Last Updated on June 29, 2021
FedRAMP, the Federal Risk and Authorization Management Program, assesses and approves the security of cloud services so that federal agencies can use them. Attaining a FedRAMP Authority to Operate (ATO) can open some lucrative doors for cloud service providers (CSPs). But this exacting process takes considerable focus, effort and resources even if you already have a robust cybersecurity posture.
How much is it likely to cost for your company to achieve and maintain a FedRAMP ATO?
Stephen Halbrook, Partner and government compliance lead at Schellman & Co., shared his extensive experience on costs and a range of other key FedRAMP topics on a recent episode of The Virtual CISO Podcast.
Host John Verry, Pivot Point Security CISO and Managing Partner, offers: “We hear numbers like US$400,000 to US$600,000 to get to FedRAMP Moderate. Fair number? Too high or too low?”
“It varies, right?” Steve shrugs. “I don’t think it’s too high or too low if you’re factoring in advisory and consulting, technology changes that they’re going to have to make, the personnel cost; and then, of course, the assessment.”
“What gets me is somebody will come out and say, ‘FedRAMP is cost prohibitive. It’s over a $1 million to get through the FedRAMP process.’ Or it’s $2 million,” gripes Steve. “These big numbers… and they’re not providing context, right? What makes up that cost?”
“From my perspective, if you’re going to use rough ballparks—let’s say $100,000 to $150,000 in consulting, the RAR [Readiness Assessment Report] would be $50,000-ish, the C3PA [assessor] would be $20,000 to $25,000; something like that,” John considers. “And correct me if I’m wrong, but most organizations are going to stand up a dedicated Gov environment/FedRAMP environment. They’re not going to try to run their ISO environment and then FedRAMP that, and then keep running both within one environment. So you’ve got the dedicated cost to setup that stuff. Maybe you need some hard costs on a new SEIM solution, new vulnerability configuration management scanning stuff, multifactor authentication… Those are the kinds of things that would change that $450,000 to $550,000 or something like that, correct?”
“Agreed and great point,” concurs Steve. “What we most often see is a provider has a very successful commercial offering that they want to sell to the government. So, they stand up a federal dedicated instance of that offering and get that FedRAMP authorized versus their entire commercial platform.”
“Is that actually a requirement?” wonders John. “Are there any requirements within FedRAMP that you have to have that level of segregation? Or does it just make sense to do it?”
“It’s not a requirement for FedRAMP; it just makes sense to do it,” clarifies Steve. “Where it becomes more relevant is if you’re going to start selling into the DoD and start talking about impact levels 4, 5 and up. That’s where a provider will run into an issue if they’re trying to run their commercial platform through the DoD process. They’re going to need something separate and dedicated.”
What about the follow-on cost of maintaining a FedRAMP Moderate ATO?
“From an assessment perspective, we usually say it’s roughly 75% to 80% of the year one cost for the assessment,” Steve indicates. “That annual assessment is really a repeat of the initial assessment. It’s just that there are fewer controls that we’re testing.”
If your company is ready to take a run at a FedRAMP ATO, you’ll find many highly valuable insights in this podcast episode featuring Stephen Halbrook.