Coalfire announced key findings of its Federal Risk and Authorization Management Program (FedRAMP) marketplace report, “Securing Your Cloud Solutions for Government Adoption.” The report analyzes the FedRAMP program, the federal cloud market landscape, best practices when entering the FedRAMP authorization process and changes since the last edition of Coalfire’s FedRAMP report in 2017.

While the FedRAMP process has traditionally been considered expensive, difficult and lengthy, the report found the number of FedRAMP authorizations granted between 2016 and 2018 increased roughly 33% year over year. This trend was likely a response to the growing demand for cloud services in government (agencies spent $6.5B on cloud services in FY2018, up 32% year over year) and due in part to an improved authorization process. Structural changes in the FedRAMP program and greater efficiency through security automation have shortened times to FedRAMP authorization by up to 25%, as measured from initial preparation to authorization. The report further indicated that healthy opportunity exists across Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) solutions, with SaaS solutions showing the greatest rate of growth from 2017 to 2019.

The report also notes that agencies are challenged to comply with a multitude of changing federal guidelines requiring them to embrace secure cloud solutions whenever possible. The findings examine how recent and pending legislation will benefit cloud service providers (CSPs) and agencies, strategies that have worked for CSPs in navigating FedRAMP, and the time and cost considerations that organizations should factor into their FedRAMP efforts.

Key Findings in the Report:

  • Structural changes in FedRAMP are enabling federal market access to CSPs of all sizes, with tailored paths and opportunities based on service type.
  • FedRAMP preparation efforts leveraging Security Orchestration, Automation, and Response (SOAR) are showing great promise in reducing time to compliance and improving security: automation helps companies achieve audit-ready status in as little as six months, vs 12+.
  • Time to FedRAMP authorization (from the time of assessment initiation by a CSP) decreased from roughly 12-16 months in early 2016 to as little as six months in late 2018-early 2019, with the average time at roughly 9-12 months as of early 2019 (a 25% reduction).
  • SaaS applications now make up more than 84% of CSPs publicly preparing or undergoing FedRAMP authorization.

“Secure cloud computing is essential for federal agencies to move beyond their costly and inefficient legacy infrastructure – and there are mounting pressures to do so. But agencies continue to face security and compliance challenges as they move into the cloud,” said Michael Carter, vice president, Cyber Assurance – FedRAMP, Coalfire. “The FedRAMP program is designed to help agencies choose cloud solutions with confidence. Program improvements and innovation are providing more opportunities to CSPs than ever before; but they should follow the best practices and lessons identified in this research to alleviate much of the pain historically attributed to FedRAMP.”
