There has been a lot of talk the last couple of years regarding when the FedRAMP certification program for cloud computing products would officially go into effect for the federal government. A couple of weeks ago we finally started seeing signs of progress with The Department of Defense (DoD) announcing security approvals for 23 cloud providers. Additionally, the GSA has implemented a new SIN 132-40 for Cloud IT Services under the IT 70 schedule.
Dealing with FedRAMP
According to Terry Halvorsen, the chief information officer for the DoD, "The granting of these provisional authorizations is an important step in our strategy to drive cost down by moving more of our mission data to the cloud” (Serbu, 2015).
Make no bones about it, if your company is cloud based and wants to sell into the federal government, dealing with FIPS, FISMA and FedRAMP will be impossible to avoid. If you’re reading about this for the first time, the good news is that you’re not alone. I recently attended the RSA Cyber Security conference in San Francisco and I was surprised how little the companies out there knew about these requirements. They expressed a lot of interest in the government sector as a vertical, but a lot of education is still required.
The government certainly believes these regulations will be a major upgrade in their security efficiencies along with a significant cost savings initiative.
Benefits (FedRAMP, 2015)
- Increase re-use of existing security assessments across agencies
- Save significant cost, time, and resources – “do once, use many times”
- Improve real-time security visibility
- Provide a uniform approach to risk-based management
- Enhance transparency between government and Cloud Service Providers (CSPs)
- Improve the trustworthiness, reliability, consistency, and quality of the Federal security authorization process
Know Your Options
Below I’ve listed the different ways your company can go about becoming compliant with FedRAMP and the approximate approval process time.
- Self-submission: 15 months
- Third Party Assessment Organizations (3PAOs): 9-12 months
- Agency Sponsor: 4-6 months
- Partnering with companies authorized to operate cloud services for all or some federal agencies
How Much Does It Cost?
The most popular question that comes up in all of my discussions of FedRAMP is - How much does it cost? I wish I could provide a more definitive answer, but the truth is each company will have a customized engagement depending on several factors. What I can tell you is that the general range we’ve been hearing for the 3PAO process is $200-$250k.
FedRAMP by the Numbers
- 32 - Commercial companies that are FedRAMP certified to perform cloud based business with the federal government
- 38 – Accredited 3PAO’s to perform independent testing to verify your company is meeting the standards set by the federal government
- 17 – Provisional authorized vendors to operate cloud services to the DHS, DOD and GSA
- 15 – Authorized vendors who have worked directly with a customer agency
Be on the Lookout
Winvale will be conducting an upcoming webinar later this summer dedicated to FedRAMP and we’llhave a guest 3PAO, Stephen King of COACT, to provide everyone an insider’s perspective into the process.
If you want more information or would like to speak directly with me, I can be reached at msolomon@winvale.com or 202-534-1755.
