According to Terry Halvorsen, the chief information officer for the DoD, "The granting of these provisional authorizations is an important step in our strategy to drive cost down by moving more of our mission data to the cloud” (Serbu, 2015).
Make no bones about it, if your company is cloud based and wants to sell into the federal government, dealing with FIPS, FISMA and FedRAMP will be impossible to avoid. If you’re reading about this for the first time, the good news is that you’re not alone. I recently attended the RSA Cyber Security conference in San Francisco and I was surprised how little the companies out there knew about these requirements. They expressed a lot of interest in the government sector as a vertical, but a lot of education is still required.
The government certainly believes these regulations will be a major upgrade in their security efficiencies along with a significant cost savings initiative.
Below I’ve listed the different ways your company can go about becoming compliant with FedRAMP and the approximate approval process time.
The most popular question that comes up in all of my discussions of FedRAMP is: how much does it cost? I wish I could provide a more definitive answer, but the truth is that each company will have a customized engagement depending on several factors. What I can tell you is that the general range we’ve been hearing for the 3PAO process is $200-$250k.
Winvale will be conducting an upcoming webinar later this summer dedicated to FedRAMP, and we’ll have a guest 3PAO, Stephen King of COACT, to provide everyone an insider’s perspective into the process.
If you want more information or would like to speak directly with me, I can be reached at msolomon@winvale.com or 202-534-1755.