Of the roughly US$80 billion the federal government spends on IT each year, an increasing share is heading to cloud service providers.
Is it any wonder, then, that cloud vendors large and small are queuing up to solicit contracts from the country's single largest IT buyer?
Attitudes about the cloud are changing in the federal government. Advocates of flexible, usage-based technology are even winning converts among the hardline "rack huggers," says Maria Roat, the director of FedRAMP. Short for Federal Risk and Authorization Management Program, FedRAMP is the government's central security certification program that evaluates cloud offerings from the private sector.
"I think the outcome of this is proving that the cloud is secure," she says. "Things are moving and that culture is changing and that perception is changing."
But doing business with the government is not, to borrow an industry phrase, a turnkey exercise. There's also considerable confusion about what's still a relatively new process. A group of experts from industry and government recently gathered in the nation's capital to offer some best practices and bust some myths about the FedRAMP process.
Know What You're Getting Into
Doing business with the government can be a jolt for some conventional business-to-business enterprises. Tech leaders who've gone through the review process stress that newcomers should go into it with appropriate expectations. Some things are non-negotiable, and there are no guarantees - save for the fact that the review process will be costly and time-consuming.
That means that businesses shouldn't take things process lightly and must be prepared to commit resources to the effort, says John Keese, president and CEO of Autonomic Resources, a cloud provider that has gone through the FedRAMP process.
"Embrace the process, because you're not going to change the process. This is not a paper process," Keese says. "It's clear that management has to support the endeavors of the FedRAMP accreditation process. It's clear the staff will have to spend an inordinate amount of time."
Keese continues: "This is not a contractual process, so nobody's paying for any of these efforts. The government is not paying for these efforts. Staff has to be assigned with no promise of any revenue until you're accredited. And that's a reality check."
Weigh Centralized vs. Agency-specific Cloud Options
One of the first decisions cloud providers angling for government contracts will have to determine is whether to target their services to a single agency, and navigate an agency-specific approval process, or to make their offerings available across the federal government. If it's the latter, they will have to submit to what is generally a more rigorous review by the Joint Authorization Board, or JAB, which is comprised of tech experts from the General Services Administration (GSA) and the Departments of Defense and Homeland Security.
Sign up for CIO Asia eNewsletters.