Achieving a FedRAMP Authority to Operate (ATO) can be lucrative—in part because the barrier to entry is so high. Little hard data is available, but anecdotal evidence suggests that 40% to 60% of FedRAMP initiatives end in failure or are cut short.
Why does a FedRAMP ATO elude so many organizations? It often comes down to misconceptions at the start, leading to poor planning and unpleasant surprises that could have been avoided.
This article covers four of the biggest reasons why so many firms “flunk FedRAMP” and explains the vital importance of beginning your FedRAMP journey with expert strategic guidance to position your effort for success.
Reason 1: Incomplete view of the time, effort, and cost involved
It’s hard to make a sound business decision about profitability and return on investment from a large-scale initiative like FedRAMP authorization if you have grossly underestimated the time, cost, and complexities involved.
Businesses may expend considerable capital and get partway, halfway or even further on the FedRAMP journey, only to learn that profitability is nowhere in sight. At that point, senior decision-makers and/or financial controllers often balk and pull the plug, especially if their relationship to the initiative had been minimal.
A realistic timeframe to gain a FedRAMP ATO for most cloud service offerings is three to five years of capital outlay before the first federal contract starts; only then does the offering move toward profitability and, eventually, a return on the FedRAMP investment.
This scenario creates a high bar that eliminates many potential competitors. But if it works for you, your offering may enjoy minimal competition for the immediate future.
Mike Craig, founding principal and CEO at Vanaheim Security, explains: “If you’re offering a unique service that the federal government doesn’t have and you make it all the way through [FedRAMP], you’re the only one who’s going to make it through for a while, right? Because it’s so hard. If you do punch through to the other side, there’s a lot of money to be made there. But you have to set the expectations up front.”
Reason 2: Lack of buy-in from senior leadership
It is common for boards and C-suite executives to view FedRAMP as akin to a SOC 2 audit in terms of scope, and/or to see it as primarily a technical problem for IT to solve. In fact, attaining a FedRAMP ATO is an order of magnitude larger and more complex an effort than acquiring a positive SOC 2 report.
FedRAMP takes top-down buy-in and participation from many parts of the business besides IT, such as HR, marketing, and finance. Putting your FedRAMP program in the hands of a mid-level manager with no C-suite backing and no cross-functional engagement dooms it to failure.
“I tell my clients this is much more aligned with the level of effort and brain juice and investment of a product launch,” Mike Craig states. “It’s a dedicated subset of your existing commercial product in the federal space for a unique market with its own unique requirements and preferences.”
Thinking of FedRAMP compliance like a product launch puts organizations ahead of the curve and increases the chances of success. It also increases the chances of recognizing early on that pursuing a FedRAMP ATO may not make strategic sense for your company right now.
FedRAMP is far more than a technical challenge and needs to involve senior leaders from the outset. It also takes almost every organization at least two years.
“You’ve got to be thinking about those obligations and your liabilities going into year two,” advises Mike Craig. “What’s that going to look like in your projections?”
Reason 3: Failure to anticipate third-party compliance impacts
While achieving a FedRAMP ATO is far more than a technical problem, it does have a major technical component. Among the key technical elements is your offering’s reliance on third-party services.
FedRAMP requires that any external product or service your offering uses that has any impact on cybersecurity whatsoever must itself be FedRAMP authorized at the same level your business is seeking. This can directly impact your solution architecture.
For example, if you are using a CRM tool like Zoho or HubSpot, you may need to switch to Salesforce to meet FedRAMP requirements. Do you have Salesforce expertise already, or do you need to hire people?
These architectural impacts have multiple components that need to be planned for upfront. The further along you go before recognizing third-party compliance impacts, the more time and money you tend to lose in addressing them.
Reason 4: Challenges finding the right sponsor agency
FedRAMP success usually requires a continuous pipeline of solid federal sales to justify the investment (a $500,000 to $1.5 million total capital outlay on average). If you don’t already have US government clients, you will need to identify an agency to sponsor your offering as a starting point.
But all agencies are not equally viable as sponsors for a given cloud service. Health-related agencies (e.g., DHHS) often have significantly different requirements from national security or intelligence agencies (e.g., FBI or DoD).
The sponsorship process should be approached strategically, viewed as highest priority, and factored into the earliest planning stages. An agency that is currently using your cloud service might be more motivated to take on the risk of championing it.
The FedRAMP website enables you to look up the number of packages that an agency has sponsored, and what those packages are. This is a good starting point to evaluate whether one agency or another is likely to pick you up as a sponsor.
The solution: Get strategic advice at the outset
As stated above, FedRAMP compliance should be approached like a product launch or new business unit launch, with careful planning and cross-departmental buy-in. Critical steps include:
- Educating senior leaders
- Evaluating costs and resource requirements along with ROI objectives
- Identifying skills gaps and planning skills acquisition
- Planning for technical implementation of your offering to meet all control requirements
- Laying out a realistic roadmap
- Planning your sales pipeline and market penetration
- Charting the many complexities and pitfalls that await you in the US government realm, e.g., Federal Acquisition Regulation (FAR) compliance
- Preparing for assessment
For all but the most experienced organizations, pursuing a FedRAMP ATO without a strategic advisor can compromise your results and increase your effort level. The FedRAMP authorization process is long and complicated, and what you don’t know can definitely hurt you.
Even determining the economic justification and business case for FedRAMP is a significant challenge. A trusted expert can get you started on the right foot and keep you moving forward efficiently, while taking into account your unique situation and challenges.
What’s next?
For more guidance on this topic, listen to Episode 144 of The Virtual CISO Podcast with guest Mike Craig, founding principal and CEO at Vanaheim Security.