Commercial organizations looking to sell cloud-based solutions to Federal agencies must comply with FedRAMP security requirements. This blog post by stackArmor helps organizations understand critical cost drivers with some commonly observed costs for FedRAMP compliance or certification.

Growing Federal market for FedRAMP accredited cloud services

US Federal Agencies buy over $80 billion worth of IT products and services every year. There has been a continued shift towards acquiring cloud-based solutions as greater business agility and higher levels of customer experience are required. Leading market research firm, Deltek’s latest cloud computing market report, projects cloud computing purchases valued at $9.1 billion by 2024. In 2018 alone, Federal agencies purchased $3.7 billion of cloud services and $2.6 billion the year before that. The recent finalization of OMB’s CloudSmart policy, TIC 3.0 guidance and DOD’s acceptance of FedRAMP for accreditation of commercial cloud services will accelerate cloud adoption across the DOD and US Federal enterprise. The increasing acceptance of FedRAMP as the de facto standard for cloud security and compliance requires that cloud-solutions have an Authority to Operate (ATO) to access the Federal market.

The first question most commercial providers ask is “How much does FedRAMP certification cost?”. The answer, as one might imagine, is a complex one. The cost and time associated with FedRAMP compliance depend heavily on three (3) factors:

  • The FedRAMP compliance or accreditation level being requested
  • Compliance of existing technical architecture with NIST SP 800-53 security controls
  • Availability of written policies and procedures aligned with 17 control families prescribed by NIST SP 800-53

The cost for FedRAMP certification or compliance is heavily influenced by the answers to the three questions above as it will drive the required labor, technology and compliance documentation required to obtain an ATO. In general, there are four (4) cost line items associated with a typical FedRAMP accreditation project, that include:

  • Consulting professional services to develop FedRAMP ATO package
  • Assessment by a Third-party Assessment Organization (3PAO)
  • Software and COTS purchases associated with meeting NIST SP 800-53 control requirements
  • On-going post-ATO costs for compliance, reporting and annual assessments

In order to dive deeper into the various costs, it is important to understand the FedRAMP program and how it works.  Click here to read more…