Commercial organizations selling cloud-hosted applications to US Federal and Department of Defense (DoD) agencies must have a FedRAMP accreditation. FedRAMP is a US Government program for certifying cloud-based solutions for use by US Government customers. The program has been in existence for many years but is rapidly gaining acceptance, and agencies are requiring commercial cloud service providers (SaaS, PaaS or IaaS) to demonstrate a FedRAMP Authority To Operate (ATO).
FedRAMP certification and compliance costs are based on the level of FedRAMP certification (or accreditation) being requested. FedRAMP certifications are available for High, Moderate, Low or Low-Impact SaaS (LI-SaaS) levels depending on the sensitivity of the data.
FedRAMP accreditation costs are composed of three elements:
- Cloud and cybersecurity engineering costs to perform the technical engineering tasks that ensure a compliant cloud architecture and deployment meeting the NIST SP 800-53 technical security controls. Typical activities include implementing a firewall, multi-factor authentication, continuous monitoring and logging, encryption, etc.
- Assessment and authorization tasks that include developing the documentation associated with the management and operation of the system. This includes using the FedRAMP-provided templates for the System Security Plan (SSP), amongst others. In industry, these are typically referred to as “Advisory” services.
- Audit activities performed by an independent Third-Party Assessment Organization (3PAO) that involve producing a Readiness Assessment Report (RAR) (optional) and a Security Assessment Report (SAR). The SAR contains the results of the comprehensive security assessment of a CSP’s cloud service offering, including a summary of the risks associated with vulnerabilities of the system identified during testing. The purpose of a SAR is to evaluate the system’s implementation of, and compliance with, the FedRAMP baseline security controls, and thus the system’s compliance with FISMA security mandates.
Commercial organizations looking to pursue FedRAMP certification and accreditation need to assess the level of internal expertise available to perform some of the key preparatory activities with either internal resources or external services.
The costs for FedRAMP accreditation have been coming down consistently over the past few years with the ready availability of automation services, a wider understanding of the requirements, and the availability of accelerator solutions such as ATO on AWS. Generally, a budget of between $250,000 and $750,000 provides a reasonable starting point for an organization seeking to pursue FedRAMP certification.
Conducting market research and getting a sense of cost drivers, options and trends are essential to making an informed cost and budgetary estimate for obtaining a FedRAMP ATO (Authority To Operate). Here are some links with additional content for research.
This blog post provides details on specific cost line items and critical drivers. The blog post also includes comments from FedRAMP SMEs and CISO/CTOs of companies that have successfully achieved FedRAMP compliance.
Here is an article from Matt Goodrich, the former Government Executive responsible for the FedRAMP program at GSA. The article is somewhat dated and does not adequately reflect the significant advances made in automation since 2016. However, the article does a good job of highlighting key cost elements and educating decision-makers considering FedRAMP certification.
This is an interesting recent podcast that describes the FedRAMP certification journey for a SaaS provider. The podcast does a good job of describing the FedRAMP accreditation journey, costs and organizational needs, as well as the number of staff used by this organization. The content uses commonly understood terms.
Are you interested in obtaining FedRAMP compliance and certification? Schedule a consultation to learn more about our FedRAMP Accelerator Assessment for AWS (Amazon Web Services) hosted applications. We have developed a fixed-price consulting offer for a free 2-week engagement that covers the business, technical and security issues associated with a FedRAMP accreditation. The output includes a FedRAMP certification strategy and roadmap and a detailed cost budget for planning purposes. Such engagements typically cost between $40,000 and $50,000.