Cloud computing blog
News about CGI's Cloud management perspectives

The advantages of early FedRAMP adoption
In its recent study, Contracts in the Cloud Promise More Contracts, An Executive’s Guide to Understanding FedRAMP, Bloomberg Government (BGOV) found that Cloud Service Providers (CSPs) holding “a government-wide cloud-services contract, such as CGI … will have an advantage in winning more work because FedRAMP gives them priority in the review process.”
We thank BGOV for recognizing CGI’s unique position to deliver cloud services to federal customers. We hold this position because security came first in the design of our government community cloud. This unique focus in our cloud enabled us to be the first certified CSP to deliver secure cloud services under GSA’s Blanket Purchase Agreement (BPA) for Infrastructure as a Service (IaaS). (See Paul Douthit’s previous blog post, “Preparing for FedRAMP: Building security into the fabric of our cloud,” for further insight.)
The BGOV study notes that FedRAMP seeks to save money for agencies and vendors alike by setting a government-wide baseline for cloud security. And, while efficient certification is a key goal, at its core FedRAMP remains a risk management program intended to heighten and maintain cloud system security over time. As a result, it is designed to support an agency’s ability to manage change as the cloud advances, as depicted in the diagram below.
How FedRAMP seeks to heighten and maintain cloud system security over time

By leveraging a common Authority to Operate (ATO), agencies and providers can shift spending on “certifications” to provide a truly robust risk management program with significant continuous monitoring and defense in depth.
The BGOV study also points out that it will take significantly longer to achieve FedRAMP accreditation, as long as 6 months compared to maybe 90 days for a typical Certification & Authorization (C&A). This is because FedRAMP assessments test the controls at a much more granular level, with 3-4 times the number of tests per control vs. a typical C&A. The extra controls and more in-depth testing reduce risks associated with a shared cloud environment, and FedRAMP looks to ensure separation and security of systems that co-exist.
While keeping systems secure from intruders remains the focus of security, in reality FedRAMP controls have a broader scope that includes the confidentiality, integrity and availability of systems. Recent major electrical outages in the Washington, DC metro area demonstrated that physical controls can be just as critical in maintaining the availability of systems. Cloud providers must provide higher grades of Uninterruptible Power Supplies (UPS) and generators to meet FedRAMP controls than were demonstrated recently.
CGI received the first ATO of any IaaS BPA holder and plans to continue our focus on security as an early adopter of FedRAMP. This focus enables us to help agencies move to the cloud with the least amount of risk. We believe this is and will continue to be one of our strongest differentiators as a government cloud provider.





