The US Government Accountability Office (GAO) released a report on The Federal Risk and Authorization Management Program (FedRAMP®). The 37 page report provides highly relevant insights to both agencies and commercial organizations pursuing FedRAMP accreditations or ATOs. Highlights from the report are presented below.
Key Challenges Faced by Agencies and Cloud Service Providers (CSP)
- Receiving timely responses from stakeholders: Agencies and CSPs reported that they had issues with receiving timely responses from stakeholders throughout the authorization process. Sponsoring CSPs that were not fully prepared Agencies reported that CSPs did not fully understand the FedRAMP process and lacked complete documentation.
- Lacking sufficient resources: Agencies reported that they lacked the resources (e.g., funding and staffing) needed to sponsor an authorization.
- Meeting FedRAMP technical and process requirements: CSPs reported that they had to update the infrastructure to meet federal security requirements.
- Finding an agency sponsor: CSPs reported that finding an agency sponsor was difficult.
- Engaging with third-party assessment organizations (3PAO): CSPs reported that they faced issues (e.g., lack of consistency) when engaging with organizations that were responsible for performing independent assessments of their cloud services—3PAOs
The reported findings do not offer any new information as most of these challenges are fairly well known within the FedRAMP ATO community. However, a number of these findings are important for both agencies and businesses to consider when partnering for a FedRAMP ATO.
- Be well prepared: Both agencies and CSP can avoid costly delays by being well prepared with complete documentation, a compliant architecture and knowledgeable FedRAMP team. Given that agencies have limited resources, it is incumbent on CSPs to make sure that their solution, documentation and staff are well-prepared to address FedRAMP ATO requirements. Please read our white paper on how to prepare for FedRAMP.
- Understand the sponsorship process: CSP should invest some time in understanding the sponsorship process by preparing a sponsorship/briefing presentation that provides the right levels of information that include Impact Level (High, Moderate, Low or LI-SaaS), Service Model (SaaS, PaaS or IaaS) and Deployment Model. A well prepared and informative briefing deck with reference architectures, data flows, and evidence of preparedness can help instill confidence in the sponsoring agency. Please read our blog post on sponsorship.
- Develop a federally compliant cloud solution: Understanding specific FedRAMP and Federal (or DOD) specific security requirements is essential to avoid costly rework that cause delays and increase costs for both agencies (due to multiple rounds of reviews) and the CSP (due to rework). A number of specific technical requirements that need to be addressed include FIPS 140-3 compliant encryption, adherence to DISA STIG hardening standards, defense in depth/secure by design principles, and data segmentation & separation are just some of the requirements.
- Select a strong partner: Many times CSPs just focus on selecting a 3PAO to assist in their FedRAMP journey. However, within the 3PAO community there are different levels of services, specialization and focus areas. Additionally, one must have access to specialized services like FIPS remediation, security architecture & engineering as well as FedRAMP advisory services. Engaging with a strong and reliable security engineering partner is one of the biggest decisions that a CSP can make which can have a material impact on the success of their project.
Increasing Consumption of FedRAMP Accredited Cloud Services
The GAO study states that FedRAMP accredited cloud services consumption has increased over time. There is a 60% increase in authorization from 2019 through 2023. It is interesting to note that nearly 65% of the authorizations are for SaaS services. This continues the demonstrate that Federal agencies are looking for new and innovative software solutions provided by commercial companies (versus IaaS or PaaS solutions).
Understanding FedRAMP Accreditation Costs
A critical question that is often asked is “How much does it cost to get a FedRAMP ATO?”. The report offers some insightful information for both agencies (for sponsoring FedRAMP ATOs) and for CSPs looking to pursue FedRAMP accreditation.
- Agency Sponsorship Costs: The GAO report states that the agency sponsorship costs varied between $69,000 and $400,000. These costs can vary depending on the Impact Level eg. it takes more time and effort to sponsor a FedRAMP High system versus a Moderate system and also by Service Level e.g. it takes less time to accredit a SaaS (especially if it is inheriting controls from a FedRAMP IaaS). Having this information is very valuable to CSPs, who can advise their prospective sponsors on likely costs. Additional techniques to reduce the cost for the agency sponsor is by making sure that complete documentation, compliant architecture and knowledgeable staff are available to address questions and reduce the need for multiple rounds of corrections and reviews.
- CSP Accreditation Costs: A survey of 13 cloud service providers reported spending a total of $12.4 million for initial accreditation. The costs varied between $300,000 to $3.7 Million. Assuming we take an average, the number comes to around $900,000. CSP costs for FedRAMP are typically incurred in documentation, architecture & deployment, security software and 3PAO assessment. Costs are heavily dependent on the level of internal expertise available to navigate the various requirements. Please read our blog on FedRAMP ATO costs.
In our experience, CSPs can cut down on their FedRAMP costs (and for their Agency sponsors) by implementing a compliant architecture, complete documentation including SSP, Policies & Procedures and knowledgeable staff who can rapidly address assessment related questions and provide requested evidentiary information quickly.
Please feel free to schedule a free consultation with our FedRAMP ATO Acceleration experts to see how we could help you reduce the time and cost of ATOs by 40% using our ThreatAlert(R) ATO Accelerator. You can also chat with us about your FedRAMP Rev 5 or FedRAMP Rev 4 to 5 transition needs.
