March 8, 2021

Last Updated on January 13, 2024

FedRAMP (short for Federal Risk and Authorization Management Program), which assesses and validates cloud services for use by federal agencies, has seen a huge jump in interest in the past year. But gaining a FedRAMP Authority to Operate (ATO) is a rigorous process that doesn’t happen overnight.

How long is it likely to take your company to get a FedRAMP ATO, start to finish?

Stephen Halbrook, Partner and government compliance lead at Schellman & Co., shared his considerable insight on this and many other FedRAMP topics on a recent episode of The Virtual CISO Podcast.

“I would say 6 to 12 months from start to finish,” Steve estimates. “They’re going to work on the advisory consulting piece for a couple of months. Then assessment for a few months. And then they have to account for the unknown that happens at the end, which is the agency review process or the PMO [Program Management Office] review of the results from the assessment. And that can be iterative. There can be some pretty big findings that come out during the assessment and they may require a couple of weeks or a couple of months to work into a release plan, or to get implemented without breaking other things, just given the complexity of the FedRAMP process.”

“So the advisory and the assessment pieces you can pinpoint pretty well,” clarifies Steve. “But the unknown is really when you get to the reviews at the end of the assessment. And then, of course, ultimately that authorization.”

“I think that timeline is good if somebody already has a reasonably mature environment; they’re already ISO 27001 certified or have a SOC 2 attestation or something of that nature,” interjects host and FedRAMP veteran John Verry, Pivot Point Security’s CISO and Managing Partner. “But if somebody doesn’t have a mature control environment… Because one of the challenges you run into is every time you ask somebody, ‘How do you do this?’ and they say, ‘We don’t or we’re not sure…’”

“So that onset of getting the initial tranche of the SSP [System Security Plan] done can kind of drag on,” John relates. “Because if you’ve got to consult on every one of those 325 controls, versus for three-quarters of those controls, they say, ‘Oh, yes, here’s how we do it.’”

In short, most CSPs can expect their FedRAMP ATO process to take a minimum of 6 months, up to well over 12 months, depending on the gap between their current security controls and the robust security posture that FedRAMP mandates.

If a FedRAMP ATO application process is on your planning horizon, don’t miss this podcast with Stephen Halbrook.

To listen to the complete episode, click here. If you don’t use Apple Podcasts, you’ll find all our podcast episodes here.


New CMMC V2 Certification Guide

A Simple Guide to Comply with the DoD's Cybersecurity Maturity Model Certification (CMMC) This NEW CMMC V2 Certification Guide will give you a quick and easily digestible introduction to the CMMC and the process we use to help our clients become CMMC compliant.