FedRAMP: A challenging path to operational excellence for cloud providers

FedRAMP certification is a must to win any government cloud hosting contract, but it is far tougher to achieve than most cloud providers anticipated

“The Federal Risk and Authorization Management Program, or FedRAMP, is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.”—FedRAMP website

That sounds positive, but getting approved for the FedRAMP certification is far tougher than most cloud providers anticipated. In fact, few organizations are truly capable of making it through the process. As shared by an article in GCN:

“Of more than 80 cloud providers who have applied to go through the FedRAMP certification, more than half are not yet ready to go through the process, according to Kathy Conrad, principal deputy associate administrator with the General Services Administration’s Office of Citizen Services and Innovative Technologies.”

Further, Conrad reported that the government intentionally made the program “rigorous and does not plan to make it any easier.”

In other words, any organization that is capable of obtaining FedRAMP certification has a pretty shiny competitive advantage over other cloud providers. It’s the federal government’s stamp of approval.

So, which organizations are genuinely capable of making it through the FedRAMP certification process?

One reliable measure is how highly an organization rates against the Capability Maturity Model Integration (CMMI) framework. CMMI is a process improvement program that guides businesses into organizational and operational maturity. It is broken up into five levels:

  • Level 1: Initial — At this stage, processes are not defined and are reactive.
  • Level 2: Managed — Some processes are defined, but the business is still in reactive mode.
  • Level 3: Defined — The business starts to move into a state of proactivity, with clearly defined processes and procedures.
  • Level 4: Quantitatively Managed — Not only are the processes well-defined, but they are measured for quality and efficiency.
  • Level 5: Optimizing — Mature businesses maintain clear real-time visibility into how their processes are performing and optimize them accordingly.

Our estimation is that companies need to be at Level 4 and well into Level 5 to have a realistic chance of successfully navigating the FedRAMP certification process.

The reality is that FedRAMP will separate the high-level providers from the commodity providers. If you want to compete for any government agency cloud hosting contracts, then the rigorous, costly and tedious process is mandatory.

Copyright © 2016 IDG Communications, Inc.