Stackarmour

How much does it cost to get FedRAMP compliant and obtain an ATO?

Commercial organizations looking to sell cloud-based solutions to Federal agencies must comply with FedRAMP security requirements. This blog post by stackArmor helps organizations understand the critical cost drivers, along with some commonly observed costs, for FedRAMP compliance (often loosely called FedRAMP certification).

Growing Federal market for FedRAMP accredited cloud services

US Federal Agencies buy over $80 billion worth of IT products and services every year. There has been a continued shift towards acquiring cloud-based solutions as greater business agility and higher levels of customer experience are required. Leading market research firm Deltek, in its latest cloud computing market report, projects Federal cloud computing purchases of $9.1 billion by 2024. In 2018 alone, Federal agencies purchased $3.7 billion of cloud services, up from $2.6 billion the year before. The recent finalization of OMB’s Cloud Smart policy, TIC 3.0 guidance and DOD’s acceptance of FedRAMP for accreditation of commercial cloud services will accelerate cloud adoption across the DOD and US Federal enterprise. The increasing acceptance of FedRAMP as the de facto standard for cloud security and compliance means that a cloud solution needs an Authority to Operate (ATO) to access the Federal market.

The first question most commercial providers ask is “How much does FedRAMP certification cost?”. The answer, as one might imagine, is a complex one. (Strictly speaking, FedRAMP grants an authorization rather than a certification, but the two terms are used interchangeably in the market.) The cost and time associated with FedRAMP compliance depend heavily on three (3) factors:

The cost of FedRAMP certification or compliance is heavily influenced by the answers to the three questions above, because they drive the labor, technology and compliance documentation required to obtain an ATO. In general, there are four (4) cost line items associated with a typical FedRAMP accreditation project, which include:

In order to dive deeper into the various costs, it is important to understand the FedRAMP program and how it works. 

Understanding FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to the security assessment, authorization and continuous monitoring of cloud services consumed by US Federal and DOD Agencies. The program is managed by the General Services Administration (GSA) FedRAMP Program Management Office (PMO). Every cloud service (IaaS, PaaS or SaaS) must receive a Joint Authorization Board (JAB) Provisional Authority To Operate (P-ATO) or an Agency ATO before a US Government agency can consume it.

It is important to understand some of the terms associated with the FedRAMP program. The FedRAMP security and compliance program is based on NIST Special Publication (SP) 800-53, the catalog of security and privacy controls from which the FedRAMP Low, Moderate and High baselines are drawn; the baseline defines the security requirements, policies, and procedures that must be met. A commercial solutions provider is referred to as a CSP (Cloud Service Provider). The CSP undergoes an assessment and authorization (A&A) phase to obtain a P-ATO through the JAB, or an Agency ATO through a sponsoring agency. The actual assessment is performed by an independent, accredited Third Party Assessment Organization (3PAO) engaged by the CSP; the resulting package is reviewed by the FedRAMP PMO at the GSA and by the authorizing body (the JAB or the sponsoring agency).

Every cloud service offering must be categorized using the FIPS 199 standard, which rates the potential impact of a loss of confidentiality, integrity, or availability of the data hosted in the environment as Low, Moderate or High. From that determination the cloud service is assessed as follows:

Every CSP should consult its sponsor(s) or Government customer to understand what categorization the service will need. If the CSP intends to provide services to the Department of Defense, additional accreditation work with DISA will be required to meet the DoD Cloud Computing Security Requirements Guide (SRG) Impact Levels, typically IL2, IL4 or higher.
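The categorization step above is what fixes the baseline (and therefore most of the cost) for the rest of the process, so it is worth seeing how it is actually computed. The following is an added example, not code from the stackArmor post or the ThreatAlert product. It implements the FIPS 199 / FIPS 200 "high-water mark" rule: the system's impact level for each security objective (confidentiality, integrity, availability) is the highest impact of any information type the system handles, and the overall categorization is the highest of the three objectives. FIPS 199 allows "not applicable" only for confidentiality (public information), and the code rejects it elsewhere. The information types and impact values in SAMPLE_INVENTORY are constructed sample data for a hypothetical SaaS offering, not a real system inventory, and the LI-SaaS flag is the caller's own eligibility determination (the FedRAMP Tailored criteria are not encoded here).

```python
"""FIPS 199 security categorization and FedRAMP baseline selection.

Added illustrative example (not from the original post). Implements the
FIPS 199 / FIPS 200 high-water mark rule over a list of information types.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# FIPS 199 potential impact values, lowest to highest. "n/a" is permitted
# only for the confidentiality objective (e.g. public web content).
IMPACT_ORDER = {"n/a": 0, "low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type processed or stored by the cloud service offering."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _normalize(level: str, objective: str, info_type: str) -> str:
    """Validate and lower-case an impact value for one objective of one information type."""
    level = level.strip().lower()
    if level not in IMPACT_ORDER:
        raise ValueError(f"{info_type}/{objective}: unknown impact level {level!r}")
    if level == "n/a" and objective != "confidentiality":
        raise ValueError(f"{info_type}/{objective}: 'n/a' is only valid for confidentiality")
    return level


def objective_high_water_marks(info_types: Iterable[InfoType]) -> Dict[str, str]:
    """High-water mark per security objective across all information types."""
    types: List[InfoType] = list(info_types)
    if not types:
        raise ValueError("at least one information type is required")
    marks: Dict[str, str] = {}
    for obj in OBJECTIVES:
        levels = [_normalize(getattr(t, obj), obj, t.name) for t in types]
        marks[obj] = max(levels, key=IMPACT_ORDER.__getitem__)
    return marks


def fips199_categorization(info_types: Iterable[InfoType]) -> Tuple[str, Dict[str, str]]:
    """Overall system categorization: the highest of the three objective marks.

    Integrity and availability can never be 'n/a', so the result is always
    'low', 'moderate' or 'high'.
    """
    marks = objective_high_water_marks(info_types)
    overall = max(marks.values(), key=IMPACT_ORDER.__getitem__)
    return overall, marks


def fedramp_baseline(overall: str, li_saas_eligible: bool = False) -> str:
    """Map the categorization to the FedRAMP baseline the 3PAO will assess against.

    li_saas_eligible is an assumption supplied by the caller: the CSP's own
    determination, made with its sponsor, that the offering qualifies for
    FedRAMP Tailored (Low-Impact SaaS). The eligibility criteria are not
    encoded here.
    """
    if overall == "low":
        return "LI-SaaS (FedRAMP Tailored)" if li_saas_eligible else "Low"
    if overall == "moderate":
        return "Moderate"
    if overall == "high":
        return "High"
    raise ValueError(f"unexpected categorization {overall!r}")


def format_sc(marks: Dict[str, str]) -> str:
    """Render the result in FIPS 199 notation, e.g. SC = {(confidentiality, MODERATE), ...}."""
    parts = ", ".join(f"({obj}, {marks[obj].upper()})" for obj in OBJECTIVES)
    return "SC = {" + parts + "}"


# Constructed sample inventory for a hypothetical SaaS offering (not a real system).
SAMPLE_INVENTORY = [
    InfoType("public marketing pages", "n/a", "moderate", "low"),
    InfoType("customer account records", "moderate", "moderate", "low"),
    InfoType("agency case files", "moderate", "moderate", "moderate"),
]

if __name__ == "__main__":
    overall, marks = fips199_categorization(SAMPLE_INVENTORY)
    print(format_sc(marks))
    print("overall:", overall, "-> FedRAMP baseline:", fedramp_baseline(overall))
```

The practical lesson is the one the post's cost discussion turns on: a single High-availability information type (an emergency alerting feed, say) pulls the whole offering to the High baseline, with the corresponding jump in controls, documentation and 3PAO effort, so scoping which information types the service actually handles is a cost decision as much as a security one.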

Key Steps for FedRAMP Accreditation including Post-ATO Activities

There are typically seven (7) key activities involved in going through a FedRAMP accreditation process:

  1. Have a compliant technical architecture that implements the NIST SP 800-53 controls in the applicable FedRAMP baseline, including FIPS 140-2 validated cryptographic modules, multi-factor authentication, continuous monitoring, and the other required security controls.
  2. Demonstrate mature policies and procedures related to operating a Cloud service for hosting government data that meets the FIPS 199 categorization levels for the system.
  3. Develop and maintain mature management processes with completed documentation that includes FedRAMP mandated artifacts such as System Security Plans (SSP) amongst others. 
  4. Hire an accredited Third Party Assessment Organization (3PAO) to perform independent verification and validation: a Readiness Assessment (required for the JAB path), followed by the full security assessment, including penetration testing, whose results are documented in the Security Assessment Report (SAR) that is submitted with the authorization package.
  5. Respond to and remediate any clarifications or requests for information by sponsor agency or FedRAMP JAB.
  6. Perform continuous monitoring, reporting and compliance activities as mandated by FedRAMP to ensure that the system stays in compliance after the initial P-ATO or Agency ATO is granted.
  7. Conduct an annual assessment by a 3PAO to ensure that the system meets US Federal security standards as prescribed in NIST SP 800-53.

Most CSPs hire compliance specialists to assist with managed services, managed security services and/or compliance reporting for FedRAMP accreditation.

Typical FedRAMP Accreditation Costs

As described earlier, FedRAMP accreditation costs vary by compliance level (the FIPS 199 categorization and resulting baseline), the current state of the CSP’s platform and the availability of in-house expertise. In general, based on nearly 10 years of ATO experience in FedRAMP, FISMA and DFARS compliance, we have found the following indicative costs:

In practice, a typical FedRAMP accreditation budget may range between $250,000 and $750,000 depending on the nature of the services purchased and the assistance required. There is considerable focus on streamlining the process and making it easier for organizations to obtain an ATO. CSPs should develop a strong understanding of the requirements by visiting www.fedramp.gov.

Commonly observed challenges and causes for cost escalations include:

ATO Acceleration with Amazon Web Services (AWS) and stackArmor ThreatAlert™

Clearly, there is significant cost and complexity associated with being ready to host and secure government data. Using FedRAMP-accredited cloud services such as Amazon Web Services (AWS) can help reduce the cost of compliance as well as accelerate the ability to meet NIST SP 800-53 requirements. AWS cloud services offer a variety of tools and capabilities for continuous monitoring, encryption and “certified” components that reduce the compliance “footprint”. Additionally, as part of the ATO on AWS program, there are vetted partner solutions that help reduce the cost and time associated with obtaining a FedRAMP ATO.

stackArmor is an Advanced AWS Partner specializing in FedRAMP, FISMA and DFARS compliance on AWS and AWS GovCloud for commercial organizations. As part of the ATO on AWS partner program, stackArmor offers a cloud General Support System (GSS) called stackArmor ThreatAlert™ that is specifically tailored to meet NIST SP 800-53 security requirements on AWS and AWS GovCloud. The stackArmor ThreatAlert solution includes the following key components:

stackArmor ThreatAlert™ helps reduce the time and cost associated with a FedRAMP accreditation process by 40-50% by using automation and pre-filled templates that are tailored for AWS-based applications.

Are you looking to become FedRAMP compliant? Contact us and ask about our ATO Accelerator Assessment, which is a firm-fixed-price offering worth $10,000 available for free to qualified AWS customers. The ATO Accelerator Assessment is conducted by certified AWS and Security Professionals covering business, technology and security topics specific to the customer’s environment. The Assessment report includes a gap analysis report that highlights critical deficiencies and also helps develop a budget and roadmap for FedRAMP compliance.

Community Input and Comments from Experienced Subject Matter Experts:

Martin Rieger, CISSP/CCSP, CISA/CRISC/CISM, GSLC:

“This is a great article, but there are a couple of things I would adjust. The only costing that appears off is in the second bullet under the section titled “Typical FedRAMP Accreditation Costs”. It should say the Security Assessment Report (SAR) and the cost range is more like $125-190k depending on the 3PAO. The RAR happens separately and before the assessment even begins. The RAR is a tool to help obtain sponsorship and demonstrate readiness to an agency. It also gets you in the marketplace where everyone wants to be.

3PAO assessment costs for conducting an assessment at the moderate level including conducting a penetration test and submitting the Security Assessment Report (SAR) can vary between $125,000 to $195,000. An LI-SaaS assessment could be lower and might only cost $30,000-$45,000.

In addition to the RAR being out of place, it is not mentioned as an activity. While it is required by the JAB, it is not required by all agencies, but some will request it before they agree to work with you as a sponsor. Which leads me to the most important activities missing from the article, obtaining Sponsorship is the most critical component. Under the section titled “Key Steps for FedRAMP Accreditation including Post-ATO Activities”, Obtaining Sponsorship is the single most important and in many cases the most difficult task. Sponsorship is half the battle. As a CSP you can begin your FedRAMP journey without a sponsor, but to complete the accreditation process, you have to have one.”

John Keese, Head of Compliance, Zoom Video Communications (via LinkedIn):

“Good write-up here. One note on advisory services. One should note that advisory services are often viewed by a new CSP entering FedRAMP as a “hand-off” and the advisory firm will get it all done for them. Not accurate in my experience (having completed over 7 authorizations). I would suggest using advisory on a T&M basis only for assumption verification through a CSP’s journey to FedRAMP authorization, vs thinking that a traditional Gap analysis and notional SSP and policies are the end state for a CSP. Automation is key to getting this done and keeping continuous compliance. Selecting the right GRC tool is as important as any of the items pointed out. Thanks for sharing!”