Stackarmour

What is meant by FedRAMP Authority-to-Operate (ATO) on AWS?

FedRAMP ATO on AWS Meetup Hosted by stackArmor – October 14th, 2019

stackArmor a leading provider of FedRAMP, FISMA and DFARS compliance solutions on AWS hosted a Meetup for Commercial ISV’s and SaaS providers looking to learn more about FedRAMP certification. The Meetup – FedRAMP Authority-to-Operate (ATO) on AWS, had a distinguished panel of speakers from stackArmor and Amazon Web Services (AWS) and 3 PAO’s : A-lign and Emagine IT. The Meetup was attended by large and small companies interested in pursuing FedRAMP accreditation for their AWS hosted solutions.

Key takeaways and questions covered during the meetup are summarized below.

Many Cloud Service Providers (Commercial ISV’s and SaaS Providers looking to pursue FedRAMP accreditation are referred to as CSP’s in FedRAMP terminology), do not adequately define and scope their system boundary. This leads to delays and potentially costly change late in the assessment cycle. A system boundary helps define the confines where Government data resides and how it is accessed. FedRAMP has provided guidance on how to define a cloud system boundary. A simple rule of thumb is to trace and define where government data is stored and transited. This simple analysis helps define the system boundary.

A number of audience members asked if they should first pursue ISO, SOC2 or other compliance certifications prior to pursuing a FedRAMP accreditation. Most panel members and speakers seemed to agree that FedRAMP accreditation can be daunting initially – but it provides the most comprehensive security framework that makes it easy to obtain other industry certification through readily available cross-walks. 

FedRAMP accreditation or a provisional authority to operate (ATO) provides a powerful license to hunt for cloud business. Based on the latest federal cloud market analysis, there is 105% growth in government cloud spending to nearly $9B in total contracts. There is a strong focus on acquiring SaaS based solutions with US Navy and US Airforce are accelerating cloud spending. A successful FedRAMP accreditation plan must include agency outreach to obtain sponsorship, help define the Impact Level needed and demand estimation.

FedRAMP certification costs are dependent on the level of preparedness and the sensitivity of the data being processed and stored. Based on the FIPS 199 standard, the system is assessed at the High, Moderate or Low level. FedRAMP certification or accreditation costs depend on the certification or impact level with a FedRAMP High likely to be more expensive than a FedRAMP Low. FedRAMP High certifications must cover 421 controls, FedRAMP Moderate has 325 controls, and FedRAMP Low has 125 controls. Typical a FedRAMP accreditation requires having a compliant technical architecture, policies and procedures that are compliant with FedRAMP requirements and templates. Organizations can acquire external consulting assistance to meet gaps in internal capabilities. Depending on the size of the system and level of assistance needed typical preparation costs can vary between $50,000 to $500,000. It is essential to hire a 3PAO to conduct the Readiness Assessment and assist with the Authority-to-Operate (ATO) process – typical 3 PAO charges can vary between $30,000 to $150,000. 

The speakers discussed best practices around using automation, standard architecture best practices such as AWS Landing Zones and leveraging FedRAMP accredited services to accelerate the Authority-to-Operate (ATO) process.

Are you a Commercial ISV or SaaS product owner interested in FedRAMP accreditation? Contact stackArmor to learn more about the firm fixed price FedRAMP ATO Accelerator Assessment for $5,000 to help you define the right strategy, roadmap and estimate accreditation costs.