FedRAMP certification, more than half are not yet ready to go through the process, according to Kathy Conrad, principal deputy associate administrator with the General Services Administration’s Office of Citizen Services and Innovative Technologies.”

Further, Conrad reported that the government intentionally made the program “rigorous and does not plan to make it any easier.”

In other words, any organization that is capable of obtaining FedRAMP certification has a pretty shiny competitive advantage over other cloud providers. It’s the federal government’s stamp of approval.

So, which organizations are genuinely capable of making it through the FedRAMP certification process?

One reliable measure is how highly an organization rates against the Capability Maturity Model Integration (CMMI) framework. CMMI is a process improvement program that guides businesses into organizational and operational maturity. It is broken up into five levels:

  • Level 1: Initial — At this stage, processes are not defined and are reactive.
  • Level 2: Managed — Some processes are defined, but the business is still in a state of reactive mode.
  • Level 3: Defined — The business starts to move into a state of proactivity, with clearly defined processes and procedures.
  • Level 4: Quantitatively Managed — Not only are the processes well-defined, but they are measured for quality and efficiency.
  • Level 5: Optimizing — Mature businesses maintain clear real-time visibility into how their processes are performing and optimize them accordingly.

Our estimation is that companies need to be at Level 4 and well into Level 5 to have a realistic chance of successfully navigating the FedRAMP certification process.

The reality is that FedRAMP will separate the high-level providers from the commodity providers. If you want to compete for any government agency cloud hosting contracts, then the rigorous, costly and tedious process is mandatory.


This article was originally featured on Network World.

Rich Banta

Managing Member at Lifeline Data Centers

Rich is responsible for Compliance and Certifications, Data Center Operations, Information Technology, and Client Concierge Services. Rich has an extensive background in server and network management, large scale wide-area networks, storage, business continuity, and monitoring. Rich is a former CTO of a major health care system. Rich is hands-on every day in the data centers. He also holds many certifications, including:

  • CISA – Certified Information Systems Auditor
  • CRISC – Certified in Risk & Information Systems Management
  • CDCE – Certified Data Center Expert
  • CDCDP – Certified Data Center Design Professional
Rich is responsible for Compliance and Certifications, Data Center Operations, Information Technology, and Client Concierge Services. Rich has an extensive background in server and network management, large scale wide-area networks, storage, business continuity, and monitoring. Rich is a former CTO of a major health care system. Rich is hands-on every day in the data centers. He also holds many certifications, including: CISA – Certified Information Systems Auditor CRISC – Certified in Risk & Information Systems Management CDCE – Certified Data Center Expert CDCDP – Certified Data Center Design Professional