Choosing the Right FedRAMP Provider

Strategic Solutions Series

By Erik Linask, Group Editorial Director  |  May 18, 2016

Much as it has become a staple in commercial endeavors, cloud computing has found firm footing within the federal government, helping drive operational efficiencies and reducing costs. In fact, federal agencies are required to leverage cloud computing to improve flexibility, increase responsiveness, and reduce costs – and to justify the use of a non-cloud provider. In his 2011 memo to government CIOs, then United States CIO Steven VanRoekel stated:

“Cloud computing offers a unique opportunity for the Federal Government to take advantage of cutting edge information technologies to dramatically reduce procurement and operating costs and greatly increase the efficiency and effectiveness of services provided to its citizens. Consistent with the President’s International Strategy for Cyberspace and Cloud First policy, the adoption and use of information systems operated by cloud service providers (cloud services) by the Federal Government depends on security, interoperability, portability, reliability, and resiliency.”

As far as the cloud computing industry has come, and as routinely as security and compliance now appear as mere checkboxes on commercial must-have lists, government entities, regardless of function, cannot afford to take such risks: they must be certain they use only properly vetted cloud providers. Facilitating that vetting is what the Federal Risk and Authorization Management Program (FedRAMP) was designed to do.

FedRAMP is the government-wide program that, in collaboration with NIST, GSA, DOD, DHS, NSA and other organizations, defines the security requirements a cloud service provider (CSP) must meet in order to be authorized for government use. (Strictly speaking, FedRAMP grants authorizations rather than certifications, but the two terms are used interchangeably in practice and in this article.) Following FIPS 199, FedRAMP defines three impact levels for the systems it authorizes: Low, Moderate and High. The level is determined by the harm a loss of confidentiality, integrity or availability of the data would cause, not by how likely a compromise is.

  • Low Impact Level covers systems where a loss of confidentiality, integrity or availability would have only a limited adverse effect on operations, assets or individuals; typically public-facing or otherwise non-sensitive, unclassified information.
  • Moderate Impact Level covers systems where a loss would have a serious adverse effect, which includes most systems handling sensitive but unclassified data such as personally identifiable information. Most FedRAMP authorizations are at this level.
  • High Impact Level covers systems where a loss would have a severe or catastrophic adverse effect, up to and including loss of life, and is reserved for the government's most sensitive unclassified data (law enforcement, emergency services, health and financial systems, for example). Classified information is outside FedRAMP's scope entirely.

It’s important to note that the FedRAMP framework doesn’t reinvent the wheel. FISMA already requires every federal information system, cloud or not, to be secured and authorized against the NIST SP 800-53 control baselines. FedRAMP takes those same baselines, adds cloud-specific controls and parameter values, and standardizes the assessment (performed by accredited third-party assessment organizations, or 3PAOs) so that a single authorization of a cloud provider can be reused across agencies rather than repeated by each one.

That said, while the requirements may not be new, the process is time-consuming and costly. The one- to four-year timeframe and $2-7 million cost are the chief reason there are currently only some three dozen FedRAMP-authorized cloud providers. Most CSPs don’t have the time or resources to dedicate to the process, especially without a guaranteed return on that investment.

However, once authorized, the benefit can quickly become evident, as the mandate to use cloud is driving government agencies to seek out authorized providers that can meet their needs. The majority of FedRAMP providers are IaaS vendors, with only a few PaaS providers in the mix.

The imbalance is largely a result of a lack of understanding, as the enterprise market has perpetuated the misconception that PaaS is rigid and inflexible. The truth is that, while some entities have the resources to deploy and manage their own operating systems on top of leased infrastructure, the ability to develop and deliver applications on top of a managed framework can be more of a benefit than many entities, government or commercial, realize. The service element is a major differentiator for PaaS providers: because they manage the operating systems, they have much greater visibility and access when troubleshooting issues, which often leads to speedier resolution and, in many cases, prevents issues from happening at all. In addition, PaaS can be an effective cost-control mechanism, as users aren’t provisioning servers that are eventually forgotten but still incur a cost (and, left unpatched, still present an attack surface).

In addition to being one of the few FedRAMP-authorized PaaS providers, BlackMesh further differentiates itself through its service element; it sees itself as a managed services provider that includes the infrastructure as a bonus. BlackMesh’s SecureCloud FedRAMP Moderate PaaS provides the same platform offerings that many customers might deploy on their own, but reduces costs on the services side by managing the infrastructure and allowing users to focus on their operational tasks. Inherently, there is less waste from unused cloud resources.

BlackMesh has been hosting platforms for the Department of Energy for several years and, in fact, DOE sponsored its FedRAMP authorization (an agency-sponsored ATO) because it understood the value of the PaaS alternative and needed a FedRAMP-authorized vendor.

For more information, contact BlackMesh at 888-473-0854 or [email protected].

Edited by Stefania Viscusi