FedRAMP 3PAO Acquisition Raises Concerns for Small Businesses

(Illustration: MeriTalk)

Editor’s Note: This story has been updated to include Coalfire’s statement.

The merger of the two leading FedRAMP third-party assessment organizations (3PAO) is raising significant concerns about the ability of small and midsized businesses to compete for Federal cloud contracts.

Coalfire, the No. 2 FedRAMP 3PAO, announced last month it has acquired Veris Group, the leading provider of the mandatory security assessments for cloud service providers that want to sell their products and services to Federal agencies. The acquisition gives Coalfire nearly five times the number of FedRAMP authorizations than its nearest competitor.

“We are looking at a consolidation of the market with almost an oligopoly,” a CEO of a cloud security firm told MeriTalk on the condition of anonymity. The CEO explained that, in combining two of the biggest market players, Coalfire and Veris Group would have the capability to significantly lower or significantly raise their prices in ways that their small and midsized 3PAO competitors would not be able to compete with.

These price changes could also affect cloud providers looking to get FedRAMP authorization through 3PAOs, making it difficult for these providers with fewer resources to pay for an assessment.

“The concern is that further consolidation might increase the costs of these audits, making FedRAMP authorization for small and midsized cloud companies more expensive,” an industry analyst told MeriTalk on condition of anonymity.

According to the Coalfire press release on the acquisition, Coalfire and Veris Group now account for “the largest provider of advisory and assessment services to the cloud service provider (CSP) market” and are “the leading FedRAMP third-party assessment organization (3PAO), whose services are required by CSPs who want to do business with the U.S. Federal Government.”

According to data on the FedRAMP website, before the acquisition Veris Group and Coalfire already led the industry with twice as many authorizations as the next nearest competitor. The merger of the two companies increases that lead significantly.

fedramp-3pao1

fedramp-3pao2

The company with the third most authorizations has a total of 14, with most of the other companies listed accounting for authorizations in the single digits. According to the cloud security CEO, this listing of already completed authorizations disproportionately drives business to the 3PAOs with already high numbers, making it increasingly difficult for the small 3PAOs to compete.

“In essence, you are undercut by the number of assessed listed on the right-hand side,” the CEO said, adding that the $20,000 to $30,000 price tag for staying in the 3PAO market becomes increasingly difficult to meet when business is harder to capture.

“Coalfire is a leader in the FedRAMP 3PAO marketplace because of our recognized competent practices and quality of assessments. We welcome competition from the other 44+ assessors and we would recommend to companies seeking FedRAMP accreditation that they shop around to ensure a successful assessor relationship,” Coalfire told MeriTalk in an email. “The primary goal is to move organizations beyond compliance and to be secure. This philosophy is intrinsic to our brand and company, which contributes to the growth of our company.”

Industry observers also worry that the combined power of Veris Group and Coalfire would enable the companies to drastically increase the pay offered to licensed 3PAO assessors, draining the market of available talent for those that cannot afford such high salaries.

“If there’s one large provider, what are the implications of trying to hire somebody?” the CEO said, adding that FedRAMP requires 3PAOs to report the number, names, resumes, and training evidence of all FedRAMP assessors.

“They are forcing us to prove our experience when our resources are dwindling,” the CEO said, questioning whether this process favors certain businesses while increasing the barrier to entry for others. “How are they going to prove to the other small businesses and medium businesses that they do not have a conflict of interest?”

According to an analyst with detailed knowledge of the FedRAMP process, the FedRAMP program management office has no antitrust authority to weigh in on the proposed merger. “However, it can make life difficult for the new combined firm in a host of ways,” the analyst said.

Recent