As federal agencies increasingly turn to cloud-based solutions to meet their growing technological and operational needs, selecting the right cloud service provider (CSP) for any given application is critical.
To help with this complex, high-stakes process, the Federal Risk and Authorization Management Program (FedRAMP) certification program offers a broad pool of potential vendors while ensuring that certified cloud services meet rigorous security standards. In turn, this simplifies the selection process by eliminating duplicative due diligence steps that agencies would otherwise have to conduct themselves. As the FedRAMP program itself states, “FedRAMP’s ‘do once, use many’ principle enables agencies to expand the marketplace of secure cloud services available to the federal government.”
However, identifying FedRAMP-certified providers is just the first step in the selection process. Once a pool of certified providers is established, agencies must still delve deeper to determine which vendor can best meet their specific requirements. In other words, the challenge is not just finding a certified vendor, but finding the right one for your agency’s unique mission and objectives.
Follow the Latest FedRAMP Guidance
The FedRAMP program doesn’t stand still. As the cloud marketplace has grown and the needs of federal agencies have evolved over time, FedRAMP has continued to develop better ways for agencies to simplify the logistics of finding, selecting, and adopting the right CSP for their needs. “To make this process even smoother, FedRAMP is piloting use cases, identifying new partners and processes that can safely speed up the security assessment process,” says the White House in a recent release of updated FedRAMP guidance designed to accelerate the secure adoption of cloud services by federal agencies.
Require FedRAMP Certification as Part of Selection Process, If Possible
It’s important to understand that there are constraints on what federal agencies can or can’t require as part of the selection process for technology vendors. For example, an agency can require a FedRAMP authorization as a condition of the contract award only if “there are an adequate number of vendors to allow for effective competition.” That said, FedRAMP provides one of the best third-party verifications of CSP quality and performance, so it makes sense to use it as either a condition of the contract or a factor to be considered whenever possible.
Go Beyond FedRAMP, When Necessary
However, agencies don’t have to limit their requirements to FedRAMP specifications alone: “FedRAMP sets a baseline for protecting federal information in a cloud environment.” In other words, FedRAMP offers a starting point rather than a high point. Agencies can and should identify any factors required to meet their mission- and technology-related needs, including factors that go beyond FedRAMP requirements if they are necessary to successful execution of the contract. Agencies can then use those additional factors to differentiate among, and choose from, the pool of FedRAMP-certified CSPs or any other competing CSPs available to them.
Continue to Do Due Diligence in the Selection Process
FedRAMP eases the process of cloud provider selection enormously, but it doesn’t substitute for a rigorous review and evaluation process. For example, if you are searching for a cloud-based records management solution, not all solutions are created equal—even among those with FedRAMP authorizations. Remember: just because a given technology solution can do something doesn’t mean it does it well or better than everyone else. If you want the best records management platform, FedRAMP certification is only the place to start.
About PSL
PSL is a global outsource provider whose mission is to provide solutions that facilitate the movement of business-critical information between and among government agencies, business enterprises, and their partners. For more information, please visit or email info@penielsolutions.com.