FedRAMP 3PAO Acquisition Raises Concerns for Small Businesses


Editor’s Note: This story has been updated to include Coalfire’s statement.

The merger of the two leading FedRAMP third-party assessment organizations (3PAO) is raising significant concerns about the ability of small and midsized businesses to compete for Federal cloud contracts.

Coalfire, the No. 2 FedRAMP 3PAO, announced last month it has acquired Veris Group, the leading provider of the mandatory security assessments for cloud service providers that want to sell their products and services to Federal agencies. The acquisition gives Coalfire nearly five times as many FedRAMP authorizations as its nearest competitor.

“We are looking at a consolidation of the market with almost an oligopoly,” a CEO of a cloud security firm told MeriTalk on the condition of anonymity. The CEO explained that, in combining two of the biggest market players, Coalfire and Veris Group would have the capability to significantly lower or significantly raise their prices in ways that their small and midsized 3PAO competitors would not be able to compete with.

These price changes could also affect cloud providers seeking FedRAMP authorization through 3PAOs, making it difficult for providers with fewer resources to pay for an assessment.

“The concern is that further consolidation might increase the costs of these audits, making FedRAMP authorization for small and midsized cloud companies more expensive,” an industry analyst told MeriTalk on condition of anonymity.

According to the Coalfire press release on the acquisition, Coalfire and Veris Group together now make up “the largest provider of advisory and assessment services to the cloud service provider (CSP) market” and are “the leading FedRAMP third-party assessment organization (3PAO), whose services are required by CSPs who want to do business with the U.S. Federal Government.”

According to data on the FedRAMP website, before the acquisition Veris Group and Coalfire already led the industry with twice as many authorizations as the next nearest competitor. The merger of the two companies increases that lead significantly.



The company with the third most authorizations has a total of 14, with most of the other companies listed accounting for authorizations in the single digits. According to the cloud security CEO, this listing of already completed authorizations disproportionately drives business to the 3PAOs with already high numbers, making it increasingly difficult for the small 3PAOs to compete.

“In essence, you are undercut by the number of assessed listed on the right-hand side,” the CEO said, adding that the $20,000 to $30,000 price tag for staying in the 3PAO market becomes increasingly difficult to meet when business is harder to capture.

“Coalfire is a leader in the FedRAMP 3PAO marketplace because of our recognized competent practices and quality of assessments. We welcome competition from the other 44+ assessors and we would recommend to companies seeking FedRAMP accreditation that they shop around to ensure a successful assessor relationship,” Coalfire told MeriTalk in an email. “The primary goal is to move organizations beyond compliance and to be secure. This philosophy is intrinsic to our brand and company, which contributes to the growth of our company.”

Industry observers also worry that the combined power of Veris Group and Coalfire would enable the companies to drastically increase the pay offered to licensed 3PAO assessors, draining the market of available talent for those that cannot afford such high salaries.

“If there’s one large provider, what are the implications of trying to hire somebody?” the CEO said, adding that FedRAMP requires 3PAOs to report the number, names, resumes, and training evidence of all FedRAMP assessors.

“They are forcing us to prove our experience when our resources are dwindling,” the CEO said, questioning whether this process favors certain businesses while increasing the barrier to entry for others. “How are they going to prove to the other small businesses and medium businesses that they do not have a conflict of interest?”

According to an analyst with detailed knowledge of the FedRAMP process, the FedRAMP program management office has no antitrust authority to weigh in on the proposed merger. “However, it can make life difficult for the new combined firm in a host of ways,” the analyst said.

  1. Anonymous
    The anon-CEO is absolutely correct, and my company has experienced this (in fact, repeatedly) as well, but in a different information technology subject matter. The last paragraph of this story pretty much says it all... A PMO with no antitrust authority or *accountability, yet can "make life difficult for a firm" sounds like a racketeering biography. DOJ and IG investigations work is not done yet, not by a long shot.
  2. Anonymous
    ---> Industry observers also worry that the combined power of Veris Group and Coalfire would enable the companies to drastically increase the pay offered to licensed 3PAO assessors, draining the market of available talent for those that cannot afford such high salaries. <--- Typically when a merger occurs, salaries for employees don't go up, it's the opposite and layoffs occur. You have to pay for an acquisition somehow... There are several providers that have done very good work for major CSPs that will serve as alternatives. Where the PMO and A2LA will have their hands full will be around potential conflicts of interest between audit and advisory services which are prohibited to be performed by the same organization.
  3. Anonymous
    A couple of things the author and the anonymous CEO failed to state are: 1) Both of these businesses were, until fairly recently, small or mid-sized and trying to make their way as 3PAOs. They happened to do a much better job (in many ways) than anyone else and became true experts in their field. They became the largest, most successful 3PAOs, because they set the gold standard for FedRAMP professional services. As a result, their customers, the FedRAMP PMO, JAB and agencies recognize them for their efforts. 2) The wage discussion is completely off-base. If anything, all 3PAOs face the wage barrier challenge every time a cloud service provider (usually the 3PAO's customer) poaches a 3PAO assessor or advisory professional to become an in-house expert. It is not uncommon for CSPs to promote and increase wages of a very junior, yet qualified 3PAO assessor by more than 40% to gain a small edge over their nearest competitor. And they have the bankroll and counsel to fight the legal battle to retain the talent despite breaching service agreements with the 3PAOs they poach from.
