Quzara LLC, a consulting firm based in Reston, Va., has rolled out a FedRAMP readiness assessment tool, conducting 30 reviews of independent software vendors and cloud providers in its first 60 days of availability.
FedRAMP, which stands for the Federal Risk and Authorization Management Program, is a government-wide initiative that provides a seal of approval of sorts for companies offering cloud services to federal agencies. The program spells out a standardized process for security assessment, authorization and continuous monitoring of those services.
The Office of Management and Budget established FedRAMP in 2011, and requires any cloud service holding federal data to be authorized under the initiative. It conceived the program to facilitate cloud adoption, but industry executives have viewed the process of vetting cloud security as time-consuming and expensive. Smaller cloud providers, in particular, have balked at the expense and complexity of getting their offerings FedRAMP authorized.
Against that backdrop, Quzara launched its FedRAMP readiness assessment tool, dubbed FRAT. Saif Rahman, Quzara’s co-founder and managing director, said the big players in cloud — AWS and Salesforce, among others — had the deep pockets to invest in FedRAMP compliance six or seven years ago. But that potentially leaves thousands of other cloud providers on the sidelines.
“We have a bunch of smaller ISVs and SaaS [providers] that want to get into the federal market, but are finding it extremely difficult,” Rahman said.
The FRAT tool aims to reduce the expense of FedRAMP. The authorization process starts with a FedRAMP readiness assessment, which determines the extent to which a vendor's cloud offering meets FedRAMP controls, or fails to do so. The readiness assessment typically costs around $50,000, with the price tag rising to $100,000 in some cases, Rahman said. The cost of that preliminary check is a deal breaker for many FedRAMP aspirants.
“Seventy percent of the conversations die there,” Rahman said.
FRAT, however, is a free, web-based tool that lets cloud vendors conduct a self-assessment based on a reduced set of security controls. For example, FRAT narrows the 325 controls for a FedRAMP moderate security baseline to 100 of the most critical controls, Rahman explained.
Quzara then reviews the results of the self-assessment with the vendor in a two-hour workshop, also free of charge. After the talks, clients come away with an understanding of the cost and level of effort required to achieve FedRAMP authorization, Rahman said.
“We help them build a FedRAMP roadmap,” he said. That guidance includes an initial timeline for achieving authorization and a prioritized to-do list for meeting FedRAMP requirements.
Companies participating in FRAT assessments thus far have included the expected smaller ISVs, but also larger entities. Rahman cited the example of a defense contractor with multiple data center-based applications it plans to turn into cloud services. The contractor needs FedRAMP authorization for each one, a costly proposition for even a sizable enterprise.
For Quzara, the no-cost FedRAMP readiness assessment has kept alive conversations with prospective customers, and could lead to fee-based business down the road. In the meantime, Rahman said the early interest in the assessment is encouraging.
“There’s a market that is hungry for real data,” Rahman said.