Updated in 2023 with additional information on how to prepare for FedRAMP and a whitepaper.
Commercial organizations looking to sell cloud-based solutions to Federal agencies must comply with FedRAMP security requirements. This blog post by stackArmor helps organizations understand critical cost drivers with some commonly observed costs for FedRAMP compliance or certification.
Growing Federal market for FedRAMP accredited cloud services
US Federal agencies buy over $80 billion worth of IT products and services every year. There has been a continued shift towards acquiring cloud-based solutions as greater business agility and higher levels of customer experience are required. Leading market research firm Deltek's latest cloud computing market report projects cloud computing purchases valued at nearly $19 billion by 2024. This is significant growth: an earlier report projected only $9.1 billion in cloud spend by 2024. In 2018 alone, Federal agencies purchased $3.7 billion of cloud services, and $2.6 billion the year before that. The recent signing of the FedRAMP Authorization Act, the earlier finalization of OMB's Cloud Smart policy, TIC 3.0 guidance and DOD's acceptance of FedRAMP for accreditation of commercial cloud services, as well as the recent award of the JWCC contract, continue to accelerate cloud adoption across the DOD and US Federal enterprise. The increasing acceptance of FedRAMP as the de facto standard for cloud security and compliance requires that cloud solutions have an Authority to Operate (ATO) to access the Federal market.
The first question most commercial providers ask is "How much does FedRAMP certification cost?" The answer, as one might imagine, is a complex one. The cost and time associated with FedRAMP compliance depend heavily on three (3) factors:
- The FedRAMP compliance or accreditation level being requested
- Compliance of existing technical architecture with NIST SP 800-53 security controls
- Availability of written policies and procedures aligned with 17 control families prescribed by NIST SP 800-53
The cost for FedRAMP certification or compliance is heavily influenced by the three factors above, as they drive the labor, technology and compliance documentation required to obtain an ATO. In general, there are four (4) cost line items associated with a typical FedRAMP accreditation project:
- Consulting professional services to develop FedRAMP ATO package
- Assessment by a Third-party Assessment Organization (3PAO)
- Software and COTS purchases associated with meeting NIST SP 800-53 control requirements
- On-going post-ATO costs for compliance, reporting and annual assessments
In order to dive deeper into the various costs, it is important to understand the FedRAMP program and how it works.
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program for accrediting Cloud Services for consumption by US Federal and DOD Agencies. The program is managed by the General Services Administration (GSA) FedRAMP Program Management Office (PMO). Every cloud service (IaaS, PaaS or SaaS) must receive a Joint Accreditation Board (JAB) Provisional Authority To Operate (P-ATO) or Agency ATO prior to consumption by a US Government agency.
It is important to understand some of the terms associated with the FedRAMP program. The FedRAMP security and compliance program is based on the NIST Special Publication (SP) 800-53. NIST SP 800-53 provides the baseline set of security requirements, policies, and procedures that must be met. Typically, a commercial solutions provider is referred to as a CSP (Cloud Service Provider) that undergoes an authorization and assessment phase (A&A) to obtain a P-ATO through the JAB, or an Agency ATO through a sponsoring agency. The actual assessment is performed by a Third-Party Assessor (3PAO) on behalf of the FedRAMP PMO (Program Management Office) at the GSA.
Every Cloud Service Provider (CSP) must be categorized using the FIPS 199 standard, which evaluates the confidentiality, integrity, and availability impact of the data hosted in the environment. Based on that determination, the cloud service is assessed at one of the following levels:
- FedRAMP High: the system generally contains sensitive information
- FedRAMP Moderate: the vast majority of systems fall in this category
- FedRAMP Low: primarily dealing with public information
- FedRAMP Low-Impact SaaS: used primarily for business/office productivity apps
Every CSP should consult its sponsor(s) or Government customer to understand what categorization its service will need. If the CSP intends to provide services to the Department of Defense, additional accreditation work with DISA will be required to meet specific compliance standards, typically classified as IL-2, IL-4, IL-5 or higher.
Key Steps for FedRAMP Accreditation including Post-ATO Activities
There are typically seven (7) key activities involved in going through a FedRAMP accreditation process:
- Have a compliant technical architecture that meets NIST SP 800-53 standards including FIPS 140-2 validated crypto-modules, multi-factor authentication, continuous monitoring, and other security controls.
- Demonstrate mature policies and procedures related to operating a Cloud service for hosting government data that meets the FIPS 199 categorization levels for the system.
- Develop and maintain mature management processes with completed documentation that includes FedRAMP mandated artifacts such as System Security Plans (SSP) amongst others.
- Hire a Third-Party Assessment Organization (3PAO) to perform independent verification and validation, conduct a Readiness Assessment and submit the package.
- Respond to and remediate any clarifications or requests for information from the sponsoring agency or the FedRAMP JAB.
- Perform continuous monitoring, reporting and compliance activities as mandated by FedRAMP to ensure that the system stays in compliance after the initial P-ATO is granted.
- Conduct an annual assessment by a 3PAO to ensure that the system meets US Federal security standards as prescribed in NIST SP 800-53.
Most CSPs hire compliance specialists to assist with managed services, managed security services and/or compliance reporting for FedRAMP accreditation.
Typical FedRAMP Accreditation Costs
As described earlier, FedRAMP accreditation costs can vary by compliance level, the current state of the CSP’s platform and the availability of in-house expertise. In general, based on nearly 10 years of ATO experience in FedRAMP, FISMA and DFARS compliance, we have found the following indicative costs:
- FedRAMP advisory services to develop the SSP and associated appendices, and to review policies and procedures to ensure they meet Federal standards, typically cost $75,000 to $175,000 for a FedRAMP Moderate system.
- 3PAO assessment costs for an assessment at the Moderate level, including a penetration test and submission of the Readiness/Security Assessment Report (R/SAR), can vary between $125,000 and $175,000. An LI-SaaS assessment could be lower and might only cost $30,000 to $40,000.
- 3PAO annual assessments can cost anywhere between $75,000 and $125,000, depending on the selected organization and the level of assistance requested.
- Additional costs for architecture, engineering, monitoring and tools might also be required depending on the nature of the solution and gaps found as part of the initial assessment. Commonly required external technical services include anti-virus/malware protection, firewall protection, centralized authentication with MFA, SIEM, FIPS 140-2 validated VPN, etc.
In practice, a typical FedRAMP accreditation budget may range from $250,000 to $3 million, depending on the project model, the nature of the services purchased and the assistance required. stackArmor's pre-engineered ATO Acceleration solution can help reduce the time and cost of ATOs by 40%. Leveraging a pre-engineered, secure-by-design security boundary, integrated security services and automated continuous monitoring can reduce the cost of a FedRAMP project to less than $750,000.
Ready to dive deeper into preparing for your FedRAMP journey? Read our whitepaper.
There is considerable focus on streamlining the process and making it easier for organizations to obtain an ATO. CSPs should develop a strong understanding of the requirements by visiting www.fedramp.gov.
Common Showstoppers and FedRAMP Certification Cost Drivers
Commonly observed challenges and causes for cost escalations include:
- Lack of policies and procedures that adequately cover NIST SP 800-53 control families and demonstrate organizational maturity. Developing these artifacts takes time and is a significant cost line item on most engagements. Organizations that have gone through other certifications such as SOC2, ISO 27001 or others find it easier to comply with the documentation requirements.
- The technology architecture has deficiencies, and there is a backlog of work around adopting FedRAMP-accredited services and robust continuous monitoring for users, data and the application stack.
- Use of crypto modules that are not FIPS 140-2 validated for data protection, for both data-in-motion and data-at-rest encryption. Typically, there is an expense associated with third-party solution purchases and/or remediation.
- Lack of adequate understanding of the target market and agency-specific security needs, and poorly defined data segmentation between commercial and government customers. US Federal and DOD agencies have specific security requirements that will drive the eventual ATO (authorization of the system). It is important to understand and architect for appropriate levels of segmentation and the ability to add security overlays. Early market research can help identify such issues and prevent costly remediation at a later stage.
ATO Acceleration with stackArmor ThreatAlert™
stackArmor's certified Cloud, Security and Compliance architects have performed cloud migrations and compliance projects for US Federal and Department of Defense agencies since 2009 and have developed an audit-ready solution.
"We could not have achieved our FedRAMP and DOD ATOs without the engineering and compliance ready solution from stackArmor." — Mark Willis, CISO, Bluescape.
Clearly, there is significant cost and complexity associated with being ready to host and secure government data. Using FedRAMP-accredited cloud services such as Amazon Web Services (AWS) can help reduce the cost of compliance as well as accelerate the ability to meet NIST SP 800-53 requirements. AWS cloud services offer a variety of tools and capabilities for continuous monitoring, encryption and “certified” components that reduce the compliance “footprint”. Additionally, as part of the ATO on AWS program, there are vetted partner solutions that help reduce the cost and time associated with obtaining a FedRAMP ATO.
stackArmor is an Advanced AWS Partner specializing in FedRAMP, FISMA and DFARS compliance on hyperscale cloud services like AWS and AWS GovCloud for commercial organizations. As part of the ATO on AWS partner program, stackArmor offers a Cloud GSS (security system) called stackArmor ThreatAlert™ that is specifically tailored to meet NIST SP 800-53 security requirements on AWS and AWS GovCloud. The stackArmor ThreatAlert solution includes the following key components:
- Dedicated Security Boundary – A FedRAMP compliant security boundary with an integrated security system meeting NIST SP 800-53 security control requirements including FIPS 140-2 compliant remote access; MFA authentication & authorization; boundary protection; continuous monitoring & SIEM (Security Incident Event Management); and segmentation for production data.
- Complete FedRAMP Package – Pre-filled FedRAMP templates and documentation including technical control descriptions, policies and procedures (based on the shared responsibility model) for nearly 50% of the control requirements.
- Post-ATO Continuous Monitoring – Pre-ATO and Post-ATO managed security and compliance services to meet FedRAMP compliance requirements for continuous monitoring reporting and management.
stackArmor ThreatAlert™ helps reduce the time and cost associated with a FedRAMP accreditation process by 40-50% by using automation and pre-filled templates that are tailored for AWS-based applications.
Are you looking to become FedRAMP compliant? Contact us and ask about our ATO Accelerator Assessment, which is a firm-fixed-price offering worth $10,000 available for free to qualified AWS customers. The ATO Accelerator Assessment is conducted by certified AWS and Security Professionals covering business, technology and security topics specific to the customer’s environment. The Assessment report includes a gap analysis report that highlights critical deficiencies and also helps develop a budget and roadmap for FedRAMP compliance.
Community Input and Comments from Experienced Subject Matter Experts:
Martin Rieger, CISSP/CCSP, CISA/CRISC/CISM, GSLC:
“This is a great article, but there are a couple of things I would adjust. The only costing that appears off is in the second bullet under the section titled “Typical FedRAMP Accreditation Costs”. It should say the Security Assessment Report (SAR) and the cost range is more like $125-190k depending on the 3PAO. The RAR happens separately and before the assessment even begins. The RAR is a tool to help obtain sponsorship and demonstrate readiness to an agency. It also gets you in the marketplace where everyone wants to be.
3PAO assessment costs for conducting an assessment at the moderate level including conducting a penetration test and submitting the Security Assessment Report (SAR) can vary between $125,000 to $195,000. An LI-SaaS assessment could be lower and might only cost $30,000-$45,000.
In addition to the RAR being out of place, it is not mentioned as an activity. While it is required by the JAB, it is not required by all agencies, but some will request it before they agree to work with you as a sponsor. This leads me to the most important activity missing from the article: obtaining sponsorship is the most critical component. Under the section titled "Key Steps for FedRAMP Accreditation including Post-ATO Activities", obtaining sponsorship is the single most important and in many cases the most difficult task. Sponsorship is half the battle. As a CSP you can begin your FedRAMP journey without a sponsor, but to complete the accreditation process, you have to have one."
John Keese, Head of Compliance, Zoom Video Communications (via LinkedIn):
"Good write-up here. One note on advisory services. One should note that advisory services are often viewed by a new CSP entering FedRAMP as a "hand-off" and the advisory firm will get it all done for them. Not accurate in my experience (having completed over 7 authorizations). I would suggest using advisory on a T&M basis only for assumption verification through a CSP's journey to FedRAMP authorization, vs thinking that a traditional gap analysis and notional SSP and policies are the end state for a CSP. Automation is key to getting this done and keeping continuous compliance. Selecting the right GRC tool is as important as any of the items pointed out. Thanks for sharing!"
Ready to take next steps in your FedRAMP Journey?
How long does it take to get a FedRAMP ATO?
Schedule a free discovery consultation and get a tailored budgetary and time estimate.