Becoming FedRAMP and StateRAMP Authorized, Part 2 — Common FedRAMP Mistakes You Can Avoid

By Isaac Hur, Senior FedRAMP/StateRAMP/CMMC Practice Lead and Quality Assurance

As a compliance auditor and practitioner in the FedRAMP space, I see a lot of mistakes cloud service providers (CSPs) make that cause them a tremendous amount of grief when seeking authorization. The process is painful enough on its own, but many of the people you hear venting frustration have made missteps. Either way, I’ll say that if this is an important part of your business plan, make it as easy on yourself as humanly possible. In that vein, I’ll outline for you the four biggest mistakes I see and how to avoid them. After all, our role is to help people get through FedRAMP with their sanity!

Mistake #1: Not Mapping to FedRAMP Security Requirements Up Front

Remember “pretests” in school? Nobody likes them because they make you feel like you don’t know something you should. In an effort to avoid feelings of failure, as well as save money, many organizations choose to skip the Readiness Assessment Report (RAR) component in FedRAMP preparation. The thought process goes like this, “I know I won’t pass this assessment, because I haven’t even started. I’ll just follow suggested steps until we are finished, then do an assessment.” However, you’re missing an important leg up if you go this route because the RAR (or alternative suggested below) will help map your existing cloud service offering (CSO) to the FedRAMP requirements in a very definitive way that can become your roadmap.

It’s important to note that many CSPs fail their readiness assessment at first. That is fine and completely acceptable, because the report will then give you a list of gaps in your current readiness that need to be addressed. In this way, your findings serve as a cheat sheet – telling you exactly what to do next in order to ensure your cloud service offering meets FedRAMP requirements. Trust me, there is nothing more frustrating than investing lots of time and money into the Security Assessment Report (SAR) assessment with a Third Party Assessment Organization (3PAO) only to realize that your cloud service offering doesn’t meet FedRAMP requirements. Better to get this information up front. It’s worth the investment.

One alternate route you could take would be to find a FedRAMP adviser who is not going to be your 3PAO and hire them to do a gap assessment. This will cost you a bit less in the long run than an accredited 3PAO will, and it gives you the same cheat sheet you needed to begin with. Then, your RAR can function more as confirmation that you have met initial milestones and are ready to move forward.

Either way, if FedRAMP renamed the RAR anything other than “assessment” more people might take advantage of it. Would you be more willing to pay for something called a cheat sheet? In reality, that’s exactly what the RAR (or gap assessment with an adviser) is.

Mistake #2: Lack of Organizational Commitment Up Front

Getting key stakeholders, executives, and technical subject matter experts to buy into the FedRAMP program may seem intimidating, but it’s well worth your time for a successful authorization process. Most business executives require clear ROI on any project they approve. In the case of cloud service providers seeking FedRAMP authorization, senior leadership may be hesitant if they know how long the process is likely to take before the first sale is made. It benefits the entire organization, however, to continue working with your leaders to show them the long-term benefit before undertaking authorization. There may be expenditures, and there will definitely be a significant time investment, so their full support will be essential to your success.

The good news is that while you may not see the ROI right away, you can gain government agency sponsorship before starting (meaning an agency formalizes their intent to work with your organization). This should provide you with some clear numbers to show your board and leadership before starting. Additionally, when the process is complete and you have obtained FedRAMP authorization, you are ready for guaranteed contracts, listing on the FedRAMP Marketplace, and the ability to cross-sell into the StateRAMP Marketplace. StateRAMP has been a significant boon to CSPs in this way, because many state contracts are easier, and the agencies are more accessible, for project bidding.

As part of demonstrating ROI, working with an accredited and reputable FedRAMP advisor or going through the Readiness Assessment can help you pinpoint any costs and resources you will need to complete the FedRAMP authorization process. This ensures that what you present to decision makers is accurate, and they have all the information needed to fully support your team’s endeavor.

Mistake #3: Not Understanding the Rigorous Security Requirements

As an update to the FedRAMP authorization standard, Cloud Service Providers now also need to meet all security requirements of NIST SP 800-53 Revision 5. It’s important to understand that while some compliance standards are measured at a point in time, FedRAMP authorization is ongoing. Authorized CSPs must stay compliant 100% of the time – with no lapse – to maintain their “Authority to Operate” in the FedRAMP program. If you set expectations with your internal stakeholders ahead of time and have a plan for continuous monitoring, you will avoid causing frustration among team members. Often, the challenge simply boils down to clear communication – keeping everyone in the loop about what will be required to continue as a FedRAMP Authorized CSP, which is what allows you to keep existing contracts. One major benefit of this requirement, however, is that your organization will work at staying secure, rather than letting standards slide once an audit has been completed.

Mistake #4: Not Having a Clear Operational Boundary Defined Ahead of Time

Defining your authorization boundary visually is essential when developing a cloud service offering for FedRAMP. You will want to formally diagram that boundary, along with a data flow diagram, to show in detail your offering’s internal components and its connections to, or communications with, external services. Additionally, you will need a clear definition of the data flow for all federal information and metadata throughout the information system. Together, these diagrams visualize every security control scoped into your information system and System Security Plan, and they serve as the authoritative description of how federal data is controlled in your cloud environment, including how it flows through the information system and out to external services.

If FedRAMP Were Easy, How Would It Affect the Program?

You should know that while it’s frustrating to many organizations that FedRAMP is difficult to achieve, the government intended it to be that way. In the current threat landscape and given everything that could be at stake in a compromise of government systems, the last thing anyone needs is a standard that anybody can pass at the drop of a hat. Cybersecurity is a culture, not a quick-fix issue. Federal regulators created the FedRAMP requirements to ensure that once someone receives FedRAMP Authorization, their status as a secure CSP can be reasonably trusted. This prevents a situation that would be even more difficult – that of revoking contracts and causing agencies to switch providers with little notification. Further, it prevents time and money waste in the government, helping to protect the ability of agencies to contract with private companies at all.

There are two paths for a CSP to become FedRAMP authorized:

  1. JAB – the Joint Authorization Board can grant a Provisional Authority to Operate (P-ATO):
    • To be granted P-ATO status, you will have the highest effort level, as your security authorization package has to undergo an extensive review and approval process by the JAB.
      • NIST defines that package as, “At a minimum… [the] system security plan, privacy plan, security control assessment, privacy control assessment, and any relevant plans of action and milestones.”
    • In this scenario, you are assigned a person called a FedRAMP ISSO, who will support you through the documentation development, review, and overall assessment process.
    • The authorizing board, or JAB, is comprised of officials from the General Services Administration (GSA), Department of Homeland Security (DHS), and the Department of Defense (DoD).
  2. FedRAMP Agency – an agency can grant an Authority to Operate (ATO):
    • If you have received agency sponsorship as a Cloud Service Provider, you qualify for this route.
    • The granting Agency in this case is responsible for accepting and taking on the risk associated with your cloud service offering, which motivates them to be extremely thorough in their review.
    • The ATO route leaves room for some variation with regard to the security authorization package content and the overall authorization process. The level of risk tolerance is solely up to the sponsoring Agency.

Advice to Shorten the Process

  1. CSPs are wise to begin building a strong cloud service offering early on, as it can really speed up the FedRAMP authorization process and spread the cost out over time. This is worth noting in your ROI conversations while getting stakeholders on board with the project; spreading out costs always helps ease the financial burden of significant spends.
  2. As mentioned earlier, working with an accredited 3PAO as a FedRAMP advisor and/or undergoing a readiness assessment will help your organization understand your existing security posture and how you measure up against the FedRAMP security requirements.
  3. Leverage your FedRAMP PMO. These folks are there to assist you throughout the process of implementing and documenting the controls that ensure you meet the rigorous FedRAMP security requirements. They are very knowledgeable, and communication with your FedRAMP PMO will help you get answers to any questions or concerns that arise about FedRAMP authorization.

What Will the Assessment Cost?

The cost of your assessment will depend on the complexity of your defined CSP environment, your security impact level, and which path you choose to achieve authorization. It will also vary depending on whether this is an initial assessment or an annual continuous monitoring assessment.

If you have chosen to work with an authorized and accredited FedRAMP 3PAO early on, they can also give you a better understanding of what the initial cost would be for an assessment.

CISO Global offers expert compliance support, with certified and highly experienced 3PAO auditors, a full suite of government contracting compliance support, and end-to-end services needed to implement security controls in your environment. If you’d like to talk to an expert about your compliance needs, you can reach out to us here. If you would like more information on our approach to security and compliance, our team, or anything else, explore our Strategy and Risk offerings.