The IaaS Medallion Program

Well, our FedRAMP opportunities just keeps getting better, but before we can take all of this to market, the Williams Mullen’s legal vetting of our offering will be essential to us creating a product that will be in sync with the FAR’s requirements and, ultimately, marketable.  We plan on providing Williams Mullen with the full offering on February 1st, and the anticipated completion of the legal vetting is February 15th [at which time we will be good to go].

Note:  The Federal Acquisition Regulations System is established for the codification and publication of uniform policies and procedures for acquisition by all executive agencies.  The Federal Acquisition Regulation (FAR) is the principal set of rules in the Federal Acquisition Regulation System.  This system consists of sets of regulations issued by agencies of the Federal Government to govern what is called the acquisition process.  This is the process through which the government purchases [acquires] goods and services.  The single most heavily regulated aspect of acquisition is contract pricing.  The FAR System regulates the activities of government personnel in carrying out that process.  It does not regulate the purchasing activities of private sector firms, except to the extent that parts of it are incorporated into government solicitations and contracts by reference.

Here is a quick update of our remarkable FedRAMP opportunities as of this time:

1.  Powered by ARC-P™ is a combination of our ARC-P IaaS and our secure data center.  This is the big dog as far as I see it, but, believe me, I wouldn’t mind being left with any of the several other opportunities I am going to profile in this memo.  While this has been, up to recently, depicted and invested in as a service provider resource for Autonomic Resources, I believe that it is much more valuable as a simple stand-alone product.  I see our FedRAMP IaaS ATO as very similar to NYC’s taxi cab medallion program.


Note:  Medallion taxi cabs in NYC are named for the official medallion issued by the TLC and attached to a taxi’s hood.  The medallion may be purchased from the City at infrequent auctions, or from another medallion owner. Because of their high prices [often over $700,000] medallions [and most cabs] are owned by investment companies and are leased to drivers.  An auction was held in 2006 where 308 new medallions were sold. In October 2011, due to the longtime trend in the medallions’ supply and demand, auction prices first topped $1 million.

It is important to recognize that our FedRAMP ATO simply means that we can host the IaaS platform with our secure and authorized data center, but it does not mean that the attached SaaS will be authorized.  The software, in conjunction with our IaaS, must pass the FedRAMP scrutiny regardless of our IaaS ATO.  This is true for all applications regardless of the IaaS ATO it is built on.

Once again, the NYC taxi cab medallion analogy helps to illuminate this aspect of our offering.  While the medallion gives the holder the authority to operate a cab in NYC, it does not mean that it can be placed on any old car and have it be compliant as a cab based on the TLC’s criteria for cabs.  The cab itself must past through the eye of the needle as well.  I definitely see this as both a competitive advantage, and, as we will discuss later, another revenue resource.

Nevertheless, the mere fact that we are the only one who has so far received the FedRAMP’s ATO articulates, punctuates, and substantiates the difficulty in securing this vital link in the chain to our potential customers.  While they may not completely understand it, there’s no denying that everyone else has failed – and it isn’t like they haven’t been trying.  As an aside, I would certainly like to build the list of the 80 or so tech companies that have tried and failed to be one of the 12 awardees.

So, what is the Gold Medallion IaaS ATO?  Well, it is nothing more than an authorized access point.  An access point that the Federal Government is urging us to provide an indiscriminate number of.

The Bronze IaaS Medallion. Cost: $250k. The Bronze level of access provides the medallion holder with the opportunity to test the worthiness of our IaaS open source platform. In the event they feel that this IaaS solution will work for them, they can upgrade to the full resource level medallions, the first of which is the Silver level.

The Silver IaaS Medallion. Cost: $500k. The Silver level of access provides the medallion holder with the opportunity to use our IaaS ATO for a specific software application. While the use of this application is limitless, it is specific to only that application.

The Gold IaaS Medallion. Cost: $1M. The Gold level of access provides the medallion holder with the opportunity to use our IaaS ATO for any suitable software application in any industry. The use of this ATO is limitless unless restricted by a previous Platinum level restriction.

The Platinum IaaS Medallion. Cost: $2-10M. The Platinum level of access provides the medallion holder with the opportunity to use our IaaS ATO for any suitable software application in a specific industry or resource category. The use of this Platinum level ATO is not only limitless in this specific industry or resource category, but it is also exclusive. This means that a Platinum level user would secure the only ATO from us in that specific industry going forward. We would not issue a medallion of any kind to anyone else for use in that market space. Of course, any previous Gold level medallion holder would not be affected by this exclusive arrangement.

2.  c1 Secure 3PAO.  Third Party Assessment Organizations [3PAO] perform initial and periodic assessment of Cloud Service Provider [CSP] systems per FedRAMP requirements, provide evidence of compliance, and play an on-going role in ensuring CSPs meet requirements.  Once engaged with a CSP, 3PAOs develop Security Assessment Plans, perform testing of cloud security controls, and develop Security Assessment Reports.  FedRAMP provisional authorizations must include an assessment by an accredited 3PAO to ensure a consistent assessment process.

To become a FedRAMP Independent Third Party Assessment Organization [3PAO], organizations must undergo a rigorous conformity assessment process before being accredited by FedRAMP.  This conformity assessment process qualifies 3PAOs according to the following requirements:

  • Independence and quality management in accordance with ISO/IEC 17020: 1998 standards.
  • Information assurance competence that includes experience with FISMA and testing security controls.
  • Competence in the security assessment of cloud-based information systems.

We have met all of the GSA and FISMA standards as a accredited 3PAO.  c1 Secure actually did the 3PAO work for our original ATO granted by the GSA, however, since they required a greater degree of separation, we recently used Veris Group as our FedRAMP accredited 3PAO.  We are now working on our own FedRAMP 3PAO accreditation.

The Federal Information Security Management Act (FISMA) is United States legislation that defines a comprehensive framework to protect government information, operations, and assets against natural or man-made threats. FISMA was established to promote the development of key security standards and guidelines to support the implementation of and compliance with the Federal Information Security Management Act including:

  • Standards for categorizing information and information systems by mission impact.
  • Standards for minimum security requirements for information and information systems.
  • Guidance for selecting appropriate security controls for information systems.
  • Guidance for assessing security controls in information systems and determining security control effectiveness.
  • Guidance for the security authorization of information systems.
  • Guidance for monitoring the security controls and the security authorization of information systems.

As you can see, there are several Federal agencies that have their fingers in the soup when it comes to securing an authority to operate. As we navigate through the process, we are becoming accredited and certified in each aspect of the creation, security, governance, monitoring, and fulfillment agenda of the Federal government – and each presents a new business opportunity for Autonomic Resources, Consilium, and several of our teaming partners. Our ability to become a FedRAMP accredited 3PAO is an opportunity to create a new business that will be available for all Federal Cloud Service Providers [CSP].

3.  c1 Secure Process Navigation for FedRAMP ATO.  Along with the opportunity to be the FedRAMP accredited 3PAO, we also have the opportunity to be the consultant to prospective Cloud Service Providers who want to participate in the Federal space.  Consilium has successfully navigated Autonomic Resources through the accreditation process, and, to date, we are the only consultant to successfully navigate the Federal rapids.


Sir Edmund Hillary was a New Zealand mountaineer.  On May 29, 1953 aged 33, he and Sherpa mountaineer Tenzing Norgay became the first climbers to reach the summit of Mount Everest.  Think of this Consilium offering as the sherpas of Mount FedRAMP.  Without us, you simply won’t get to the top of the mountain.

4.  The FedRAMP CMaaS ATO.  Once you have the FedRAMP IaaS ATO, you then have to get your application software to work with the IaaS platform, and then you must secure the FedRAMP ATO for the actual SaaS.  Now, you would think you are all done, but you are not.  You will still need the FedRAMP ATO for your constant monitoring component [CMaaS].  And guess who is getting that ATO?  That’s right – Autonomic Resources.

5.  Consilium System Integration and Replatforming for FedRamp Compliance.  But let’s not get ahead of ourselves, you still have to make your application software work with our IaaS, and who can help you re-platform your software application to make it work with ARC-P?  Right again, Consilium can.

6.  Consilium Identity Management.  Another opportunity that comes our way via the GSA’s requirements is Identity Management.  The GSA helps government meet the variety of policy requirements and addresses the need for comprehensive Identity, Credential, and Access Management [ICAM] products, services, and consulting.  As the lead agency for providing ICAM solutions, the GSA strives to eliminate cost redundancies by offering inter-operable and compliant products and services.  Consilium Identity Management will offer Cloud Service Providers [CSP] the appropriate and accredited products, services, and consultation for ICAM compliance.

7.  Consilium ongoing support.  And, last but not least, once you have your software working and the whole bundle from application software to data center processing is working and accredited with the several ATO’s necessary for compliance, who is going to be able to provide the ongoing support [along with the CMaaS]?  That’s right again, Consilium.

2 thoughts on “The IaaS Medallion Program

  1. This report – as well as the others below – are so helpful in starting to understand the enormous opportunities ahead. Your comparison with Medallion taxi cabs in NYC made it easy to follow.

  2. Tony,

    Thank you for putting this program together for all of us. I encourage everyone to really read this and enjoy the possibilities. We can always put together any questions we have for Tony and Joe to clarify.


Leave a Reply to Ron Cancel reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s