How Resilient are FedRAMP Clouds Anyway?

December 8, 2014 / G C Network / Comments Off on How Resilient are FedRAMP Clouds Anyway?

Leading Federal Integrators Address Tactical Cloud Computing

By G C Network | October 7, 2009

Yesterday during the first annual Government IT Conference and Expo, tactical cloud computing was cited as a critical component within this new paradigm. Joining me to address the issue were:…

Carpathia Creates Government Solutions Business Unit

By G C Network | October 6, 2009

In a strong statement of focus, Carpathia Hosting has announced the formation of Carpathia Government Solutions, a unit dedicated to providing solutions specifically for federal civilian and defense agencies. This…

INPUT FedFocus 2010

By G C Network | September 30, 2009

Please join me at the 7th Annual FedFocus Conference, November 5, 2009, at the Ritz Carlton in McLean, VA. This conference has been designed to provide crucial information on upcoming…

Dataline, Lockheed Martin, SAIC, Unisys on Tactical Cloud Computing

By G C Network | September 25, 2009

I’m proud to announce that representatives from Lockheed Martin, SAIC, and Unisys will join me in a Tactical Cloud Computing “Power Panel” at SYS-CON’s 1st Annual Government IT Conference &…

GSA, DoD and NCOIC to Collaborate on Government Cloud Computing

By G C Network | September 22, 2009

Yesterday, during the NCOIC Cloud Computing Workshop, collaboration seemed to be the focus as Katie Lewin, GSA Cloud Computing Initiative Program manager, and Dan Risacher, DoD Cloud Computing Storefront project…

FederalNewsRadio Highlights Government Cloud Computing

By G C Network | September 20, 2009

Last week’s Apps.gov announcement was the latest steps in the government’s “at the quick step” march into cloud computing. FederalNewsRadio, a Washington metro area media fixture, highlighted the event with…

NCOIC Officially Launches Cloud Computing Working Group

By G C Network | September 14, 2009

On Wednesday, 9 September 2009 the Network Centric Operations Industry Consortium (NCOIC) Technical Council formally approved the creation of a Cloud Computing Working Group (CCWG). Organizationally this new working group…

1 Billion Mobile Cloud Computing Subscribers !!

By G C Network | September 10, 2009

Yes. That’s what I said! A recent EDL Consulting article cites the rising popularity of smartphones and other advanced mobile devices as the driving force behind a skyrocketing mobile cloud…

NCOIC Holding Full-Day Cloud Computing Workshop

By G C Network | September 4, 2009

The Network Centric Operations Industry Consortium will be holding an all day Cloud Computing Workshop on September 21, 2009 in Fairfax, VA. Open to the public, this workshop will focus…

Pentagon Reviews Unisys Stealth

By G C Network | August 31, 2009

According to a Newtworkworld.com article, the United States Joint Forces Command (USJFC) is currently evaluating Unisys Stealth technology at the Joint Transformation Command for Intelligence (JTC-I) in Suffolk, Virginia. “Unisys…


By Jodi Kohut
For the uninitiated, FedRAMP is the Federal Risk Authorizationand Management Program, a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Implemented to support the Administration’s “Cloud First” policy, some have pointed to FedRAMP as a great model for commercial industry’s adoption of cloud as well. But when it comes to disaster recovery in the cloud, is that necessarily the case?
One of the questions I’ve been asked from the beginning of the Federal Cloud First initiative, is, “If my data is in   The answer is not as clear-cut as the question.  In theory, most cloud services offer extremely resilient platforms and a modicum of disaster recovery is built in. In fact, those cloud service provider (CSP) systems that have received an ATO through the FedRAMP program do have fairly sophisticated contingency plans in place, with Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) clearly articulated- and plenty of alternate processing sites, policies, and procedures in place in the event of a contingency.  So, it’s in there right?

Not so fast- it depends on what services you are acquiring and how you are deploying and managing them.  The baseline of this discussion is however rooted in availability and uptime. 

the cloud, isn’t my disaster recovery built in? Isn’t that the benefit of being in the cloud?”

A CSP may be able to provide a more resilient infrastructure than an Agency can build internally.  For example, recent research from the International Working Group on Cloud Computing Resiliency (IWGCR) reported 2013 total downtime hours from major providers as follows:

  • Amazon – 28.23 hours
  • Rackspace – 97.98 hours
  • Verizon – 136 hours

The availability percentages of these providers range from 98.44-99.68%.  Even though the IWGCR believes this data may under report outages, the data may also overstate service downtime.  Let me explain.
The cloud providers mentioned here provide SLA’s for individual services.  Often these are subject to separate SLA’s rather than aggregated ones.   In practice, CSPs orchestrate these services in such a way that a customer can expect 100% availability at a fraction of a cost of building the same solution internally. Considering that only 8% of federal government agencies report confidence in being able to recover 100% of the data required by their governing SLA’s, FedRAMP authorized clouds seem to be perfect for addressing disaster recovery. These same agencies also report an inability to test their disaster recovery plans as often or as thoroughly as they would like. In addition, from an alternative processing site standpoint, Cloud Service Providers offer more, geographically distributed sites for a fraction of the cost of building equivalent solutions internally.  And contrary to the emotions of some, moving disaster recovery to the cloud does not mean relinquishing control of the process or data.  FedRAMP mandatory contractual clauses give the government absolute control of all of its data, all of the time.
So with this in mind, “Is FedRAMP a good model?” Compared to the current state of government IT affairs, the answer is an unequivocal YES! Budget cuts, rapidly increasing IT requirements and the rising threat of cyber-attack are also great arguments for rapid adoption of commercially available, FedRAMP authorized cloud baseddisaster response services. Commercial companies operating in government-regulated industries should leverage this process as well by making FedRAMP provisional approval a minimum requirement for their own cloud service providers.   The list of companies currently in process to receive provisional authorization status for FedRAMP shows industry commitment to security of systems “In the cloud”.   

(This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. To learn more about tech news and analysis visit TechPageOne. Dell sponsored this article, but the opinions are our own and don’t necessarily represent Dell’s positions or strategies.)

Bookmark and Share

Cloud Musings

( Thank you. If you enjoyed this article, get free updates by email or RSS – © Copyright Kevin L. Jackson 2012)

Follow me at https://Twitter.com/Kevin_Jackson
Posted in

G C Network

Cloud Computing

Cybersecurity