IT contractors have expressed mounting frustration with back-ups in the General Services Administration’s (GSA) Federal Risk and Authorization Management Program (FedRAMP), a centralized, government-wide system for vetting cloud-services contractors. FedRAMP, launched in June 2012, was designed to streamline the security-screening process; an agency could select from a pool of pre-approved contractors for a cloud procurement, as opposed to conducting a separate security review. Nevertheless, the FedRAMP approval process has been painfully slow. To date, just two contractors have been certified.
While many agree that a rigorous screening of cloud providers is critical for data security and privacy, some contractors worry that GSA is ill-equipped to handle the time-intensive vetting process, which has resulted in a bottleneck that only exacerbates approval delays. Further, the slow pace of FedRAMP certification has sparked fears that the program will stifle competition by creating a two-tiered system in which FedRAMP-certified companies enjoy a considerable competitive advantage over IT contractors who, while qualified to do the work, are still awaiting approval. These concerns may well give rise to costly and time-consuming post-award bid protests that could negate the very efficiencies that FedRAMP was designed to promote.