You need FedRAMP, but how do you afford it?
Many IT companies are asking whether they should go forward with FedRAMP and, if they do, what their choices are for moving forward. We take a closer look at these questions.
One of the hottest topics for software vendors and federal systems integrators is how to approach the essential but arduous task of gaining FedRAMP authorization for their cloud services. These companies understand the need to comply with Federal Risk and Authorization Management Program requirements before they can sell their applications to federal government agencies as software as a service (SaaS). But most wrestle with how to address the cost and complexity of the process and overcome the required technical, compliance and documentation challenges.
Many IT companies are asking whether they should go forward with the authorization process at all – and if they do, whether to handle it themselves or outsource some or all of its components. In the next two columns, we’ll take a closer look at these questions.
Is FedRAMP the right move?
This past July, Reps. Gerry Connolly (D-Va.) and Mark Meadows (R-N.C.) introduced the bipartisan FedRAMP Authorization Act of 2019. Connolly has been quoted saying the process, originally intended to be a fast-track initiative requiring an investment of six months and $250,000, has instead taken some companies three or four years and millions of dollars to complete.
This cost and delay in time to market can all but prevent some small and medium-sized IT vendors from selling cloud services to the federal government. To its credit, the FedRAMP PMO acknowledged the issue in its recent FedRAMP Ideation Challenge, through which it solicited ideas from vendors and agencies in an attempt to streamline and improve the program.
But does your company really need FedRAMP authorization? The short answer is yes: SaaS apps will need to go through the FedRAMP process to ensure the security of government data and to comply with government requirements. If you are attempting to sell cloud services or solutions (like SaaS) into the federal market, now or in the future, FedRAMP is not something you can ignore.
The realities of IT budgeting in the federal government mean that agencies are moving away from capital expense (CapEx) procurements and increasing operational expense (OpEx) budgets to buy subscription-based offerings. Many companies are being told flatly that unless their product is FedRAMP authorized, it is unlikely to be purchased at all. FedRAMP allows for a product to be purchased more readily as a cloud-based service and greatly improves time to market by allowing your customers to re-use authorizations from other federal agencies.
Equally important, FedRAMP-authorized applications are advertised on the FedRAMP Marketplace, which is where government agencies go to determine the types of solutions available to meet their requirements.
Authorization: DIY or Outsource?
Is it realistic to think you can accomplish FedRAMP authorization on your own? To answer that question, you must first understand the responsibilities involved.
This complicated and ongoing process requires a team with specific expertise applicable to FedRAMP authorization. Once you’ve selected or built a compliant hosting environment, you’ll require security compliance personnel such as certified information systems security professionals (CISSPs) who can write to FedRAMP controls (NIST 800-53), conduct continuous monitoring and manage annual reassessments. They’ll need to prepare and maintain a system security plan (SSP) consistent with FedRAMP requirements – a set of documents numbering in the hundreds of pages for each application you put through the process.
Additionally, you will require application engineers to configure your application to FedRAMP controls (NIST 800-53), as well as a seasoned project manager to guide the process through to authorization and manage all ongoing continuous monitoring requirements. You’ll need to select a third-party assessment organization (3PAO) to assess the application, SSP and all documentation. And to complicate matters, there is a re-authorization process that has to be completed with FedRAMP annually, so having access to experts who can recognize potential issues and changes in the requirements can be critical.
Even those companies with sufficient resources to undertake the process on their own recognize the need to bring in outside experts and hosting capabilities to accelerate their routes to market. But this usually ratchets up the cost and complexity as multiple consultants and contractors get on (and stay on) the clock for unpredictable periods of time.
One potentially better alternative is to use a services vendor who can bring these diverse resources under one roof and provide them to you on a predictable, flat-rate basis.
FedRAMP Authorization: Can I Afford It?
What will authorization cost your company, and how can you ensure the investment is reasonable and predictable? The answers can vary widely depending on the technical nuances of your application and your available resources.
As mentioned previously, achieving FedRAMP authorization on your own can cost millions. There are significant costs for both the DIY and outsourced options, involving multiple consultants or internal hires. Your ability to identify, plan for and manage those costs is critical to maintaining your profit margins when you begin selling to the federal government.
There are several additional considerations associated with authorization that can color your decision of whether or not to handle this process internally:
Hosting: Before placing your app in a FedRAMP-authorized cloud, be sure to determine how many of the security controls it will inherit from the hosting environment itself. If you opt to host the software yourself, you’ll have to document and go through all of the controls for your own environment. Many companies that host their own apps in their own data centers still have to start from scratch, which can take more time than hosting in a third-party cloud that already has the appropriate authorizations.
Managed Services: Most public cloud service providers will leave you with the responsibility of managing the application – from continuous monitoring to patching updates to application security. Look for a service provider that offers a more comprehensive approach and can manage the application on your behalf. This might include installing the application in the cloud, locking down continuous security and ensuring compliance with requirements on an ongoing basis.
Conclusion
FedRAMP authorization is a necessary but complicated process that can consume a significant amount of a company’s human and financial resources.
It is possible to handle the entire process internally – provided you have a team of experts who understand and can document the complex federal compliance, security technology and engineering details required for authorization. What’s more, you will need to host your application in an authorized environment, verified by a third-party assessment organization. And you must have competent project management to drive the process each year and continuously report to the FedRAMP PMO and your government customers.
For these and other reasons we’ll explore in a future column, it may make the most sense to continue to focus on your core business and to outsource the full authorization process to a provider that can improve your time to market while controlling your cost.