In a move that could have big implications for the budding civic innovation space, this morning Salesforce became the first outfit to be granted authorization to provide both software-as-a-service (SaaS) and platform-as-a-service (PaaS) cloud services to U.S. Federal Government agencies.

Before explaining why this is so significant, here’s some background on the government’s IT management system:

Back in 2010, the Obama administration announced a “cloud first” policy for improving and cutting the costs of the government’s IT management. Because it’s the government, this meant a healthy serving of alphabet soup as numerous new designations, programs, and committees were created to manage the technical transition.

The Federal Risk and Authorization Management Program (FedRAMP) was introduced in 2011 as a central, standardized process for cloud service providers (CSPs) to obtain the security authorization necessary to secure government contracts. FedRAMP is part of a streamlining initiative by the Office of Management and Budget and is overseen by the General Services Administration (GSA). An Authorization to Operate (ATO) can be obtained either through a direct application to the FedRAMP Joint Authorization Board (JAB) or with the sponsorship of the agency a company wishes to contract with. By either avenue, a CSP needs to employ the services of a qualified FedRAMP third-party assessment organization (3PAO).

If this sounds like a Kafkaesque and convoluted bureaucratic boonshwaggle, that’s because it is. But it’s also important, so I’ll try my best to continue in plain English.

On June 5, FedRAMP will become mandatory for any CSP that currently or in the future contracts with a Federal Government agency. Thus far, only about a dozen CSPs have succeeded in clearing this hurdle — most of them big names like Amazon, Microsoft, Hewlett-Packard and now Salesforce. With the authorization process currently taking at least four months (and as many as nine), this means the technology industry is facing a pretty dramatic bottleneck when it comes to obtaining or simply maintaining a government contract.

The intention of FedRAMP is to decrease the time and cost of achieving security clearance for CSPs by standardizing the process across all federal agencies and thereby removing redundancies. But the FedRAMP team itself has limited capacity, with only six information system security officers employed to conduct the exhaustive reviews. The bottleneck is compounded by the fact that, in typical rich-get-richer fashion, companies with existing authorized contracts get priority in the queue over companies applying for the first time.

Salesforce, like Amazon before it, obtained authorization with the sponsorship of the Department of Health and Human Services (HHS). Because the FedRAMP ATO is a government-wide standard, getting authorized to provide service to HHS means that, theoretically, any government agency can now contract with Salesforce. In practice, though, there is a bit of a gap, as Salesforce’s HHS ATO is live but full FedRAMP cross-agency authorization hasn’t been finalized.

“We anticipate being on the GSA website in June,” Salesforce’s North American Public Sector SVP Dave Rey told Pando.

The announcement that Salesforce has been granted a platform-as-a-service authorization does offer some potential relief to interested CSPs. Rather than incurring the costs and time commitments of an independent FedRAMP authorization, companies can instead build cloud-based apps for government use directly on the Salesforce1 Platform, thereby piggybacking on the Salesforce ATO. There are currently more than 100 apps in the Salesforce AppExchange for government use.

Intentionally or not, Salesforce has positioned itself as a middle-man for the countless smaller technology companies that would like to provide cloud software solutions to the federal government. And it certainly didn’t hurt that Vivek Kundra, the first Chief Innovation Officer of the Federal Government and a principal architect of the “cloud first” policy, is now a Salesforce executive.

So far, most of the civic innovation products that have garnered attention and investment are targeted at the state and local levels. But that may not offer as much relief as it initially suggests. Rey says that state and local governments have shown interest in meeting FedRAMP standards when contracting with cloud service providers, wanting to ensure a level of security that has fed-level endorsement. For this reason, FedRAMP approval may also appeal to smaller CSPs looking to scale up to targeting federal government agencies.

Much of the promise of “civic innovation” lies in the opportunity for governments to improve their IT and data management practices, opening up a competitive new market for startups that can target individual pieces of those systems and demonstrate the benefits their products provide.

“Security and compliance needs to operate at the same velocity of the cloud or start-ups will need to hire more lawyers than coders,” says Greg Elin, the former Chief Data Officer of the FCC and founder and CEO of GovReady, a platform that helps smaller civic innovators meet these weighty paperwork demands without needing to hire IT security experts and audit staff, with the goal of a fully automated FedRAMP authorization.

“As the baby boomers fade and the Instagram infants emerge, the winning countries and cities will be those that treat their data supply chain with as much attention as they do the food supply chain,” Elin says.

If the FedRAMP approval process builds an effective moat around those contracts by limiting them to established companies with the resources and relationships to navigate the bureaucratic obstacle course, it could instead have a chilling effect. More and more companies are becoming aware of the FedRAMP requirements and are thus initiating the authorization process as the deadline for compliance approaches – Google, AT&T, and Verizon among them.

Should this bottleneck persist, we could see major tech corporations holding all the keys to government contracts, leaving smaller outfits forced to ride their coattails. Ultimately, it looks as if efforts to bring government systems up to 21st century speeds may get hung up in a bureaucratic briar patch of the government’s own making.

[illustration by Brad Jonas for Pando]