FedRAMP Contracting Trends, FY 2021-2023

Published: April 17, 2024


The PMO debuts a new roadmap as use of FedRAMP grows.

Market watchers may have read that the Program Management Office (PMO) for the Federal Risk and Authorization Management Program (FedRAMP) recently published a new roadmap. This document, according to an article posted by the PMO, has four primary goals: 1) to grow the number of customer experience (CX) applications; 2) to make the security expectations for FedRAMP authorization clearer and more consistent; 3) to cut the number of unnecessary reviews while automating those that are necessary; 4) to build an application programming interface (API) for FedRAMP that enhances digital authorization.

Some of these goals (e.g., automation, accelerating reviews) are things the FedRAMP PMO has been striving to accomplish for several years. The new roadmap adds, however, that federal agencies need both computing infrastructure and “everything that’s being built on top of it,” meaning Software-as-a-Service (SaaS) cloud offerings.

Regular readers of this blog know that federal spending on SaaS has been outpacing spending on all other service delivery types for a while now. The FedRAMP PMO is finally responding to this shift in the market, as well as other trends in IT spending, such as the focus on CX. Last November, I provided some figures showing how spending on CX had grown to $147M in FY 2023. The vast majority of this spending is on CX capabilities and the small businesses providing them. The FedRAMP PMO is responding to this trend, too, particularly since CX appears to be a market area where small businesses are holding their own.

What about other trends popping up in the adoption data?

Efforts/Awards Requiring FedRAMP Approval

Let’s start with the overall number of awards and announced contract efforts that require respondents to be FedRAMP certified. These have been growing steadily for several years.

The data shows that federal civilian agencies (the Department of Defense has its own certification process) continue to prefer Moderate level solutions to all others by a wide margin. The Moderate/High category includes requirements outlined in solicitation documents stating either level is acceptable for proposed solutions.

Efforts/Awards Requiring FedRAMP Approval vs. Not Requiring It

The data for this chart shows that while civilian agencies continue to grow the number of FedRAMP’ed solutions they buy, they are also still procuring a large number of solutions that are not FedRAMP certified.

There is some play in these numbers because, while the need for a FedRAMP approved solution is not specifically called out, the solutions procured could be deployed in FedRAMP certified environments, such as the one at the Department of Veterans Affairs. In addition, all types of efforts from across the cloud market are included here. This means engineering efforts, too, and FedRAMP certification doesn’t necessarily feature in those. Please note as well that FedRAMP Ready solutions have not been counted.

These caveats notwithstanding, the data shows a big shift in FY 2023 toward efforts/awards requiring FedRAMP certification.

Top Ten Civilian Agencies by FedRAMP Procurement

Finally, here are the leading federal civilian agencies ranked by the procurement of FedRAMP certified solutions.

Although the State Department ranks at the top of this list, the interesting thing about its data is that it has consistently held this position for all three fiscal years. Procurement at DHS and Commerce showed the same trend. This suggests that the demand for certification is strict at those agencies.

As for agencies such as DOJ and HHS, their procurement of FedRAMP certified solutions peaked in FY 2022 before falling off a cliff in FY 2023. Justice, for example, procured 303 FedRAMP’ed solutions in FY 2022. In FY 2023 this number fell to 6. This trend hints that cloud procurement at DOJ and HHS could be cyclical, with a lot of capabilities being purchased one year, but not the next.

Final Thoughts

Summing up, the following trends related to FedRAMP are evident:

  • Agencies continue to procure SaaS more than any other type of capability.
  • CX capabilities will be promoted by the PMO.
  • FedRAMP Moderate is the most common level of certification required.
  • Agencies purchased more FedRAMP’ed capabilities than non-certified capabilities in FY 2023.
  • The demand for FedRAMP certification appears to be strict at DHS, Commerce, and State.