You need FedRAMP, but how do you afford it?

Many IT companies are asking whether they should go forward with FedRAMP and, if they do, what their choices are for moving forward. We take a closer look at these questions.

One of the hottest topics for software vendors and federal systems integrators is how to approach the essential but arduous task of gaining FedRAMP authorization for their cloud services. These companies understand the need to comply with Federal Risk and Authorization Management Program requirements before they can sell their applications to federal government agencies as software as a service (SaaS). But most wrestle with how to address the cost and complexity of the process and overcome the required technical, compliance and documentation challenges.

Many IT companies are asking whether they should go forward with the authorization process at all – and if they do, whether to handle it themselves or outsource some or all of its components. In the next two columns, we’ll take a closer look at these questions.

Is FedRAMP the right move?

This past July, Reps. Gerry Connolly (D-Va.) and Mark Meadows (R-N.C.) introduced the bipartisan FedRAMP Authorization Act of 2019. Connolly has been quoted saying the process, originally intended to be a fast-track initiative requiring an investment of six months and $250,000, has instead taken some companies three or four years and millions of dollars to complete.

This cost and delay in time to market can all but prevent some small and medium-sized IT vendors from selling cloud services to the federal government. To its credit, the FedRAMP PMO acknowledged the issue in its recent FedRAMP Ideation Challenge, through which it solicited ideas from vendors and agencies in an attempt to streamline and improve the program.

But does your company really need FedRAMP authorization? The short answer is yes: SaaS apps will need to go through the FedRAMP process to ensure the security of government data and to comply with government requirements. If you are attempting to sell cloud services or solutions (like SaaS) into the federal market, now or in the future, FedRAMP is not something you can ignore.

The realities of IT budgeting in the federal government mean that agencies are moving away from capital expense (CapEx) procurements and increasing operational expense (OpEx) budgets to buy subscription-based offerings. Many companies are being told flatly that unless their product is FedRAMP authorized, it is unlikely to be purchased at all. FedRAMP allows for a product to be purchased more readily as a cloud-based service and greatly improves time to market by allowing your customers to re-use authorizations from other federal agencies.

Equally important, FedRAMP authorized applications are advertised on the FedRAMP Marketplace, which is where government agencies go to determine the types of solutions available to meet their requirements.

Authorization: DIY or Outsource?

Is it realistic to think you can accomplish FedRAMP authorization on your own? To answer that question, you must first understand the responsibilities involved.

This complicated and ongoing process requires a team with specific expertise applicable to FedRAMP authorization. Once you’ve selected or built a compliant hosting environment, you’ll require security compliance personnel such as certified information systems security professionals (CISSPs) who can write to FedRAMP controls (NIST 800-53), conduct continuous monitoring and manage annual reassessments. They’ll need to prepare and maintain a system security plan (SSP) consistent with FedRAMP requirements – a set of documents numbering in the hundreds of pages for each application you put through the process.

Additionally, you will require application engineers to configure your application to FedRAMP controls (NIST 800-53), as well as a seasoned project manager to guide the process through to authorization and manage all ongoing continuous monitoring requirements. You’ll need to select a third-party assessment organization (3PAO) to assess the application, SSP and all documentation. And to complicate matters, there is a re-authorization process that has to be completed with FedRAMP annually, so having access to experts who can recognize potential issues and changes in the requirements can be critical.

Even those companies with sufficient resources to undertake the process on their own recognize the need to bring in outside experts and hosting capabilities to accelerate their routes to market. But this usually ratchets up the cost and complexity as multiple consultants and contractors get on (and stay on) the clock for unpredictable periods of time.

One possible better alternative is to utilize a services vendor who can bring these diverse resources under one roof and provide them to you on a predictable, flat-rate basis.

FedRAMP Authorization: Can I Afford It?

What will authorization cost your company, and how can you ensure the investment is reasonable and predictable? The answers can vary widely depending on the technical nuances of your application and your available resources.

As mentioned previously, achieving FedRAMP authorization on your own can cost millions. There are significant costs for both DIY and outsourced options, involving multiple consultants or internal hires. Your ability to identify, plan for and manage those costs is critical to maintaining your profit margins when you begin selling to the federal government.

There are several additional considerations associated with authorization that can color your decision of whether or not to handle this process internally:

Hosting: Before placing your app in a FedRAMP authorized cloud, be sure to determine how many of the security controls it will inherit from the hosting environment itself. If you opt to host the software yourself, you’ll have to document and go through all of the controls for your own environment. Many companies that host their own apps in their own data centers still have to start from scratch, which can take more time than hosting in a third-party cloud that already has the appropriate authorizations.

Managed Services: Most public cloud service providers will leave you with the responsibility of managing the application – from continuous monitoring to patching updates to application security. Look for a service provider that offers a more comprehensive approach and can manage the application on your behalf. This might include installing the application in the cloud, locking down continuous security and ensuring compliance with requirements on an ongoing basis.

Conclusion

FedRAMP authorization is a necessary but complicated process that can consume a significant amount of a company’s human and financial resources.

It is possible to handle the entire process internally – provided you have a team of experts who understand and can document the complex federal compliance, security technology and engineering details required for authorization. What’s more, you will need to host your application in an authorized environment, verified by a third-party assessment organization. And you must have competent project management to drive the process each year and continuously report to the FedRAMP PMO and your government customers.

For these and other reasons we’ll explore in a future column, it may make the most sense to continue to focus on your core business and to outsource the full authorization process to a provider that can improve your time to market while controlling your cost.
