FedRAMP, StateRAMP cultivate small biz providers
Leaders from the federal and state cloud security authorization programs said they want to “open the aperture” for small businesses that offer secure services to government agencies.
The leaders behind two cloud certification programs designed to help government agencies do business with cloud providers authorized to offer secure services said they are both looking for ways to “open the aperture” to allow more small businesses to participate.
The Federal Risk and Authorization Management Program (FedRAMP) and the State Risk and Authorization Management Program (StateRAMP) both authorize cloud services that federal and state governments, respectively, can use, ensuring those services satisfy standardized security requirements.
But the cost of becoming certified by one of the organizations and then maintaining that authorization through regular audits and monitoring has a reputation—some say undeserved—for being onerous, especially to smaller businesses.
In a bid to encourage broader provider participation beyond the traditional cloud services giants, the leaders of both programs said they are determined to get more companies and technologies certified, while still maintaining a commitment to robust cybersecurity practices.
“Our challenge is lowering the barriers to entry, without lowering the cybersecurity bar,” Brian Conrad, acting FedRAMP director and program manager for cybersecurity at the General Services Administration, said at GCN and Nextgov’s Emerging Technology and Modernization Summit. “Protecting federal information is a team sport, and everybody has to play their part. But we can still look at ways to lower those barriers to entry into the marketplace.”
Conrad said that currently around 10% of the almost 300 companies certified by FedRAMP are small businesses, but the hope is to “open the aperture” and get more in, while ensuring that they can easily find an “agency dance partner” to work with on their application. He said conversations about how to make that a reality are ongoing.
StateRAMP has already taken concrete steps to bolster its still-expanding membership. Executive Director Leah McGrath said the organization opened its certification process to any company, regardless of whether it has a government or agency partner.
StateRAMP voted to tier its membership pricing structure based on a company’s annual revenue, she said. It is also getting ready to roll out a “Security Snapshot” program that provides companies interested in certification with an assessment of where the gaps are in their security, with consulting services to show them how to correct vulnerabilities.
“We're all trying to improve and make these incremental adjustments and improve the process while we're still executing the process,” McGrath said. “We're always focused on what's coming next. But our teams are really helping support what's happening today, so that we can stay on that cutting edge of wherever the threats are coming from, and how we evolve.”
FedRAMP’s mission received a boost late last year as lawmakers included the FedRAMP Authorization Act in the FY 2023 National Defense Authorization Act. That action codified the program and many of its processes, while also establishing a Federal Secure Cloud Advisory Committee to promote dialogue between GSA, agency cybersecurity officials and procurement officers and businesses and encourage feedback.
Conrad said the legislation “doesn’t change the overall mission” of the FedRAMP program, but formalizes its provisions, adding that agency leadership is still poring over the text and implementing it.
From StateRAMP’s perspective, while the program is voluntary, McGrath said she anticipates adding more than a dozen states as participating government members, in addition to more certified vendors. She also said the organization is speaking with state officials beyond the executive-level offices, reaching out to treasurers’ offices, comptrollers, secretaries of state and attorneys general in a bid to raise awareness of their efforts. “There are a lot of layers to peel back,” she said.
McGrath said StateRAMP is also working on how to harmonize federal security requirements with the needs of state and local governments around managing tax and Medicaid information systems. The organization and its various committees are having discussions about “driving towards standardization,” which she said will benefit governments and their vendors.
FedRAMP will make sure to keep track of the “ever evolving realm of threats” and make policy changes where necessary, Conrad said, pledging to communicate those risks with vendors and be “collaborative” with them.