Federal spending on information technology and cybersecurity continues to increase. Federal spending on information technology has exceeded $80 billion for several years1 and the fiscal 2017 federal budget seeks almost $90 billion.2 The administration reports that it will spend 8.2 percent on cloud computing, and invest $19 billion in cybersecurity, which includes retiring old information technology systems and moving toward more secure systems.3 The General Services Administration (GSA) recently added a cloud computing service category to its Schedule 70 (SIN 132-40), and technical refresh awards for Schedule 70 contractors, focusing on this service category, are ongoing.4 GSA also plans to issue its long-awaited, government-wide, multiple-award, indefinite-delivery/indefinite-quantity (IDIQ) solicitation this year. This solicitation, known as “Cloud Config,” will include a robust array of cloud services, and will likely require FedRAMP compliance.5
As the federal government’s need for cloud computing services continues to increase, and contractor IT systems expand the use of cloud services, many federal contractors will either provide cloud computing services to the government or use cloud computing services when performing a federal contract. The federal government requires secure contractor IT systems and secure cloud offerings.
The GSA release of significant program changes to FedRAMP in 2016 is in line with an increasing appetite for cloud computing and the increasing federal policy emphasis on cybersecurity. The release of the high baseline security requirements and FedRAMP Accelerated enhance the process for cloud service providers (CSPs) to achieve the authority to operate in compliance with FedRAMP security control standards and broaden CSP access to high-impact cloud computing opportunities. For those CSPs that have FedRAMP moderate-impact authorizations, the recently released FedRAMP high baseline requirements pose a new opportunity for these CSPs to obtain authorization for high-impact systems and increase their cloud service offerings (CSOs) to the federal government. Because FedRAMP is mandatory for low/moderate and now high-risk impact levels, for all cloud service models, CSPs that have not previously been approved by FedRAMP have the option to use FedRAMP’s Accelerated process to achieve certification at either the low/moderate or high-impact levels.