Federal agencies have until June 5 to certify their cloud systems. Here is what will happen if they miss the deadline.
As we reported last week in an in-depth analysis, cloud service providers are queuing up for a rigorous government review process that certifies that their services meet a strict baseline of security standards. This certification, known as the Federal Risk and Authorization Management Program, or FedRAMP, is mandatory for any cloud provider seeking to do business with federal agencies.
But the stakes are equally high for the federal agencies. The Office of Management and Budget, which mandated in 2011 that agencies begin using cloud services, has given them until June 5 to certify that those services meet federal security standards.
A big question now is what happens if cloud service providers do not get the security certification by the June deadline. And where does that leave agencies attempting to migrate parts of their IT operations to the cloud if their preferred provider’s services haven’t yet been approved?
The short answer: “Call us,” says Maria Roat, the General Services Administration director who oversees the FedRAMP certification program. If agencies already are working with certain cloud providers, officials expect there’ll be some flexibility on the deadline.
Whether agencies will find themselves in the hot seat for failing to meet the June deadline, however, is OMB’s call, not FedRAMP’s, say officials familiar with the situation. OMB didn’t immediately reply to requests for comment.
“Agencies could have legitimate reasons, but these requirements have been around for more than two years,” says Tom McAndrew, executive VP of Coalfire Federal, which helps cloud service providers get FedRAMP-certified. The details of these requirements were spelled out in a seven-page OMB memo issued by US CIO Steven VanRoekel on Dec. 8, 2011.
Since then, OMB has been polling agencies every quarter through its PortfolioStat IT investment review program and other reports to determine whether they are:
- meeting the administration’s “Cloud First” policy, which requires agencies to use cloud alternatives when available;
- meeting FedRAMP requirements, demonstrating that a cloud service complies with the government’s minimum security standards; or
- able to justify why they are not meeting federal policies.
“If agencies do not have a sturdy plan to handle cloud and security by now, then there’ll likely be increased pressure on the agency managers, directors, and CIOs” about their IT investment decisions, says McAndrew. OMB, which controls agency budgets, views FedRAMP’s “certify once, use often” approach as a vital tool for reducing redundant costs for security and compliance.
Time is running out, however, to meet the June deadline.
It typically takes cloud service providers six months to complete the FedRAMP certification process. The agency and cloud provider must first demonstrate that the service meets as many as 298 specific security controls. There aren’t any shortcuts, but once a service is certified, other agencies can adopt it quickly.
Although the FedRAMP process is rigorous and costly, its comprehensive baseline approach has caught the eye of cloud customers in the private sector.
That comes as good news for VanRoekel, who sees cloud computing not only producing significant IT savings across federal agencies, but also setting a more widely accepted security baseline for the cloud computing industry. As more cloud providers align with FedRAMP security standards, they’ll produce more cost-saving cloud services for agencies to choose from.
Wyatt Kash is Editor of InformationWeek Government. He has been covering government IT and technology trends since 2004. He served as Editor-in-Chief of Government Computer News and Defense Systems (owned by The Washington Post Co. and subsequently 1105 Media), where he …