Why FedRAMP? Why now?
One thing that’s become clear to me in the last few months is that many Cloud Service Providers, or CSPs as we’ll refer to them, are very UNCLEAR on what FedRAMP is, the commitment level, and how the process works. Many are being asked by government customers if they are FedRAMP authorized but aren’t sure how to get there.
Let’s start with an overview. FedRAMP, the Federal Risk and Authorization Management Program, is the government-wide program for assessing and authorizing cloud services for use by federal agencies, so that one authorization can be relied on across agencies rather than each agency repeating the work. There are over a hundred cloud services already authorized, with many others in process or ready. Ultimately, if you want to do business with the Federal Government in the cloud space, you will need a FedRAMP authorization.
CSPs interested in FedRAMP authorization begin with the pre-authorization phase. Becoming familiar with the required documents, taking the FedRAMP training, and reviewing the FedRAMP website will help you understand the requirements and expectations. This is also the phase where you will choose your authorization path (the Joint Authorization Board, or JAB, or a sponsoring Agency) and identify a Third Party Assessment Organization (3PAO) to work with you.
Once in the authorization phase, the CSP creates a System Security Plan, or SSP, that details how each control in the FedRAMP baseline (drawn from NIST 800-53 at the system’s impact level) is implemented. The 3PAO develops the test plan (the Security Assessment Plan), tests the controls to verify that what’s in the SSP is actually in practice, then documents the results in the Security Assessment Report. The CSP creates a plan to remediate any outstanding findings, known as a Plan of Action and Milestones, or POA&M. The authorizing body you chose, the JAB or the sponsoring agency, then decides whether to grant the authorization.
Just like pickles and peanut butter, the FedRAMP process and authorization are not for every CSP.
Why would you want to pass on authorization, or at least think twice?
No Federal Sales Strategy: If you don’t have a strategy to sell to the Federal government, it may be tough to show a return on investment. FedRAMP is not cheap, and it will require intense commitment from your team not only during the pre-authorization and authorization phases but also during continuous monitoring after authorization. FedRAMP was designed so that once a CSP offering is authorized, that authorization can be reused by other agencies. If you don’t know how you’re going to build your government book of business and take advantage of the reuse principle, it may not be the right time to enter the process.
Resource Constraints: If your network and security teams are constantly in reactive mode and don’t have the time to devote to creating a package, putting together the proper documentation will add a significant burden. You could hire external assistance to do so, but that will increase your cost. You are not required to use a 3PAO to help with pre-authorization or document development, but keep in mind that a 3PAO cannot independently assess a package it helped write: if you use one as an advisor, you will need to select a different 3PAO for the assessment.
Security Maturity: NIST 800-53 controls are INTENSE. For every control, you will need not only a policy that governs the control family, but matching procedures, and technology that actually implements the control, all of which must be documented in the SSP and demonstrated to the 3PAO. If you aren’t there yet, and can’t get there quickly, you may not be ready for system authorization.
How We Can Help
Sera-Brynn is a 3PAO with years of experience in Federal and DoD markets. Contact us today for more information on the FedRAMP process.
By: Heather Engel, Sera-Brynn’s Chief Strategy Officer