FedRAMP Consulting

Why did the federal government develop FedRAMP instead of using an existing and well-vetted security standard or framework, such as ISO 27001, SOC 2 or Cloud Control Matrix (CCM)?

FedRAMP really isn’t new. This formal “certification” process employs the NIST/FISMA information security framework (especially NIST 800-37 and NIST 800-53) that the U.S. government has been using since 2002. FedRAMP added the concept of independent, objective third-party validation of a provider’s security posture.

NIST/FISMA guidance differs from other frameworks in that the risk assessment process yields one of three discrete risk levels — Low, Moderate, and High — each of which mandates the implementation of specific controls. Because other frameworks do not specify these restrictions, FedRAMP was a necessity.

The main reason to consider FedRAMP certification is the significant business opportunity that it represents. The OMB policy driving FedRAMP is a “Cloud First” policy, which requires agencies to use cloud alternatives when available. OMB is tracking compliance with the agencies as part of a multi-year, multi-billion dollar cost-cutting effort.

If you provide Cloud Services and want to sell these solutions to the U.S. federal government, you must become FedRAMP Authorized to Operate.

Virtually any company offering a data processing service to a federal government agency could arguably be a CSP, specifically those handling U.S. government agency information in a non-agency controlled environment. This includes “conventional” deployment models such as:

• Infrastructure-as-a-Service (IaaS)
• Platform-as-a-Service (PaaS)
• Hardware-as-a-Service (HaaS)
• Hybrid cloud service provider scenarios

From the government’s perspective, FedRAMP has the following objectives:

• Drive billions of dollars in cost reductions by moving existing and new services to the cloud
• Increase confidence in the security of cloud solutions
• Achieve consistent security authorizations using independent 3PAOs
• Increase automation and near real-time data for continuous monitoring

As a cloud service provider, your goals for FedRAMP certification may include:

• Increased revenues based on being a preapproved vendor of cloud services to federal agencies that are mandated to move these services to the cloud by the OMB
• A strong security posture proportional to the risk associated with the data by effectively implementing the NIST/FISMA guidance specific to the data being processed.

From a government agency’s perspective, FedRAMP saves significant time, costs and resources in evaluating the security of cloud provider­s.

From a cloud service provider’s perspective, FedRAMP’s major benefit is that it makes you a “preapproved” vendor, simplifying the procurement process. This means you only need to report your security to one entity rather than every client, saving you time and money.

FedRAMP is definitely not for the faint of heart. It can be a significant undertaking — yet the payoff can be easily justified. Typical challenges your organization may face include:

• Expertise: The NIST/FISMA framework is a well-constructed and robust system, though it can seem perplexing at first due to the hierarchical and interdependent nature of its many standards. With decades of experience, our team is uniquely equipped to navigate this complexity and guide organizations through the maze of compliance requirements.
• Time: FedRAMP applications typically encompass 600 to 1,000 pages of security-related documentation, including the System Security Plan, Incident Response Plan, IT Contingency Plan and Configuration Management Plan, among others. The time to produce this documentation, including research and driving internal consensus, is quite significant. Doing this while still holding down your “day job” is nearly impossible unless you partner with a trusted FedRAMP consulting firm.
• Funding: Even if you have resources on staff with the expertise and time to prepare your FedRAMP submission, you will need to engage a 3PAO to develop and execute the test plan that the JAB (or agency) will review for conformance. It’s not unusual for the cost of this testing to be significant. There are also notable ongoing costs for continuous monitoring/testing to maintain FedRAMP ATO. With CBIZ Pivot Point Security, you can be sure your money is well spent, as we only get paid if we meet your FedRAMP compliance goals.
• Even more time: A further time challenge is that the FedRAMP process is a series of document submissions, reviews, comments, resubmissions and interim approvals. Even with a consultant doing the bulk of the preparation, finding time to perform the necessary due diligence on all deliverables to ensure they align with your culture and capacity to execute is critical. It’s not unusual for the entire process to take up to a year, a situation currently exacerbated by a backlog of applications at JAB. Our team provides a reliable yet flexible timetable based on your needs, so you always know where you are in the process and what’s coming next.

The preparatory process for FedRAMP authorization is an investment that could dramatically increase your revenue once you become a preapproved CSP to federal agencies. While price varies, here are some factors that could impact the cost of your FedRAMP authorization process:

• Scope: How many and how complex are the cloud services your company provides?
• Approach: Agency or JAB? A JAB authorization is generally more challenging to get through.
• Risk: Does the data you are processing require Low-, Moderate- or High-security categorization for your FedRAMP authorization?
• Current Information Security Maturity: How big is the “gap” between how you currently operate with the level of documentation you have to support and where you need to be to close that gap?
• Resources: Do you have resources on staff with the time and expertise to take you through the authorization process? Or will you need to hire a consulting firm, like CBIZ Pivot Point Security, to assist you?

Even with expert support, achieving a FedRAMP ATO is recognized as one of the most demanding compliance endeavors.

Achieving ATO means that your organization has developed and is operating an information security management system (ISMS) that has been independently tested and validated by a third party to conform to NIST/FISMA guidance in accordance with the risk level of the information you will be processing on behalf of a federal agency.

The top-level steps involved in becoming FedRAMP-compliant are:

1. Review the FedRAMP program basics.
2. To get a sense of the scope of your effort, download and review the FedRAMP templates (called System Security Plans). These templates are the foundation for authorization. The primary template within the SSP is 400 pages in length.
3. Determine the risk classification for the data that you will be processing using the FIPS 199 categorization template.
4. Document your information security controls per the FedRAMP templates in a manner that will demonstrate to JAB or an agency that the design of your controls is consistent with the requirements specified. This documentation is likely to exceed 750 pages.
5. Engage a registered 3PAO to verify that your controls are in compliance with the ISMS you have documented, such that your FedRAMP scoped systems are secure.