Is “FedRAMP Ready” Status in your PaaS, IaaS, or SaaS’ Future?

“FedRAMP Ready” is an official designation from the Federal Risk and Authorization Management Program, or FedRAMP. The status of “FedRAMP Ready” is awarded to cloud service providers who undergo an independent security assessment to show they are ready to move ahead with the full FedRAMP authorization process. Achieving FedRAMP Ready status is typically a single step in a more comprehensive strategy. It generally appeals to companies that want to market a cloud-based product or service to the U.S. federal government.


What type of companies are FedRAMP Ready?

Presently, there are 14 FedRAMP Ready products listed on the FedRAMP marketplace.

These products are commonly described as “government community clouds.” This means the cloud infrastructure is shared or intended to be shared between several government agencies with a shared interest.  The cloud infrastructure could be shared by 2, or even 60, of the departments, agencies, and sub-agencies that make up the U.S. federal government.

The typical FedRAMP Ready product is an IaaS, SaaS or PaaS.  Some examples of FedRAMP Ready solutions on the market include:

  • Employee engagement tools
  • Systems to track vehicles and other assets
  • Secure health care development, management, and hosting services
  • “Government editions” of secure platforms
  • Customer feedback management tools
  • DRaaS (disaster recovery as a service)
  • Human capital management solutions
  • And others

What exactly is “FedRAMP Ready” status?

In one of FedRAMP’s “Weekly Tips & Cues,” the program office answered the question like this:

FedRAMP Ready is a designation intended to demonstrate a CSP’s ability to complete the full FedRAMP Authorization process. It is a mandatory step in pursuing a JAB Provisional Authorization to Operate (P-ATO). It is optional for those pursuing an Agency-based FedRAMP Authorization. Although it is optional for agencies, some agencies may prefer to work with CSPs that are “FedRAMP Ready” since it offers key insight into their capabilities and ability to achieve an authorization.

The FedRAMP Authorization process is rigorous and intensive. It involves a lot of hard work and effort. So, it makes sense that a CSP would want some assurance that their cloud offering is likely to attain authorization. Therefore, reaching “FedRAMP Ready” is an important first step in the FedRAMP process.

Pursuing FedRAMP Ready status is generally a lesser effort than undergoing a full FedRAMP audit. However, achieving a favorable Readiness Assessment Report (RAR) is a serious effort. FedRAMP describes the process as “rigorous and intensive.” We agree.

If you want to peek at what FedRAMP Ready entails, check out the RAR templates on the FedRAMP website.

What’s the 3PAO’s Role in FedRAMP Ready?

Here’s the deal: only a FedRAMP 3PAO can assess and provide the Readiness Assessment Report (RAR) that gets submitted to FedRAMP. Only FedRAMP can award the FedRAMP Ready status.

During the assessment process, the 3PAO performs a detailed assessment on the provider’s compliance with the appropriate Impact Baseline security controls.  If you are thinking about taking this on, your 3PAO should be able to provide the methodology, steps, and timeline for this type of engagement.

The 3PAO can perform a stand-alone FedRAMP Ready assessment, as well as the subsequent full audit.  A full audit would only be feasible if the company secures an agency or Joint Authorization Board sponsorship.

Note: this is early 2019 information! If you are reading this and it’s 2020 or later, please give our future selves a call. FedRAMP has been rolling out programmatic changes regularly since its inception.


Cost

Sera-Brynn understands that the decision to pursue FedRAMP Ready status involves strategic resource decisions. As such, we can discuss business impact and pricing to help with this decision.


About Sera-Brynn


Founded in 2011 by former members of the U.S. intelligence community, Sera-Brynn is internationally ranked as a top-tier cybersecurity firm. Sera-Brynn is a Payment Card Industry (PCI) Qualified Security Assessor (QSA) and a certified FedRAMP assessor. To speak to a team member, contact us at info@sera-brynn.com or via www.sera-brynn.com.


© Sera-Brynn 2019.