Cloud vendors worry small businesses are shut out of the federal market

Liz Lynch/National Journal file photo

Report calls out the Obama administration for certifying existing large contractors before newcomers.

This story has been updated with comment from the General Services Administration.

The cloud computing industry is appealing to the Obama administration for small businesses to get a piece of the action this week, when the government starts accepting applications to become certified governmentwide Web services suppliers.

In a Tuesday report advising the White House to obey its 2010 25-point plan for reforming federal information technology management, the Software and Information Industry Association warns that the administration is falling short on point 16: reducing barriers to entry for small innovative companies.

A shift to cloud computing, or outsourcing data storage and applications to the Web, also is embedded in the plan as a cost and energy saver. To make agencies comfortable with essentially handing their IT systems and data to non-government institutions, the administration on June 6 will launch a certification process that will simplify acquisitions by ensuring all cloud offerors maintain a standard level of security.

The General Services Administration, which coordinates the Federal Risk and Authorization Management Program and is partly responsible for instituting the small business reforms, has promoted FedRAMP as a way for small providers to economically win government contracts.

“The FedRAMP model of ‘do once, use many times’ actually removes a barrier to entry for small businesses to work with Federal Agencies,” states the program’s website. “Instead of [cloud service providers] having to expend resources for security authorizations with each federal agency customer, they can complete a FedRAMP authorization once and reuse with subsequent federal agency customers – saving both time and money.”

But the cloud association contends that many agencies consider the FedRAMP controls insufficient and will demand customized safeguards from companies that require extra security inspections.

After passing FedRAMP certification, “the company must then work with their customer agency to receive their formal [approval], an additional and potentially costly step depending on whether or not the contracting agency accepts the FedRAMP certification.”

By some estimates, as many as half of agencies in certain cases believe FedRAMP does not satisfy their unique security requirements, according to the association. “In practice, it is likely that the FedRAMP certification process will be seen as an additional step to the certification process,” the report states.

The order in which cloud firms will be evaluated also drew criticism from industry. GSA officials have said the application process initially will prioritize contractors that already have won cloud infrastructure deals, such as Amazon and AT&T. “These companies will have a distinct market advantage over those approved later in the process, putting small businesses at a particular disadvantage,” the association states.

After Tuesday’s report was released, GSA officials said they welcome feedback from any providers experiencing challenges while seeking certification, and GSA is working with interested parties as they navigate the requirements.

The officials maintained that FedRAMP does not create an additional costly step in the certification process. A White House policy memo mandates that departments take advantage of the program, they noted. If a department requires tests on protections beyond the FedRAMP basic specifications, a cloud service provider would need to demonstrate compliance with those controls regardless of whether FedRAMP is used, GSA officials said.

Departments are allowed to seek an exemption from FedRAMP if the baseline doesn’t reflect their security needs, according to the memo.

Federal auditors recently chastised the administration for overstating its progress on the 25 point plan, partly by prematurely declaring it had finished moving to a “cloud-first” policy for buying IT. The deadline for checking off the items in the plan is this month.