As an extension of FISMA, the U.S. Federal Government had to enact stricter parameters for the service providers it chooses to work with. Thus, FedRAMP was established in 2012 and is managed by the U.S. General Services Administration. The FedRAMP marketplace for government-focused cloud solutions has continued to grow in scope, with over 200 authorized solutions. Federal agencies seeking to buy commercial cloud services are required to acquire only FedRAMP-authorized services. There are many services to choose from listed in the FedRAMP.gov marketplace, with more to come. Since 2012, the adoption of commercial cloud services has continued to grow year after year, presenting a growth opportunity for ISVs, startups, and small businesses to deliver new and innovative solutions to an IT market with over $80 billion in annual spending. If you are interested in pursuing a FedRAMP ATO, read on for some insights and tips to help you make the right FedRAMP ATO investment decisions in 2021.
FedRAMP ATO Authorizations in 2020
There were 74 authorizations in 2020, of which 9 were performed by the JAB and the remainder were agency-sponsored ATOs. A total of 24 agencies participated in the program in 2020 and accredited 65 systems. The agency with the most sponsored FedRAMP ATOs continued to be the Department of Health and Human Services (HHS), followed by GSA. The list below provides an overview of the top 10 agencies that successfully authorized FedRAMP-accredited systems in 2020:
Rank | Name of Agency | Number of ATOs |
1 | Department of Health and Human Services | 12 |
2 | General Services Administration | 7 |
3 | Department of Commerce | 5 |
4 | Department of Veterans Affairs | 5 |
5 | Department of Defense | 4 |
6 | Department of Energy | 4 |
7 | Department of Justice | 4 |
8 | Department of Homeland Security | 3 |
9 | Department of the Treasury | 3 |
10 | Department of Agriculture | 2 |
10 | Department of State | 2 |
10 | Department of Transportation | 2 |
10 | Federal Communications Commission | 2 |
Source: FedRAMP.gov Marketplace
A quick analysis of the systems that received an agency-sponsored FedRAMP ATO in 2020 shows that SaaS offerings overwhelmingly outnumbered PaaS:
Deployment Model | Number |
SaaS | 55 |
PaaS | 4 |
PaaS, SaaS | 6 |
Source: FedRAMP.gov Marketplace
Selecting the right assessment partner is essential to ensure a credible and successful FedRAMP ATO accreditation:
3PAO Assessor | Number of Assessments |
Coalfire Systems, Inc. | 20 |
Schellman & Company, LLC | 18 |
Kratos | 16 |
A-LIGN Compliance and Security, Inc. dba A-LIGN | 8 |
Lunarline, Inc. | 5 |
Source: FedRAMP.gov Marketplace
stackArmor has worked with all the top 3PAOs and provides extensive consultation support in helping pick the right 3PAO partner at the right price. As more and more startups, ISVs, and commercial organizations seek to provide cloud services to public sector and Federal agencies, achieving a FedRAMP ATO is a critical pre-condition.
Making the right FedRAMP ATO investment decisions for 2021
A recent market research study by Marketing Connections, Inc. demonstrates that government buyers prefer to use FedRAMP-authorized cloud services. However, given the significant investment and time commitment associated with obtaining a FedRAMP ATO, a strategic approach to selecting the right architecture and deployment model is essential. As a case in point, hyper-scale cloud platform providers such as AWS provide two FedRAMP Moderate hosting options: AWS East/West or AWS GovCloud. AWS GovCloud is a government community cloud with higher levels of security but also a higher cost, which could be 20-25% higher than the East/West Region. ISVs and commercial organizations often must understand government buyer psychology and risk tolerance. The FedRAMP market research study clearly identifies buyer preference for using a government-only community cloud.
stackArmor’s ThreatAlert ATO Accelerator solution provides a strategic framework for optimizing and accelerating FedRAMP, FISMA/RMF, and CMMC compliance. Clearly, positioning commercial cloud solutions for likely government buyers must take into consideration buyer preferences. Focusing on the right agency sponsor with the right deployment models is critical. Schedule a call with your stackArmor ATO specialist for some tips and guidance if you are interested in pursuing a FedRAMP ATO in 2021.