Here at Rackspace we firmly believe that FedRAMP — the Federal Risk and Authorization Management Program — is the foundation that U.S. government technical superiority will be built on, by providing a common framework that allows innovative technology to be made rapidly available for government use.
FedRAMP was established in 2011 to provide a standardized government-wide approach to security assessment, authorization and continuous monitoring of cloud computing services. In short, FedRAMP’s aim is to reduce the redundancies of federal cloud migration.
As someone who spent 13 years at the Department of Defense, on the forefront of the fight to drive innovation and cloud adoption in the federal government, I can tell you that FedRAMP represents one of the best options for winning that battle. Federal customers know how much a FedRAMP authorization can streamline their acquisition cycle — and when speed to mission is critical, the case makes itself.
I can’t tell you how often I wished for some type of top-level framework that made the “yes, but can we actually buy it?” conversation easier. FedRAMP is that framework, because it streamlines the assessment process for customers while providing a standardized approach to cloud security for providers. The FedRAMP reciprocity approach also decreases overhead for everyone, while allowing the government to get innovative solutions deployed to its customers faster.
Even when we managed to acquire software solutions, it often took months for the administrative process to be completed and still longer to test, get an Authority to Operate (ATO) and deploy the solution. This process could take a year or more. This is not an exaggeration, though I wish it were.
With its software-as-a-service focus, FedRAMP represents an opportunity for the government to develop a realistic transition plan away from its legacy infrastructure to the cloud. It also gives private businesses a low risk strategy for breaking into the federal market by providing a trusted platform for potential customers to find their solutions via the FedRAMP marketplace.
But the real magic of FedRAMP is the standardization, allowing vendors to go through the security process once and adhere to a single set of security requirements. Any agency can easily ‘reuse’ the security package, accept risk, and issue its own ATO.
With the current average reuse approximately eight times per authorization, that means the 143 cloud products currently authorized equal roughly 1,141 authorization reuses, translating into an estimated $285 million in cost avoidance for the federal government.
That’s just the tip of the iceberg. The U.S. government plans to spend over $90 billion this fiscal year on information technology. Unfortunately, most of that will be used to operate and maintain aging (also called legacy) systems. FedRAMP is designed to solve for that, to drive more dollars into innovative new technology such as cloud and software-as-a-service (SaaS), positioning the federal government for the future, versus maintaining what they have.
The federal government continues to show its commitment to improving FedRAMP, most recently through the U.S. House Committee on Oversight and Reform’s recent hearing to get feedback on what the program is doing well and where it needs to improve.
Currently, more than 150 agencies participate, and there are 144 FedRAMP-authorized cloud service offerings. That’s good but, it’s not nearly enough. As I’ve said before, the federal government tackles problems across every technical area imaginable and it needs the most innovative and effective solutions at its disposal as quickly as possible. For that to happen, those solutions must be FedRAMP authorized — and that’s where Rackspace comes in.
Rackspace does technology services better than anyone on the planet and FedRAMP is no different. Through our Rackspace Inheritable Security Controls (RISC) solution, we enable independent software vendor (ISVs) and systems integrator (SIs) to achieve FedRAMP ATO in a fraction of the time it takes for those trying to go it alone and with a cost savings of up to 70 percent. RISC, which is part of our cloud portfolio management for government, is a turnkey, collaborative approach to FedRAMP compliance and authorization for SIs and ISVs, offering three clear steps to affordable FedRAMP compliance. By leveraging the power of FedRAMP inheritance, which allows you to build on the security requirements we’ve already addressed via Rackspace’s existing ATO, you can add FedRAMP-authorized solutions to your portfolio.
Think of it as FedRAMP-as-a-service.
As part of our RISC approach, we hold regular workshops where solution providers can come learn, in a one day session, exactly what goes into getting FedRAMP authorized and whether it makes sense for their business. Lots of providers believe the initial authorization process is more complicated than it is — probably because they’re attempting to tackle it on their own. And it’s not just large companies competing — 34 percent of cloud service providers that have received FedRAMP designations (FedRAMP Ready, FedRAMP In-Process, FedRAMP Authorized) are in the small business category.
The bottom line is that if you haven’t at least done your due diligence to determine whether there is a market for your solution in the federal space, you are leaving business to your competitors who will.
Visit rackspace.com/fedramp to learn more.