Becoming FedRAMP & StateRAMP Authorized Part III
The Journey to FedRAMP is Arduous —
When and Why Should You Bother?
Author: Baan Alsinawi, CISSP, CCSP, CISM, CGEIT, CASP+ ce, and Managing Director at CISO Global
You’re in your company’s go-to-market meeting. You’re excited about a new cloud application your team is developing. Your leaders are trying to understand the application’s market and ideal clients. Someone in the room suggests, “We should sell this to government agencies. It would solve so many of their problems.” Your sales team gets excited, someone pitches it to the board, but when it lands on your CEO or compliance officer’s desk, they say, “Are you serious!? Have you heard what Company X went through in trying to become FedRAMP authorized? I need to see the business case before we invest in that amount of effort.” In fairness, this scenario is accurate because, well, it’s true.
Undergoing the processes and investments needed to become FedRAMP authorized, a requirement you must meet before contracting with any agency in the U.S. Government, is somewhat painful. How do I know? I not only guide clients through the process every day, but also developed and received FedRAMP accreditation for a cloud application that supports continuous monitoring. Yes, I had to take that application and our team through the entire process, myself. It’s like the commercials where the man says, “I’m not only the founder. I’m a client!” That’s me, and I will happily give you the insider’s perspective on the realities of FedRAMP compliance. If you find yourself apprehensive and want to know 1) the advantages and 2) just what’s required to prepare for FedRAMP authorization, check out the first and second articles in this series. For our purposes here, I’ll assume you’re already interested and jump in.
I speak to the issues and ROI of FedRAMP authorization as someone who has been both the head of a 3PAO (FedRAMP consultancy) group and a client. Our software as a service (SaaS) platform, TiGRIS, solves governance, risk, and compliance (GRC) challenges. It is not only one of the few on the market that’s FedRAMP authorized – making it usable by government contractors to track and manage their compliance – but it’s also supported by a full team of experts for continuous monitoring capabilities. (Continuous monitoring means you actively monitor your IT systems and networks to demonstrate to the government that you remain compliant, identifying and remediating threats, system performance issues, and/or compliance problems.) In our context with TiGRIS, undergoing the lengthy authorization process made sense.
Still, I will be transparent about the fact that we had to do two things at once – become compliant and continue running our business. It’s not easy to fulfil your existing clients’ needs, support ongoing sales cycles in the pipeline, and still drive major change in your company’s policies, documentation, procedures, and technology. Most often, companies wanting to sell cloud services to the government are startups. Startups are under a lot of pressure to continue developing their applications and perform financially; hiring full-time internal staff to help them execute on all the steps needed to become (and stay) compliant isn’t realistic while focus is on dev, sales, and delivery. Cloud app companies need outside assistance, and they won’t be able to realize the return on those investments for a full year, at best.
Our FedRAMP Roadmap
Believe it or not, I have undergone this process not once, but twice. First, my group developed a SaaS called ECMS and achieved FedRAMP authorization in 2015 with the sponsorship support of a government agency backing us all the way. When we saw all the advantages of moving our offering to the AWS cloud, including elasticity, scalability, and more, we realized these would directly benefit our sponsoring agency. Moving to a new environment meant architectural changes, and that meant starting over. The agency agreed to help sponsor the development of what is now known as TiGRIS, a cloud application designed with FedRAMP in mind. The FedRAMP milestone was achieved for TiGRIS in 2019. At that point in time, we already had a stable group of clients and decided to invest in the internal staff needed to not only meet the demands of continuous compliance, ourselves, but to support clients who wished to do the same.
Two-pronged Litmus Test for FedRAMP Certification
When you consider whether or not becoming accredited is worthwhile, it’s important to think through your leaders’ existing contacts and whether or not you have the ability to gain support from a specific agency that wants to buy – and is willing to sponsor for that purpose – your cloud offering. That agency will serve as your FedRAMP sponsor throughout the process. Additionally, it’s important to build consensus among your company’s stakeholders that FedRAMP is an avenue you wish to pursue. Having agency sponsorship is a significant part of that business case. What will further support your case is an understanding of your commercial buyers. If your cloud application becomes FedRAMP authorized, will that further incentivize them to buy from you? For many, especially in regulated industries, FedRAMP certification is a feather in their cap – an achievement that speaks to the trustworthiness and merit of their brand. That was definitely the case for us. In addition to the agencies we were actively serving, our other clients wanted to know we could meet incredibly stringent requirements in our own compliance program. So, if FedRAMP accreditation would serve as a differentiator for your brand, that’s another reason to consider taking the road to compliance.
For our group, the benefits were clear. Even beyond providing our services to agencies, we believe in the importance of maintaining FedRAMP compliance as evidence of our ongoing commitment to the highest standards of excellence in managing cloud applications. Trust me, if you’re willing to jump through the FedRAMP hoops, no one will question your commitment to security in the cloud!
Issues That Would Make FedRAMP Unwise for an Organization
Many organizations approach us seeking FedRAMP support after just a few internal discussions in which they have concluded that federal agencies would be ideal customers for their business. I can point you to some telltale signs that your organization may not be ready.
- Lack of viable strategic and tactical plans for FedRAMP
If you don’t have a clear vision for how you plan to work with agencies, which agency will sponsor your process (the easier of the two possible routes to authorization), and your tactical plan doesn’t account for all the work and investments involved, you probably aren’t ready. If not every stakeholder has a clear picture of what this effort will require, it could lead to internal frustration, division, and derailments. It’s better to take the time necessary to research and plan up-front for everything your organization will need to do than to jump in and find out mid-process that some people weren’t fully aware of, or don’t support, the vision.
Working closely with your finance team to plan for the estimated expenses that will arise at each point in the process will enable them to ensure that 1) funding is available when you need it and 2) proper planning is done to either bring in new revenue sources or cut back elsewhere in the business to accommodate these planned costs. Additionally, if they lack buy-in on the length of time it will take for your sales team to begin driving FedRAMP ROI, you are likely to put them under pressure that could lead to resentment. Business is hard enough without internal strife, so taking the extra time to bring finance along is well worth it. Finance supports the viability of your company, so make sure you listen to and achieve consensus with the people you’ve entrusted with your organization’s spending and profitability.
- Understaffed teams that don’t have the expertise or time needed to support FedRAMP compliance
You likely hired your cloud developers based on their ability to build out all the functionalities you foresaw as being valuable to clients – not on their experience as secure coders. Those are two very different skillsets, and few organizations have the foresight to architect applications, environments, and functionalities that are secure by design at the code level. Further, it’s hard to convince investors that you need funding for a cybersecurity architect. Those specialists are both rare and in great demand, so their salaries will be higher than others (if you can find and hire them). You may need to engage an outsourced cybersecurity specialist to help build (or overhaul) your cloud architecture to ensure its security. This is not optional if you want to contract with federal agencies, so go ahead and include that in your budget.
- Achieving and Demonstrating Internal Compliance
How many startups budget for a compliance expert as part of the founding team and build their cybersecurity program out of the gate? You don’t even have to answer that. I already know that unless your business is cybersecurity, it’s a resounding none. Yet, you will need to change your company’s practices and procedures, build documentation, and develop policies that align with requirements under the FedRAMP framework. Security isn’t just about technology; it’s about operational controls, as well. Becoming compliant under FedRAMP rules means meeting standards in each of those areas. As with achieving cloud security, you will likely need to engage an outsourced expert to help you build and implement these controls – something that can’t happen overnight. Again, a realistic roadmap will accommodate the time and investments needed to drive these efforts.
- Understanding of What Comes Next
Once you achieve FedRAMP authorization as a cloud service provider (CSP), you will still have actions to take. You will need to maintain continuous monitoring to demonstrate your continued adherence to FedRAMP requirements. The government doesn’t just care that you can do something at a point in time. They want to know that you continue to remain secure and follow best practices as you deliver services to them on a daily basis. Continuous monitoring of your SaaS application is required to retain FedRAMP accreditation. You will either need to hire full-time internal staff dedicated to this task or outsource it to someone who has the expertise and may be a more financially viable option.
My Advice to You
- Read Up. There is a fantastic FedRAMP PMO website that can serve as a rich source of information as you and your team read up on what you need to do to become authorized. Chances are, lots of people have asked the same questions that are rolling around in your head, so starting with the FedRAMP FAQs will help get you moving in the right direction. The more you educate yourself and your team, the easier it will be to ensure that everyone is on board and prepared. Once you have read through that, you will want to have those who will be heavily involved in the process read the CSP Authorization Playbook. From there, you can follow links to answers for just about any question you can conceive. Again, education is your friend in this process.
- Talk to an expert. As mentioned earlier in this series, don’t skip the Readiness Assessment Report template. It will help you get a feel for where you are in your readiness, so you can begin making changes internally to be more prepared for what lies ahead. Once you have taken that assessment, you will want to engage a 3PAO to help you map out the investments, effort level, and next steps. Expert input at the outset should ensure you don’t make any missteps that could cost time or money later. They are likely to give you what’s called a gap assessment, which is just a clear definition of where you are in relation to where you need to be, and the prioritized steps needed before you will meet FedRAMP requirements. Additionally, they can serve as execution support for any documentation, policy creation, or other needs you can’t fulfill with existing staff.
- Learn about security by design now. Rather than waiting until you have already built your cloud application and then having to take backward steps or add on security as an afterthought, engage an experienced cybersecurity professional who knows how to help you build something that is secure from day one. They can guide your development team and help you think about risk mitigation techniques like segmentation as a way to protect what you are building. I have yet to see a situation where someone saved money by adding cybersecurity at the end of their building process; it’s nearly always more cost effective to just build something properly from day one.
If you’d like an insider’s support to help minimize the pains and maximize the benefits of the FedRAMP accreditation process, reach out to us anytime. We’re here for you with a full team of experts.