Straight talk about whether FedRAMP accreditation is right for you.
In the world of FedRAMP, you are either a cloud service provider (CSP) or a user of cloud services.
Many of our CSP clients are asked about FedRAMP accreditation. In some cases, a government user has told them they should be FedRAMP accredited. This is not necessarily true.
CSPs are often very UNCLEAR on what FedRAMP is, the commitment level, and how the process works.
Let’s start with an overview. FedRAMP offers a CSP the opportunity to get sponsored and accredited, then re-use that accreditation to sell to other government agencies. There are over a hundred already authorized with many others in process or ready.
Just like pickles and peanut butter, the FedRAMP process and authorization is not for every CSP.
CSPs interested in FedRAMP authorization begin with the pre-authorization phase. Becoming familiar with required documents, taking the FedRAMP training and reviewing the FedRAMP website will help you understand the requirements. You also need to find a government sponsor and establish your certification path (JAB or Agency). Finally, identify a Third Party Assessment Organization (3PAO) to work with you.
Once in the authorization phase, the CSP creates a System Security Plan, or SSP, that describes in detail how they have met each control specified in NIST 800-53.
The 3PAO develops the test plan, tests the controls to verify that what is in the SSP is actually in practice, then prepares a report.
The CSP creates a plan to address any outstanding items, known as a Plan of Action and Milestones, or POAM. The certifying agency then decides whether to grant the authorization.
Why would you want to pass on authorization, or at least think twice?
No Federal Sales Strategy: If you do not have a strategy to sell to the Federal government, it may be tough to show a return on investment. FedRAMP is not cheap. It requires intense commitment from your team during the pre-authorization and authorization phases, and an ongoing commitment in continuous monitoring and post-authorization phases.
Post-authorization, the CSP accreditation can be re-used by other government agencies. But if you don’t know how you’re going to build your government book and take advantage of the re-use principle, it may not be the right time to enter the process.
Resource Constraints: As mentioned above, if your network and security teams are constantly in reactive mode and don’t have the time to devote to creating a package, putting together the proper documentation will add a significant burden. You could hire external assistance to do so, but doing so will increase your cost. You are not required to use a 3PAO to help with pre-authorization or document development, but keep in mind if you choose to do so you will need to select a different 3PAO for the authorization.
Security Maturity: NIST 800-53 controls are INTENSE. For every control, you will need a policy that drives the control family, and matching procedures and technology to mitigate risk for each control and sub-control (there are thousands). If you aren’t there yet, and can’t get there quickly, you may not be ready for system authorization.
How We Can Help
Sera-Brynn is a 3PAO with years of experience in Federal and DoD markets. We can help with getting FedRAMP ready, or with the authorization process. Contact us.
Heather Engel is Chief Strategy Officer of Sera-Brynn. She has nineteen years of experience in cyber security, with an emphasis on cyber risk management including regulatory compliance, incident response, crisis communications, Continuity of Operations (COOP) planning, development and exercise execution; policy development, and computer network operations.
Sera-Brynn is internationally ranked as a top-tier cybersecurity firm. Sera-Brynn is a Payment Card Industry (PCI) Qualified Security Assessor (QSA) and a certified FedRAMP assessor. To speak to a team member, contact us at firstname.lastname@example.org or via www.sera-brynn.com.