Last Updated on January 8, 2024
Achieving a Federal Risk and Authorization Management Program Authority to Operate (FedRAMP ATO) is a critical goal for many cloud service providers (CSPs) looking to do business with the US government. But it’s a formidable, sustained effort even for market leaders. SMBs short on federal cyber compliance experience can benefit from lessons learned to avoid missteps.
Mike Craig, CEO at Vanaheim Security, talks about how he helps commercial companies navigate the “intricacies and nuances” of attaining a FedRAMP authorization.
Join us as we discuss:
- Considerations for deciding if a FedRAMP ATO is worth what it will take your business to get there
- 3 critical stages in the FedRAMP journey and how to get through each one
- The big reason to choose the JAB authorization route over the agency sponsorship route versus
What is FedRAMP?
Jointly formed in 2017 by the General Services Administration (GSA), Department of Defense (DoD), and Department of Homeland Security (DHS), the FedRAMP program manages the authorization of cloud services across the US federal government. This reduces risk and friction for all stakeholders versus authorizing cloud solutions via agencies’ individual programs.
The main governance and decision-making body for FedRAMP is called the Joint Authorization Board (JAB). Third-Party Assessment Organizations (3PAOs) audit candidate solutions against FedRAMP requirements.
“Find that 3PAO because they can help answer some of the more ambiguous questions,” Mike suggests.
By gaining important insights early in the process, orgs can sidestep common assessment preparation problems.
“Find that 3PAO because they can help answer some of the more ambiguous questions.”—Mike Craig
Is pursuing a FedRAMP ATO worth the effort?
The journey to a FedRAMP ATO should proceed from a solid business case that takes all salient factors into account. Deciding which FedRAMP authorization level to aim for can be a challenge in itself.
The next question is whether you already have a relationship with a sponsor agency.
“First, you need to have a sponsor agency, which means you must be selling directly to the US government already before you get this authorization,” says Mike. “And that agency must be willing to sponsor you into the collective whole.”
Then you need to balance a host of factors impacting time, effort, and cost against the benefits of selling to multiple federal agencies. It’s important to explore all possible options, including what agencies you may be able to work with in the future.
“First, you need to have a sponsor agency, which means you must be selling directly to the US government already before you get this authorization.”— Mike Craig
FedRAMP requirements can change your solution architecture
A significant factor in gauging the “lift” required to attain a FedRAMP ATO is what changes the FedRAMP requirements will drive in your commercial cloud service offering. Special requirements from your sponsor agency can add further modifications. You may also need to make staffing/HR changes to comply with government rules, such as “US persons only” at data centers, help desks, etc.
What will it take to “federalize” your solution? And will you end up with two versions of your solution? Or can you build a unified offering that meets both private- and public-sector demands?
“With that enterprise architecture approach of your people/process/technology, all the way through to operating your SaaS for federal clients, we look at what would actually need to change and how would you get there?” clarifies Mike. “We can start you down that path while you’re concurrently working your sponsor engagement strategy.”
“With that enterprise architecture approach of your people/process/technology, all the way through to operating your SaaS for federal clients, we look at what would actually need to change and how would you get there?”—Mike Craig
Preparing for a third-party assessment
Before you’re awarded a FedRAMP ATO, an authorized third-party assessment organization (3PAO) will meticulously audit your control environment against FedRAMP and agency requirements.
Prior to their final assessment, many CSPs will first need to pass a Readiness Assessment to from their 3PAO to “… document a Cloud Service Offering’s (CSO) management, technical, and operational capabilities and attest a CSO’s readiness for the FedRAMP authorization process.”
Another big hurdle is your FedRAMP System Security Plan (SSP), a foundational element of your policies and documentation that averages 500-600 pages. The better your planning and the more robust your current security posture, the easier it will be to develop your documentation.
“If you already have your processes and architecture built to the controls, and you know exactly what you’re doing, then the documentation goes much faster,” offers Mike. “There’s not a lot of changes and back-and-forth, which speeds up the process tremendously.”
“If you already have your processes and architecture built to the controls, and you know exactly what you’re doing, then the documentation goes much faster.”—Mike Craig
Is the “JAB route” right for your business?
There are two paths to FedRAMP authorization: working with a sponsor agency or submitting your application to the Joint Authorization Board (JAB).
The JAB is FedRAMP’s governing body, and consists of the CIOs from the three agencies that jointly created FedRAMP: the General Services Administration (GSA), the US Department of Defense (DoD), and the Department of Homeland Security (DHS).
Going the “sponsor agency route” is far more common and is comparatively much faster and simpler than the JAB approach.
“The JAB takes only a very select number of candidates from a pool of applicants in a given year,” explains Mike. “It’s much longer, it’s much harder. The controls are more exacting and they have a much stricter stance than most agencies.”
But the big downside of having a sponsoring agency is, if you lose that agency as a client, you will lose that FedRAMP ATO. Your offering must have at least one ATO to retain its authorization, because at least one agency needs to have oversight on your continuous monitoring program.
“The JAB takes only a very select number of candidates from a pool of applicants in a given year. It’s much longer, it’s much harder.—Mike Craig
Tips and lessons learned
To keep CSPs on the fast path to a FedRAMP ATO, Mike offers 3 tips:
- Top-down organizational alignment and executive commitment are essential from the beginning of a FedRAMP journey. Mike notes that often senior management issues a “we need a FedRAMP ATO” edict without adequate involvement. The result can be a process that moves in fits and starts, and which strains connections with the sponsor agency.
- If, like most CSPs, your cloud service leverages other third-party cloud native services, make sure these are all FedRAMP authorized and replace any that aren’t.
- Make sure your third-party encryption modules are FIPS Validated per the Federal Information Processing standard (FIPS) Publication 140-3. To meet FedRAMP requirements, a cloud offering must perform all its encryption operations in a FIPS 140-3 validated manner, and this must be carefully documented in your submission package.
FedRAMP time and cost factors
However you get there, the path to a FedRAMP ATO demands significant time and resources. A typical journey lasts about two years and costs between $500,000 and $1.5 million.
Major factors impacting your company’s unique FedRAMP roadmap include:
- The extent to which you need to rearchitect/”federalize” your commercial cloud offering
- Whether your sponsoring agency requires a Readiness Assessment Report (RAR) before your full-on authorization assessment
- Your company’s size and diversity, which affects timelines, communication, and other “people” and “process” factors in addition to governance and HR issues
“I set an expectation of somewhere between $500,000 and $1.5 million for your capital outlay for the whole process,” Mike states. “That includes both a readiness assessment and your full assessment.”
“I set an expectation of somewhere between %500,000 and $1.5 million for your capital outlay for the whole process.”—Mike Craig