GSA to Agencies: Don’t Use FedRAMP to Screen Out Potential Bidders


Requiring companies to have FedRAMP authorizations up front before being allowed to bid on work will limit competition, official says.

Some federal agencies are beginning to require that contracting vendors have FedRAMP authorizations before bidding on cloud computing contracts.

At first blush, it seems like a good thing that agencies would require contractors to adhere to the Federal Risk and Authorization Management Act, the government’s standardized approach to ensuring security in cloud computing.

Yet because FedRAMP is still only a few years old, making compliance with FedRAMP a prerequisite to bidding on contracts could limit competition.

“Agencies – contracting officers – are starting to require FedRAMP authorizations as a condition for bidding on work,” said Stan Kaczmarczyk, director of the Cloud Computing Services Program Management Office in the General Services Administration’s Federal Acquisition Service.

“That’s going to severely limit competition and hurt small business,” he said Tuesday at the Federal IT Acquisition Summit in Washington, D.C.

Instead, agencies should allow qualified bidders to bid on projects under the stipulation that if they do not already have an authorization to operate under FedRAMP, they get one before the contract goes operational.

“What we’re telling agencies is that it’s OK – it’s preferable – to use FedRAMP authorization as an evaluation criteria,” Kaczmarczyk said. “That should be an evaluation criteria, but it should not screen out from the start.”

Kaczmarczyk’s words were quickly conveyed to FedRAMP Director Matt Goodrich via a series of tweets.

Goodrich said the FedRAMP office is “working on procurement guidance that will help clarify” how FedRAMP authorizations should be handled in contractual dealings.

Here’s his full tweet response:

Now, there may well come a time when FedRAMP’s growth – coupled with the government’s continued, specific demand for secure cloud services – calls for agencies to intentionally require bidding contractors to have secured FedRAMP authorizations upfront. In that scenario, competition wouldn’t be hindered because there would be a whole lot more FedRAMP-compliant solutions for agencies to choose from.

Until then, it appears best to use FedRAMP authorizations as an evaluation tool and a requirement prior to operation rather than a mandatory requirement for vendors to meet before they can bid, officials say.
