For Policy’s Sake: Exploring FedRAMP


The process of getting a government organization to the cloud is entangled in deep bureaucracy. This article explores the sweeping policy of FedRAMP and why it works against the purposes it claims to endorse.

Between Russia, Cambridge Analytica and other nefarious-sounding news, the limelight is shining bright on foreign attempts to gain access to and manipulate U.S. data. In the government itself, agencies’ shift to cloud computing has reached a tipping point where more data than ever before is online. Unfortunately, the process of getting a government organization to the cloud is still entangled in deep bureaucracy.

The Federal Risk and Authorization Management Program (FedRAMP) was first enacted the better part of a decade ago, when the “cloud” was something that most people couldn’t define. A mandate to get into the cloud, FedRAMP purportedly enables government agencies “to rapidly adapt from old, insecure legacy IT to mission-enabling, secure and cost effective cloud-based IT” solutions.

In practice, the sweeping policy aimed at evolving government IT actually makes cloud adoption more expensive. Its simplicity isn’t grounded in reality and, in the end, increases the costs for all parties looking to host data in the cloud, right down to the taxpayers’ pockets. It is policy purely for policy’s sake, and works against the purposes it claims to endorse. Here’s why.

One Size Doesn’t Fit All

Traditionally, federal organizations, as with most organizations, stored their data in their own, on-premises data centers. With the introduction of the cost-saving benefits of the cloud, however, many agencies wanted to move their data to the cloud environment. In an effort to make sure this was done in a safe and secure manner, FedRAMP was introduced.

But there is a caveat: federal organizations and their data vary widely in complexity of operations, technological requirements, funding and resources. By forcing a blanket regulation upon a vast spectrum of organizations, FedRAMP places an unnecessary burden on federal organizations’ efforts to move to the cloud.

Meanwhile, the regulatory organization itself is significantly understaffed and underfunded, making the compliance process for cloud service providers costly and time-consuming. Undergoing the FedRAMP certification process can last anywhere from six months to two years and cost millions. These costs are then passed on to the government agencies being forced to use specific approved cloud service providers, creating a hamster wheel of inefficiencies. Similar to the healthcare marketplace, the FedRAMP marketplace restricts the cloud products and services that U.S. Government entities are allowed to use to only those vendors that can clear the high barriers to participate.

Passing the Costs On To You

Since the financial hurdle to becoming one of FedRAMP’s approved cloud providers is steep, cloud providers then charge government agencies more to make up for their time and effort. The costs are then passed along from government entities to taxpayers. Since options are limited in the FedRAMP marketplace, agencies are often forced to pay significantly higher prices for the solutions that have approval. This is a waste of taxpayer money and also negates the original intention of cost savings in moving to the cloud.

The basic problem is that only large cloud services that have the resources to go through the lengthy process and spend half a million to $2 million continue to apply for FedRAMP certification. In turn, this limits the choices federal organizations have when selecting cloud service providers. At the same time, many of the innovations come from startups, not established players. Therefore, it’s not only the cost of the certification process that is passed on to these organizations; they pay the price in innovation as well. Startups may be able to meet the security requirements of federal organizations, but they will not have the resources to get FedRAMP certified.

In the end, given the higher investment costs for certification and the resulting lack of competition, the services with FedRAMP certification are significantly overcharging federal organizations in comparison to the normal market price for such services.

Making Policy Meet Intention

While the intention of FedRAMP may come from a good place, it fails in its execution. Right now, the process is time-consuming and expensive for innovative, young companies to participate in, as it is inherently biased towards established firms that have the budget and resources to apply and adhere. Through inefficiency, it effectively negates the primary purpose any organization has in moving to the cloud: cost savings.

In order to make FedRAMP work, it needs to be more efficient, and that efficiency needs to come at a fraction of the cost. Federal agencies need to have more freedom in choosing and adopting cloud technologies. Instead of forcing federal agencies to move to the cloud, they should be able to wait until there are enough choices available and the value naturally exists. Stepping back, instead of treating cloud adoption as the end goal, agencies should take a broader approach: modernize data infrastructure, increase security and productivity, and reduce costs. Letting agencies organically make moves to reduce costs may involve methods other than cloud adoption.

Regulation needs to reflect the reality on the ground for the organizations it intends to protect. In the particular case of FedRAMP, the marketplace needs to give companies an incentive to join and build a critical mass of suppliers and buyers to lower the costs of certification. More choices available to meet the unique needs of different governmental organizations encourage innovation and competition. The future of regulation lies in the ability to redesign workflows for a new, efficient and lean world. And that’s the true nature of progress.