There are not enough certified cloud services providers to meet the federal government’s needs, say senior information technology executives.
“At the current rate we are moving activities into the cloud, we are going to need more authorized service providers,” said the Interior Department’s chief information officer, Bernard Mazer.
Commercial cloud service providers are able to serve federal agencies only after they are certified as meeting tough federal security standards by an interagency program called the Federal Risk and Authorization Management Program (FedRAMP). The certifications are performed by an independent, third-party review. FedRAMP will become mandatory for all new agency programs in June 2014. A FedRAMP certification can take about six months.
The Interior Department aims to transition data and applications from more than 400 data centers to the cloud to increase efficiency and close hundreds of data centers. The move is projected to save Interior $100 million a year from 2016 to 2020.
But the department needs more vendors to choose from to ensure it gets the best services and security, Mazer said. So far, only eight companies have been certified by FedRAMP to provide cloud services to federal agencies: Akamai, AT&T, Autonomic Resources LLC, CGI Federal, Hewlett Packard, Lockheed Martin, Microsoft and Amazon Web Services. The Agriculture Department has been certified to provide cloud infrastructure as a service.
Dan Tangherlini, the administrator of the General Services Administration, which runs FedRAMP, said there is no target for how many companies the FedRAMP program wants to certify. But he said such comments from senior IT officials will help show companies that there is a market for FedRAMP certification.
“I want as many people as possible to be interested in getting the FedRAMP certification so I can give guys like [Mazer] the most number of options, so they can get good services for their agencies,” Tangherlini said.
He said GSA wants to simplify the FedRAMP process. “The idea with FedRAMP is that if we do it once and do it well, we can share it across the enterprise,” he said.
Steve O’Keeffe, founder of public-private IT partnership MeriTalk, said the “jury is still out” on how many companies will ultimately join FedRAMP, but he thinks companies will go through the certification process so as not to miss out on contracts.
If agencies end up circumventing FedRAMP, companies may decide it’s not worth it. So GSA needs to aggressively promote the program and recruit companies, he said.
“If the cost and time commitment associated with FedRAMP certification do not drive significant business, then a good number of the companies waiting in line for FedRAMP certification will turn off and find other paths to market,” O’Keeffe said.
John Keese, the CEO of Autonomic Resources, the first company to receive FedRAMP certification, predicts more companies will get FedRAMP-certified as agencies ramp up their cloud activities and seek options that meet their security needs.
“We have already made the corporate decision that FedRAMP was going to be the eye of the needle through which all of the camels would pass,” Keese said.
Some companies are hesitant to get certified, he said. He attributed that to the fact that cloud services are highly disruptive and cut into the revenues of well-established companies that operate legacy systems for federal customers.
But as agencies push more of their operations into the cloud, that will change, he said.