"The bar for what the JAB will accept or risk is pretty high," says Roat. "When you're looking at the risk posture, [individual] agencies can accept risk more readily."
While the JAB review may be tougher, and drag on for months, the companies that come through it have an instantly recognizable credential that signifies to all agencies that their services have been vetted and proven secure.
"If you can get through that, then it is kind of a single line drawn in the sand that everyone can look at," says Susie Adams, CTO of Microsoft's federal division.
Prepare for Scrutiny
FedRAMP evaluators are professional sticklers. Vendors looking to win certification must be prepared to lay their cards on the table. In all likelihood, this will mean furnishing more documentation for, and allowing the government to peer more deeply into, the technology than they are accustomed to with private-sector clients.
"Be prepared to be transparent, because there will be a lot of eyeballs on your solutions, and transparency is a requirement," Keese says, adding that JAB reviewers aren't necessarily a group that's simply "willing to ... take your word for it."
Remember, FedRAMP Isn't Just the Feds
By June, all federal agencies are expected to have their cloud service providers meet baseline FedRAMP guidelines. That doesn't mean that every cloud provider will have to have been certified by the JAB, but they must at least meet the standards that agencies have devised on their own, patterned after the FedRAMP template.
It's not just the U.S. government that's paying attention to the FedRAMP standard, though. Companies that can boast that they have received the certification might find it easier to do business with other government entities - at home and abroad - that want to go to the cloud but still worry about cloud security.
"Other countries are looking at this, and they're looking at this in depth," Adams says. "So now we're seeing RFPs come out in other countries and state and local governments that say if you're FedRAMP-certified, we're good."
Nor Are FedRAMP Clouds Limited to Government Applications
In a word, no. The notion that a FedRAMP-approved cloud can only house government data and applications is fiction, according to Adams.
"FedRAMP doesn't say that it has to be a government-community cloud, and there is no law on the books that I know of that says what users can be in a government-community cloud," Adams says. The so-called "industry definition," set by Google years ago to dictate how to create a government-community cloud with federal, state, local and tribal authorities, was done largely to align with purchasing off a GSA schedule. (Plus, if you think about it, tribal regions include casinos, she says.)