FedRAMP Consulting
Pre-Engagement Support
Is a Federal Risk and Authorization Management Program (FedRAMP) Authorization to Operate (ATO) the right move for your business? Subject matter experts at Pivot Point Security can help you determine whether you should pursue authorization, and which approach to take (an Agency ATO versus a Joint Authorization Board (JAB) Provisional ATO).
Pivot Point can also help you understand the impact of FIPS 199 security categorization (Low, Moderate or High) on your work effort, costs and operations. Another important point of discussion would be your options for integrating/leveraging FedRAMP efforts with other information security (ISO 27001, HITRUST) or regulatory compliance (PCI, HIPAA) frameworks.
As part of its consulting services, Pivot Point Security will help FedRAMP ATO candidates to:
✔ Determine the proper FIPS 199 Security Categorization (NIST SP 800-60 impact level determination), which drives scope determination
✔ Determine optimum FedRAMP scope to balance client needs and project resource requirements (personnel, third-party support, expenditures, and time)
✔ Formally initiate the FedRAMP Authorization Process with Agency or GSA personnel
✔ Select a Third Party Assessor Organization (3PAO) to conduct the required testing
✔ Develop all required documentation—most notably the System Security Plan (SSP)
✔ Act as a liaison for the ongoing and iterative communications between the Cloud Service Provider, 3PAO, and GSA/Agency
✔ Coordinate 3PAO testing
✔ Update any documentation and/or develop a Plan of Action and Milestones as required for GSA/Agency/3PAO testing
✔ Prepare the final paperwork submission for ATO
Why partner with Pivot Point Security?
Success: Our consultative process and roadmap have been vetted across dozens of FedRAMP and ISO 27001 projects, resulting in a 100% success rate for PPS clients.
Expertise: The Pivot Point team is exceptionally knowledgeable about NIST/FISMA, with considerable experience on both the 3PAO and consultative sides of the process.
Continuity: Pivot Point Security’s pure information assurance focus, deep expertise, and complementary services (e.g., ISO 27001 certification, SOC 2 attestation, and application and network penetration testing) give you the option of a simpler, single-vendor approach across all of your assurance, attestation and/or security initiatives.
Certainty: Pivot Point Security will make your satisfaction a certainty via our services guarantee, make your costs a certainty via our fixed price agreement, and make your success a certainty via our Authorization guarantee.
What is FedRAMP?
The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. government program that establishes a standardized approach for assessing and authorizing the security of cloud services. A cloud service offering that meets the FedRAMP requirements receives an Authorization to Operate (ATO), which in practice makes its provider a “pre-approved” vendor for federal agencies wishing to purchase that service. Other agencies can reuse the existing authorization package rather than repeating the security assessment, although each agency still issues its own ATO for its use of the service.
The driver behind FedRAMP was the OMB’s December 2011 FedRAMP policy memo, which built on the earlier “Cloud First” policy requiring agencies to adopt cloud services where a secure, cost-effective option exists, with the goal of billions of dollars in cost reductions.
Why did the US Government develop FedRAMP instead of using an existing and well-vetted security standard or framework, such as ISO 27001, SOC 2, or Cloud Control Matrix (CCM)?
FedRAMP really isn’t new—it’s essentially a formal “certification” process built on the NIST/FISMA information security framework (especially NIST SP 800-37 and NIST SP 800-53) that the U.S. government has been using since 2002. FedRAMP added the concept of independent, objective third-party validation of a provider’s security posture (the equivalent of the registrar in ISO 27001 or the CPA in SOC 2).
NIST/FISMA guidance differs from other frameworks in that the FIPS 199 security categorization yields one of three discrete impact levels (Low, Moderate, and High), each of which mandates a specific baseline of NIST SP 800-53 controls. Because other frameworks do not prescribe controls by impact level in this way, a program built on the NIST/FISMA approach was needed.
How do I know if I am a Cloud Service Provider (CSP) and need FedRAMP to sell to the U.S. government?
Essentially, any company providing a service that processes U.S. government agency information in an environment the agency does not control is a CSP. The “conventional” service models, Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS), are specifically cited by supporting FedRAMP information sources such as cloud.cio.gov. Hybrid cloud scenarios are also addressed by FedRAMP. Thus, virtually any company offering a data processing service to a federal agency could arguably be a CSP.
What are the goals of FedRAMP?
From the government’s perspective:
✔ Drive billions of dollars in cost reductions by moving existing and new services to the cloud
✔ Increase confidence in the security of cloud solutions
✔ Achieve consistent security authorizations using a baseline set of agreed standards and accredited, independent, third-party assessment organizations
✔ Increase automation and near real-time data for continuous monitoring
From the Cloud Service Providers perspective:
✔ Drive millions of dollars in revenues based on being a pre-approved vendor of cloud services to federal agencies that are mandated to move these services to the cloud by the OMB
✔ Achieve a security posture proportional to the risk associated with the data by effectively implementing the NIST/FISMA guidance specific to the data being processed
What are the challenges of pursuing FedRAMP Authorization to Operate?
FedRAMP is definitely not for the faint of heart. It can be a significant undertaking, but for many organizations the payoff can be easily justified. Typical challenges include:
Expertise: The NIST/FISMA framework is well constructed and robust. It can also border on perplexing at first, due to the hierarchical and interdependent nature of the dozens of standards and special publications that comprise it.
Time: FedRAMP applications typically encompass 600 to 1,000 pages of security-related documentation (e.g., System Security Plan, Incident Response Plan, IT Contingency Plan, Configuration Management Plan, etc.). The time to produce this documentation (including research and driving internal consensus) is quite significant. Doing this while still holding down your “day job” is nearly impossible.
Funding: Even if you have resources on staff with the expertise and time to prepare your FedRAMP submission, you will need to engage a Third Party Assessor Organization (3PAO) to develop and execute the test plan that the GSA (or Agency) will review for conformance. It’s not unusual for this testing to cost in excess of $150,000. There are also notable ongoing costs for ongoing monitoring/testing to maintain the Authorization To Operate.
More time: Even with a consultant doing the bulk of the preparation, finding the time to perform the necessary due diligence and “blessing” of all deliverables, to ensure that they align with your culture and your capacity to execute, is critical. A further time challenge is that the FedRAMP process is a series of document submissions, reviews, comments, resubmissions, and interim approvals. It’s not unusual for it to take a year for a company to get through the entire process. This situation is currently exacerbated by a backlog of applications at GSA.
Why FedRAMP
The main reason to consider FedRAMP authorization is the significant business opportunity that it represents. The OMB policy driving FedRAMP is a “Cloud First” policy, which requires agencies to use cloud alternatives when available. OMB is tracking agency compliance as part of a multi-year, multi-billion dollar cost-cutting effort.
If you provide Cloud Services and you want to sell these cloud services to the U.S. federal government, you will need to become FedRAMP Authorized to Operate.
What are the Benefits of FedRAMP?
From the government’s perspective, the major benefit of FedRAMP is that it allows federal agencies to save significant time, cost and resources in evaluating the security of cloud providers.
From a Cloud Service Provider’s perspective, the major benefit of FedRAMP is that it makes you a “pre-approved” vendor, which simplifies the procurement process. You also only need to report on your security to one entity rather than to every client, saving you time and money.
FedRAMP Cost
How much does it cost to become FedRAMP Authorized?
FedRAMP Cost Factors
✔ Scope: How many and how complex are the cloud services your company provides?
✔ Approach: Agency or JAB? A JAB Authorization is generally more challenging to get through.
✔ Risk: Does the data you are processing require Low, Moderate, or High security categorization for your FedRAMP authorization?
✔ Current Information Security Maturity: How big is the “gap” between how you currently operate (and the documentation you have to support that) and where you need to be, and what will it take to close it?
✔ Resources: Do you have resources on staff with the time and expertise to take you through the Authorization Process? Or will you need to hire a consulting firm to do that?
FedRAMP Cost Considerations
Because most of the early companies pursuing FedRAMP tend to be larger companies, these numbers are likely skewed a bit in that direction. However, the cost to implement a FedRAMP environment will not differ notably between a 50-person and a 5,000-person CSP, as the process, controls, and required documentation are the same.
Preparation Cost: How much does it cost to get ready to be “certified” by the 3PAO?
Consultant Costs (if needed):
✔ 80% likelihood to be $60K +/- $25K for Low Security Categorization
✔ 80% likelihood to be $90K +/- $25K for Moderate Security Categorization
✔ TBD for High Security Categorization (too early to estimate)
Capital Expenditures (if needed):
✔ 80% likelihood to be < $40K for Low Security Categorization
✔ 80% likelihood to be < $60K for Moderate Security Categorization
✔ TBD for High Security Categorization (too early to estimate)
Certification Cost: How much does it cost to have the 3PAO perform the required testing?
✔ 80% of Low Security Categorizations would fall into a $TBD range (it’s uncommon to pursue Low, so we have not yet seen enough 3PAO pricing to estimate)
✔ 80% of Moderate Agency Security Categorizations would fall into a $130K +/- $30K range
✔ 80% of Moderate JAB Security Categorizations would fall into a $200K +/- $50K range
Ongoing Operation & Continuous Monitoring Program Compliance: How much does it cost to maintain your Authorization?
✔ TBD (requirements are still evolving at this time)
FedRAMP FAQ
What Will It Take to Become FedRAMP-Compliant?
Even with expert support, achieving a FedRAMP Authorization to Operate (ATO) is not a “checkbox exercise” that Cloud Service Providers can accomplish quickly and easily—it is among the most rigorous of compliance efforts.
Achieving ATO means that your organization has developed and is operating an information security management system (ISMS) that has been independently tested and validated by a third-party to conform to NIST/FISMA guidance in accordance with the risk level of the information you will be processing on behalf of a federal agency.
The top-level steps involved in becoming FedRAMP-compliant are:
Review CIO.gov’s Guide to Understanding FedRAMP.
To get a sense of the scope of your effort, download and review the FedRAMP templates, most notably the System Security Plan (SSP) template. These templates are the foundation for authorization. The SSP template alone is roughly 400 pages in length.
Determine the security categorization for the data that you will be processing, using the FIPS 199 categorization template.
Document your information security controls per the FedRAMP templates in a manner that will demonstrate to the GSA that the design of your controls is consistent with the requirements specified. This documentation is likely to exceed 750 pages.
Engage an accredited third-party assessment organization (3PAO) to independently test that your controls are implemented and operating as documented in your SSP, so that your FedRAMP-scoped systems can be shown to be secure.
For additional information:
View a list of FedRAMP authorized CSPs