June 20, 2023

Reading Time: 22 minute(s)

Ep #120: A FedRAMP ATO – The Good, The Bad and the Ugly

June 20, 2023

To do wide-scale business within the US federal government, cloud service providers (CSPs) need a FedRAMP ATO. The prospect can be daunting as few CSPs have federal cyber compliance expertise. Misconceptions and misinformation can create additional roadblocks

In this episode, your host John Verry, CBIZ Pivot Point Security Managing Director , sits down with Mike Craig, CEO at Vanaheim Security, who gives clear guidance with business and security leaders on what it takes to get a FedRAMP ATO, including best practices and common mistakes.

In this episode, join us as we discuss

Key considerations to help decide if a FedRAMP ATO is worth pursuing
How long a FedRAMP ATO really takes, how much it really costs, and why
The three stages of the FedRAMP journey
Key participants in the FedRAMP “dance” and how they relate
Huge pros and cons of an agency sponsorship versus the JAB authorization path to a FedRAMP ATO

To hear this episode and many more like it, we encourage you to subscribe to the Virtual CISO Podcast

Just search for The Virtual CISO Podcast in your favorite podcast player or watch the Podcast on YouTube here

To stay updated with the newest podcast releases, follow us on LinkedIn here

See below for the complete transcription of this episode!

Intro Speaker (00:05):

Listening to the virtual CISO podcast, providing the best insight on information security and security it advice to business leaders everywhere.

John Verry (00:19):

Uh, hey there, and welcome to yet another episode of the virtual CISO podcast with you as always, John Ver, your host. And with me today, Mike Craig. Hey, Mike.

Mike Craig (00:29):

Hey, how’s it going?

John Verry (00:30):

It is going, uh, well, shaky. I’m, I’m in, I’m in, uh, an office, which is being deconstructed around me. We, we closed our office and move into another place, so, uh, hopefully it won’t be too noisy in the background here. So I always like to start simple. Uh, tell me a little bit about who you are and what is it that you do every day?

Mike Craig (00:51):

Sure. Um, so I, uh, partner with Pivot Point Security with my own company called Anaheim Anaheim Security. And what I do every day is I help commercial companies who are making the decision or going through the process of achieving FedRAMP authorization with the federal government, uh, to achieve that authorization in all of its intricacies and, uh, nuances all the way through the process,

John Verry (01:20):

Which is exactly why you’re here today. So I’m looking forward to chatting with you about that. Uh, before we get down to that, uh, I always ask, what’s your drink of choice?

Mike Craig (01:30):

Uh, so I am a street bourbon kind of guy.

John Verry (01:35):

Love it. Give gimme me, gimme. What’s your go-to?

Mike Craig (01:39):

Uh, so Jameson, uh, on the rocks is, uh, is the go-to for just the regular old Friday night. Um, occasionally we, we get, uh, in some sort of Kentucky bourbon. My family’s from that area. So we have, uh,

John Verry (01:53):

Have you done, have you done the Bourbon Trail if your family’s from the area?

Mike Craig (01:57):

Uh, I, I have, but it’s been a long time, uh, since I was living in that area. I was military, so I moved around all over the place and mm-hmm. <affirmative> haven’t actually been home, um, in quite some time.

John Verry (02:10):

Yeah. It’s one of the, you know, I’m a, a huge bourbon guy myself, and it’s actually one of the shocking things is I have not done the bourbon trail yet, so gotta get my butt there. Gotta get my butt there. Yeah. All right. So let’s talk about fedra. So, so getting a FedRAMP, ato, or authorization to operate, um, is essentially necessary if you wanna be a cloud services provider to a federal agency, or at least a significant one. Mm-hmm. <affirmative>, uh, there’s definitely a pot of gold at the end of the road, but the path to get there is definitively a long and a bit arduous one. So excited to talk about, uh, about how do we optimize that journey. Um, so let’s start with the basics. What is Fedra and who should consider it?

Mike Craig (02:55):

So, the FedRAMP program, uh, as a whole is, um, it was formed in 2017, um, because each individual agency going through the ato or authorization to operate process, um, was individually accrediting these service providers that were providing, uh, cloud services to multiple agencies. So, uh, three of the big, uh, names came together, that’s gsa, D O D and dhs, uh, came together to provide a sort of joint trust organization, uh, that can authorize these cloud services and then inherit the controls for each individual agency that has to go through this, uh, federal Information Systems Management Act, fisma, uh, process within their agencies. So when you’re providing a service on a federal contract, you can leverage these cloud services to help you meet security controls, for example, um, and or, uh, data hosting inside of, uh, uh, a data center, uh, where you can use those services, um, legally, uh, within your own ato, uh, as a partner, or if you’re the service provider, yourself, able to provide those services to multiple agencies with only one authorization.

John Verry (04:16):

Gotcha. So, just to be clear, what we’re saying is that if I’m a SaaS and I want to sell my, I want to gain a FedRAMP authorization to operate, to sell to one or more agencies, that if I’m using, let’s say Azure or if I’m using aws, that I’m able to, uh, inherit the controls that they’ve already implemented, which is, you know, roughly what, 19 20% or something of that nature

Mike Craig (04:42):

For the, the physical data center hosting mm-hmm. <affirmative>. Yeah. Yep. Yep. Okay,

John Verry (04:47):

Cool. Um, so I know that when we chat about FedRAMP, I know you like to break it up into sort of, I’ll loosely comb three buckets, uh, pathfinding architecture and assessment prep. And I know you have fancier titles than that, but I simplified things. I’ll let you come up with the fancier titles here. So let’s, uh, let’s kind of walk through that. So what do you mean by pathfinding and what does that phase typically encompass?

Mike Craig (05:11):

Sure. So when I’m working with a client, and we’re just starting off in that journey, there are a couple different things that you need to even get started in the process. Down the FedRAMP road, you need to have a sponsor agency, which means you have to be selling directly to the government already before you get this authorization. Um, and they have to be willing to sponsor you into the, uh, collective hole. So you have to find a sponsor, and you have to have that relationship built up. The other part is that it needs to make business sense. Um, while you could be just, uh, you know, going after this one particular agency, and that’s really kind of the main niche for your SaaS service. Uh, you really wanna look at your, um, your market strategy as a whole within the federal government serving agencies, uh, and exactly how many you’re looking to, uh, to sell to.

(06:03):

And you think you have a market for it, because there are different types of accreditations. So choosing the right accreditation path for your business, um, it makes the most sense. And then there’s the cost and capital outlays, as you mentioned before, this is a very long process, can take, uh, a year or more from beginning to end. And so making sure that, uh, you have that executive buy-in, uh, and the capital, uh, laid out, ready to go through this process, because it’s gonna take a long tail. Um, there’s a, there’s a long tail before you start seeing that revenue return. So we start off that process, uh, deciding the best path forward.

John Verry (06:45):

Okay. So, so pathfinding is ostensibly ensuring that we have a well business rationalized plan to go forward on. Right. And this does indeed make sense.

Mike Craig (06:57):

Yep, yep. And, and the steps, uh, to begin the process, finding that sponsorship engagement, um, and, and those components.

John Verry (07:06):

Right. Now, you mentioned that there are multiple, um, I forget the word you used, but basically multiple levels, if you will, right. That you might choose. Um, talk a little bit about that. Right. We’ve got low, moderate high, and we’ve got, what is it? L ISAs?

Mike Craig (07:22):

Uh, L ISAs is an option. Uh, it’s, it’s definitely the least common one. Um, but, uh, l ISS is a very, very light, uh, authorization for, uh, SaaS providers that are gonna be integrated with others inside of a government solution and not have access to any sensitive data, uh, that the government considers sensitive. So it is an option, um, but not a very commonly above that you have, uh, low, and by far the most common is moderate. Um, moderate is, uh, where you are able to hold, um, government data and, um, sensitive data at that first authorization level at FedRAMP High is an even higher level of authorization, um, and more, um, more sensitive data. And that’s gonna depend on the agency, um, as to which, uh, level they’re going to ask for in their contracts. It’s really their risk decision.

John Verry (08:25):

Gotcha. So, so in terms of when we’re working through that pathfinding, um, specifically, and that’s where I guess the value prop is of knowing not only who are they talking to right now, but who they might be talking to. Uh, cause like I’ve had talked to people that are, that are looking at a low authorization. And my general recommendation if someone’s looking low, is bite the bullet, spend a little bit more, go moderate. Cuz that’s sort of the sweet spot of the market. Right.

Mike Craig (08:53):

Right, right. And, um, and, and like you were saying, uh, in those different authorization levels too, I mean, if you have aspirations of selling to D O D and holding, like sensitive d o D data, um, you, you, you’re gonna have to, uh, go into Fedra High at some point. And so does it make the most sense to try and, uh, meet the control requirements of Fedra High at the beginning, uh, while shooting for sponsorship for a FedRAMP moderate, and then making that jump later after you’ve made those architecture investments? And, uh, and it, it’s all a, a capital outlay decision, right. And how long that’ll take, uh, and how many changes you would need to make. So all of that stuff is what we talk about in that pathfinding phase to make sure that your, your, uh, engagement strategy for your sponsor makes sense that your, uh, your market plan and, uh, and aspirations, uh, are commensurate with the level that you’re shooting for. And then that pathway to get to that end goal, um, it may make sense to make multiple steps or a single leap all the way up to high. And so that’s, uh, where we lay all of those different options out and cost benefit of each one.

John Verry (10:15):

Gotcha. All right. So, so we, that pathfinding phase is over and we typically move into, uh, you know, what you refer to commonly as architecture and assessment prep. Talk a little bit about what happens in that phase.

Mike Craig (10:29):

So depending on where you’re coming from as a company. Right. Um, so my clients that are coming in from, uh, a purely commercial sector with no federal experience at all, usually have a, uh, a, a commercial SaaS, um, available option. But there are architecture requirements within the fedra controls that, uh, you can try to say, I use the, the air quotes here, federalize your, uh, commercial application. But more commonly what ends up happening is, uh, building a second smaller federal enclave just to meet those control requirements. Uh, sometimes if, if you’re sponsoring agency can add in some additional requirements as well. And so you may have, um, say, offshore teams that are providing your tech support, uh, where they may have to be, uh, your federal team may have to be located, uh, within the us and there are a bunch of other requirements that sort of come with it.

(11:30):

So depending on where you’re coming from, uh, you may have, uh, small or large architectural process and, uh, HR changes that would need to come with achieving that FedRAMP authorization. And so that enterprise architecture approach of your people process technology, uh, all the way through end-to-end for operating your SaaS for federal clients, we look at what, what would actually need to change? How would you get there? How do you need to architect it in order to meet these requirements? And so we can start you down that path while you’re concurrently working your sponsor engagement <affirmative>.

John Verry (12:12):

Yeah. You know, the, the challenge of trying to run, let’s say an ISO 27,001 certified system in a FedRAMP ATO system in the same bucket is that you have to build to the high watermark mm-hmm. <affirmative>, you know, so, so, you know, there’s a, the effectiveness and efficiency of operation, I mean, you could do that, but you’re going to be spending a lot more to support an ISO client or a commercial client that really doesn’t care about attestation, uh, than would be necessary.

Mike Craig (12:41):

Right. And that, that becomes, uh, sort of a, your, your market segmentation analysis that we do in that first phase, right. Of, uh, just what does the profit profitability look like on your global enterprise, and does this make sense to make a whole separate system or not.

John Verry (13:01):

Gotcha. And what else? Anything else get covered in that assessment prep? I mean, where are we, is that where we’re beginning to, like is an example? Um, you know, I’d say arguably the single most important document in a, uh, federal ATO is the system security plan. Um, you know, where, where, you know, how much of the system security plan are we looking at there in that particular phase?

Mike Craig (13:23):

Uh, so I’m talking about three separate phases. You have your path finding where you’re, uh, doing your, your business, uh, evaluation. Mm-hmm. <affirmative>, then your architecture, uh, in decision making around your enterprise architecture of technical and process. Uh, and then the assessment prep comes.

John Verry (13:40):

Okay. So you consider that, you consider that? Yeah. So where the rubber’s starting to hit the road is all in that assessment prep phase,

Mike Craig (13:46):

Right? Right. Uh, because you’re gonna write this massive document, the system security plan, like you just mentioned, uh, the average is like five to 600 pages. Uh, it’s very templatized. Um, but there is a lot of detail that goes into this document. If you already have those processes and architecture built, and you know exactly what you’re doing, uh, built to the controls, then the documentation goes much faster. And, um, it’s, it’s, uh, you, there’s not a lot of back and forth, not a lot of changes speeds up the process tremendously. So in that assessment prep, you have your documentation, which is the system security plan, and approximately 25 other attachments and documents that go with that entire package for the ato that authorization to operate, uh, submission that we’re going to give to the sponsor. Um, but at the, the end of this whole process, uh, well, um, before the authorization, uh, you’re going to be assessed by a third party assessment organization, the three pao.

(14:50):

They’re gonna come into your environment, they’re gonna perform, uh, penetration tests. They’re going to look through your documentation, and then they’re going to start testing, um, according to various, uh, explicit, uh, requirements around, uh, to, to ensure that they have documentation and proof that you are meeting those controls in your environment, uh, both process and technology. So, uh, the, the, that assessment preparation phase is really to prepare you for that moment. It’s this, it’s a large, expensive, uh, uh, cost. And, uh, uh, you want to do well on it because you spent a significant amount of time and resources to get up to this point. Uh, that, that assessment prep has, has its own, uh, sort of function too, where, uh, the team who may or may not be familiar with the Fed process with, uh, these controls or how to speak to them, what the assessors are looking for, uh, there’s just a lot of ambiguity that sort of goes into it when you’re learning this the first time. And so that assessment prep process goes into the organizational learning, uh, I call it building that muscle memory around, um, understanding what evidence they’re looking for and how they’re going to interview you, how that process is gonna go, and help preparing all of your teams and speakers, identifying who that’s going to be, uh, and sort of organizing this large interview process that comes with these assessments.

John Verry (16:20):

So you touched on it a little bit, uh, with the idea that you’ve got this three pao that you’re working back and forth with. Can you talk about, I, I look at FedRAMP as being sort of a choreographed dance, you know, between C ISO or, you know, whether it’s the JAB or it’s an, it’s an agency, ato, the three pa, and you, and there’s a lot of back and forth. And can you talk a little bit about that choreography just to kind of set, uh, expectation for folks?

Mike Craig (16:47):

Sure. So the, the process as a whole, you’re going to decide that this, uh, going toward a FEDRA authorization makes business sense for you. You’re going to find a sponsor, and there’s a whole engagement process that comes with that. But after you find the sponsor, you’re going to very quickly want to find a third party assessment organization, A three pao. Now, the, uh, organization that does your advising cannot also be the one doing the testing that’s written into the rules. So you have to find a different one. Uh, if you’re partnering with someone, uh, or a firm as your advisor, find that three p a o, uh, because they’re going to be able to help answer some of the more ambiguous questions, and they can go together with your sponsoring agency, and you can have a three-way conversation to sort of figure out some of these ambiguous, uh, controls, how the sponsor would prefer to handle it, because they’re the ones who are ultimately gonna sign off on your authorization package. And, uh, you can get that clarification very early in the process, and I highly recommend doing that. Uh, as you go through that assessment preparation. So the solution building documentation, assessment, preparation, that dance choreography, uh, for the big show of the assessment itself, uh, that’s when the three PAO is actually gonna come in and perform that function where they are beholden to the agency sponsor. Right. And, uh, they, they work for them at that point and are collecting this data to prove that you are doing what you’re, say you’re doing in your submission package.

John Verry (18:25):

Yeah. Um, and how much does that, can you give folks a little bit idea how much that might differ? And what are the pros and cons of, uh, you know, a JAB centric approach versus an agency ATO approach?

Mike Craig (18:40):

Sure. So, uh, another player in this, regardless of whether you’re going an agency or a JAB authorization, is the FedRAMP Program management office. Uh, they’re going to be the central belly button, if you will, that your application is going to go through. And, uh, they are also going to be working with your agency sponsor behind the scenes or the jab. Now, the JAB stands for the Joint Authorization Board. That is, uh, those three member, uh, founding member agencies that I talked about, gsa, D O D D H S, uh, they have, uh, contracted teams out who are reviewers who do nothing but this and manage JAB authorizations. The, the pros and cons of each one. Uh, agency sponsorship is far and away the most common. And, uh, you have, uh, that foot in the door to a government agency that you are probably already selling your services to, uh, or that, uh, has agreed to sponsor you in this process, uh, because they need your services.

(19:46):

You already have that relationship. It’s the, the simplest way to get in. Um, the JAB authorization is, uh, taken from a collective pool of applicants in a given year. And, uh, they, they only take a very select number of, uh, candidates in a given year based on their, uh, perceived ability to get through those applications and take on, uh, new systems inside of jabs management. It’s much longer, it’s much harder. Uh, the controls are more exacting those, uh, gray areas and interpretation that I was mentioning earlier. They have a much stricter stance than most agencies. But at the same time, uh, as an agency sponsor, uh, if you go that route, it’s, uh, simpler, faster. But if you ever lose that client and you are selling to multiple, you expand your services, and you are now selling to multiple government clients, if you lose that sponsor agency as a client, then you lose your FedRAMP authorization with it, and you have to go through the process all over again.

(20:59):

If you have contractual obligations for you to be FedRAMP authorized, there will be a period where you would not be without, uh, covering that in, in some other way through, uh, a secondary system or something else. There are options, but they’re all difficult. Now, conversely, on the, on the side of the jab, uh, you have this extremely long tail, uh, to get in. I, I, uh, didn’t mention this in my intro, but, uh, I have been a, a three P ao, uh, assessor, but I’ve also had p and l, uh, leadership responsibility on a multi-cloud fedra platform that walked the whole process through from FedRAMP, moderate at the JAB authorization all the way up to FedRAMP high and d o d impact levels. Um, uh, it was a four is where we got to, uh, with an application for five. So I’ve been through, uh, both where your listeners are.

(21:53):

I’ve been an assessor, and, uh, I’ve been on the advising side, uh, kind of gone through every function of this, uh, regulators as well. Uh, I, I worked with them when I worked at DH s’s, uh, uh, agency-wide assessment, uh, organization. So I’ve been around, uh, done this, know most of the people that JAB sponsorship for me on my platform took 18 months from application to actually, uh, accepting us for, uh, our application to then start going through multiple assessment processes. End to end. It took two and a half years to get that jam authorization, but the magic number was six, uh, six separate government agencies that wanted, uh, our services. So, uh, once we sort of hit that multi-agency demand, they took us on. And then, uh, it, it took a very long time, but when it did happen, uh, as so long as we were able to keep six atos that were leveraging our authorization, then we were able to maintain our authorization without any individual sponsor or client. So that’s the trade-off. Um, much longer, much more expensive, more difficult. But, uh, as a large multi-agency, uh, service provider, we weren’t beholden to any individual client as our sponsor. If we lost any individual one, we didn’t lose our whole authorization.

John Verry (23:40):

Um, so we talked earlier about how critical that path phase is, right? Getting this thing off, um, on the right foot, right. Minimize cost, reducing complexity, shortening time to target. Ideally, um, you’ve been doing this a bit. What are some, I’ll call it tips or tricks or lessons learned from previous engagements?

Mike Craig (24:03):

Sure. Um, so what, what happens a lot, uh, is, you know, the, uh, senior leadership team decides like, we’re going to, uh, we’re going to start selling into the federal market. And so, uh, your action officers, your, your PMs, your team, uh, sort of get this, uh, uh, task from on high to go get a FedRAMP authorization without really a lot of planning that that goes into it. And so it, it, uh, understanding that, that, uh, executive buy-in of what it takes to get here and having that, uh, alignment organizationally, uh, all the way down from the beginning is a critical step to stopping this back and forth of realizing how much money this costs, we back off, uh, continue going, and it’s creates this sort of start and stop relationship with your sponsor. And it, it creates a, a, a lot of messes that I’ve seen, right?

(25:06):

Uh, so having that organizational alignment from the beginning, uh, you know, uh, whether you do it with through an advisory or not, uh, is, uh, is a critical step forward, uh, once you start into actually picking the solution itself. Um, another piece is that, uh, uh, FedRAMP, uh, will authorize services inside of the major cloud providers. Not all of them, but many of them. Uh, you can find them on their, uh, individual websites, Azure, Amazon, uh, Google Cloud. And those cloud native services allow you to speed up your, uh, federal platform, build quite a bit if you’re starting from scratch. If you’re trying to federalize an existing program, then, uh, you wanna make sure that your cloud native services that you’re utilizing are FedRAMP authorized. So, again, those are, uh, you’ll find in the FedRAMP marketplace has the, uh, Amazon and Azure, you know, federal government, cloud region, uh, authorizations.

(26:16):

But if you go to the Azure website, Azure for government website, and you go to the, uh, Amazon Web Services, uh, government website, uh, you can find the native services that they offer that are FEDRA authorized, uh, utilizing those in your build speeds things up quite a bit. Uh, and the other piece that, uh, that the fedra PMO really is harping on this year in particular, is, um, uh, FIPs. So it’s the federal information processing standard. It’s the encryption algorithms, uh, and standards that you use for data and transit and at rest, uh, there are specific FIPs authorizations. A lot of vendors will tell you that they are FIPs compliant. That doesn’t mean that they’re FIPs authorized. There’s a number that comes, uh, on the website if you go look it up, it, uh, and it provides the FIPs authorization number labeling, uh, those services inside of your data flow diagrams and everything else in, in your submission package is now required. So understanding that that is going to be a requirement, uh, or an kind of an unspoken unwritten requirement at the end of this whole process, very early on when you’re going through your build, uh, also saved an enormous amount of time, uh, vendors that you’re using have to have a FIPs authorization number in their crypto modules that they’re using.

John Verry (27:50):

Yeah. And that can get really tricky. Like, cuz I’ve seen like check, you know, like you can, you can see versions of Linux where a lower version and an upper version both are a LI authorized Right. But one in the middle isn’t <laugh>. Yeah. Um, which is just kind of odd, but, you know, I guess it’s because they have to submit it for testing.

Mike Craig (28:11):

Yep. Yeah. There’s a, there’s a whole testing process. Um, I’ve actually been through it, uh, with a, with a client one time. Um, it’s, it’s arduous, um, just as much as the fedra processes itself to get that FIPs authorization number, right?

John Verry (28:26):

Yeah. We had a client had to roll back, had to roll back the version of Linux that they were using in order to be compliant. Yep. Which is, which is weird, right? It caused other problems. <laugh>.

Mike Craig (28:37):

Yeah. The, the throughput of, uh, the organization that performs that testing is just as limited as FedRAMP its itself. And, uh, so the, uh, the modules that they’re using are not necessarily the, the latest or the strongest that are out there on the market. Um, it’s just what they were able to review in the throughput that they have. So it creates some limitations and, and kind of another reason that, uh, a lot of companies end up making a separate federal environment, um, because it, the high watermark may not even be

John Verry (29:12):

Actually

Mike Craig (29:12):

The latest greatest Right. <laugh>.

John Verry (29:14):

Yeah. It might, it might be low tide. Um, so you, you touched on, um, schedule timeline before, right? You know, you, you know, the idea that you, uh, your, your certification beginning to end took two years. You know, typically we hear numbers like one to two years. Would you agree that’s generally a good timeline for people to think about

Mike Craig (29:36):

Generally? So, yeah. Um, okay. So you ha you have that sort of, uh, sponsor engagement process, um, and inside of federal contracting, if you, your organization has experience with it, you know, it takes quite a while. Um, so you have that kind of an engagement process and your initial foot in the door contract into the federal environment, uh, in marketplace in the, in, in the first place. Um, and, and whether you have to go through that or you’re already there, right? And then, uh, you have, uh, roughly one year, um, just for the authorization process itself, uh, that, that’s the application. Um, if your agency is gonna require you to go through a, call it a pre-assessment, it’s a readiness assessment, um, with a readiness, recess readiness assessment report, the raw, um, the ra, uh, if, if you have one of those, um, not every agency requires it, but many do in the authorization process.

(30:38):

So that’s two testing regiments that you have to go through. Each one takes roughly two months at a minimum. And depending on how complex and complicated your environment is, you may have longer testing periods. Um, and then you have the actual package review time, uh, which if you’re submitting to the JAB or, uh, through to the PMO, can also sometimes take one to two months by itself, add all that together. You have, uh, one year is pretty quick. Uh, two years in between there is sort of more of an average timeframe. Um, but if you have a longer lead time in your architecture and that solution building process that we were talking about, cause you already have a lot of robust automation in your commercial offering that you wanna replicate in federal environment, finding all of the right pieces, the make your infrastructure compliant, uh, through that advising phase, that can sometimes take a long time by itself.

(31:42):

Uh, I’m working with a client now who’s on month 11 of that process, um, because they have a large international presence and we’re having to, you know, hire, uh, teams build into a, like a US based data center. And then, uh, we’re having to go through, uh, taking their, uh, their, they, they have this extremely fast, uh, C I C D pipeline, uh, two, three times a day. And we’re, we’re having to figure out, you know, how do we go through the FedRAMP compliant processes to push that kind of deployment that they’re used to, um, in a compliant way. So we found this, uh, very large, you know, architecture to make it through. Um, but it’s taking a long time with, uh, a lot of distributed global teams, uh, to, to find the process that, uh, where that, that delineation of roles and responsibilities is gonna start and stop mm-hmm. <affirmative>. So that can take very long just in and of itself.

John Verry (32:42):

Um, so one of the things you touched on that, that ra right, uh, you know, whether it’s required or not can change pricing quite a bit, right? It’s cuz a raar is, you know, 50,000 ish, I guess would be a fair number to float. Um, yep. If somebody, if somebody just generically said to you, Hey, we’re thinking about going fed rent moderate, because that’s the most common one we’re gonna deploy in, you know, in a w s or Azure. So we know that a lot of the physical security controls are being taken care of. Uh, would you care to guess, you know, what would be just a ballpark range of estimates you would tell people to set, set an expectation for?

Mike Craig (33:18):

Um, I set an expectation of somewhere in between 500001.5 million in your capital outlay across the whole process. Now that includes, uh, reserves, it includes, uh, both a ra uh, the readiness assessment and your full assessment. Now, one of the things to note is that the first assessment that you go through is the most expensive, right? Um, because you have to go through and test every single control after that, you only test one third of the controls every year. So, uh, the three PAOs generally charged by that scope of work. So your first one is, uh, your most expensive. So you’re gonna have to, um, eat all of those costs along the way. And, um, there is almost always at least some amount of architecture, um, work required and PMing work required in order to make your offering compliant. Even if you are already coming with federal experience selling to federal customers, um, on, on an individualized basis, uh, there’s still some architecture changes required. So, uh, all in all 500 to, to 1.5 million. Yeah. In a, in a total end end cost.

John Verry (34:35):

Yep. Yeah. The 1.5 is kind of more at the extreme end. I mean, it, it, you know, that, that fi but the half a million number for sure. I mean, you know, because Right. I mean, just the, you know, at a moderate level, a typical three p o assessment is, you know, two and a quarter, two 50, something like that.

Mike Craig (34:52):

Mm-hmm. <affirmative>.

John Verry (34:52):

Correct. So, I mean, that is correct with the RS another 50, then you’ve got all the build out, you’ve got internal cost. If you’re working with a consulting firm that can cost a, you know, a hundred, 150, $200,000. So the numbers do add up fast. So there is a pot of gold at the end of the rainbow, but it’s gonna cost a lot of money and time to get there.

Mike Craig (35:10):

Right. The the larger and more diversified your company is, uh, when you start, um, the, the more expensive it tends to be, uh, because your, uh, the slices of people performing those roles gets, uh, narrower and narrower in larger companies and it requires

John Verry (35:27):

More, more touch points, right?

Mike Craig (35:28):

Right. More touch points, more time, uh, more coordination. So it’s, uh, that’s where the 1.5 million comes from, is really depends on how big are when we start.

John Verry (35:38):

Gotcha. Uh, we beat this up pretty good. We miss anything?

Mike Craig (35:44):

Not that I can think of.

John Verry (35:45):

Nope. I got a gold star today. All right, thank you. Yeah. Um, so give me a fictional character, a real world person you think would make an amazing or horrible ciso and why?

Mike Craig (35:58):

Oh man.

John Verry (35:59):

Uhoh, um, you were doing so good. You didn’t prep for this, you didn’t see this question at the end of the agenda. I,

Mike Craig (36:05):

I didn’t

John Verry (36:06):

<laugh>. We’re gonna see, we’re gonna see if Mike speak thinks fast on his feet, folks. So we’re gonna see that.

Mike Craig (36:14):

Y you know, I think Dark Wing Duck would make a pretty great who? Ciso Dark Wing duck cartoon character from the nineties.

John Verry (36:25):

Wow. I don’t know that one.

Mike Craig (36:26):

Let’s, let’s get dangerous that guy.

John Verry (36:28):

No. Wow. I, I I don’t, I I don’t know that one. Okay, so tell me why. So that’s,

Mike Craig (36:34):

So that’s a Disney from like, uh, the, the nineties, um mm-hmm. <affirmative> roughly. Uh, he, uh, he, he’s a, an investigator. He doesn’t have any particularly special powers. Uh, think of him as like a reincarnation of the shadow nose from the, uh, old like radio show from the thirties. Remember that. Okay. So <laugh>

John Verry (36:54):

Alright. And if I did, I wouldn’t admit to it. <laugh>,

Mike Craig (36:59):

I’m, I’m familiar with, uh, pop culture way outside of my time. It’s, uh, it’s

John Verry (37:03):

Really, yeah, yeah. You certainly

Mike Craig (37:04):

Don’t look, it’s like, but I

John Verry (37:04):

Haven’t to do something from the 1930s, that’s for sure. <laugh> you think about 1930s, you’d have to be like 80 something years old to know the, that

Mike Craig (37:13):

I listened to it on cassette tape. Really? Uh, in the, in the, the eighties and nineties when I was growing up. Yep. Wow.

John Verry (37:21):

You should have gone eight track <laugh>.

Mike Craig (37:24):

I, I just missed, I just missed the eight tracks. That’s, that’s, that’s how old I am. Yeah. Uh, anyway, so, uh, you know, we’re talking about the, the nineties, uh, sort of explosion of cartoon shows after Heman. Um, but uh, before the, uh, Nickelodeon and Cartoon Network, so Saturday morning cartoons, dark wing duck, let’s get Dangerous. That was his thing. He’s an investigator by trade. Uh, but he, uh, he doesn’t have any particularly special powers and, um, he, uh, he, he really, uh, went at his, uh, his opponents in a very, uh, smart way, uh, with a, uh, it was, it was a, uh, it was a good use of his resources. He didn’t have the Batman built, he didn’t have all that stuff. He just kind of used his mind in a limited set of tools, uh, to accomplish great things. Save the World every episode.

John Verry (38:18):

Sounds good. Sounds a little MacGyvers to me

Mike Craig (38:21):

A little bit.

John Verry (38:22):

All right. So, uh, if folks wanted to get in touch with you, what’s the easiest way to do that?

Mike Craig (38:27):

Uh, so [email protected].

John Verry (38:32):

Awesome. It’s been fun, sir. Thank you. Appreciate you bringing the knowledge.

Mike Craig (38:37):

Thanks for having me on. It was a great talk.

What's Next?

To hear this practical, best-practice oriented show with Temi Adebambo

Click Here

Pivot Point is now part of CBIZ. Click Here for more information.

Ep #120: A FedRAMP ATO – The Good, The Bad and the Ugly

What's Next?

What do you think? Is Digital Business Risk Management the Future of Attack Surface Management?

Search our Blogs

What are the 5 Key DevOps Research & Assessment (DORA) Metrics and Why Should I Care?

ISO 42001: What are the Key Elements of an AI Management System?

ISO 42001, ISO 27001 and ISO 27701: Is This the New “Big 3” for Provably Secure and Compliant AI?

How Much Does ISO 27001 Certification Cost in 2024?

What is Distributed Ledger Technology (DLT) and How Can It Simplify Privacy Compliance?

Virtual CISOs and Community Banks—Perfect Together

What is Hedera Hashgraph and How Does It Solve Blockchain Privacy Issues?

Data Privacy Compliance in Higher Ed: Now is the Time

What is a TISAX Simplified Group Assessment and Who Can Use It?

CMMC Proposed Rule Changes: What’s Changing and How to Prepare

What is Kubescape and Why Should We (as Cloud-Native Developers) Care?

Container and Kubernetes Security: A Nontechnical Introduction

What is a Container and Why are They So Popular with Developers?

What is the New Jersey Data Privacy Law, and How Can We Streamline Compliance?

The EU AI Act: 9 Top Questions Answered

SOC 2 Reports – Which Trust Services Criteria Do You Need?

6 Key Takeaways from the 2023 SOC Benchmark Study

CMMC Proposed Rule: New Guidance on CMMC Level 3

The New CMMC Proposed Rule—Answers to Your Top 9 Questions

ISO 27001 Accreditation: Why It Matters for Cloud Service Providers

How can we help you?

Services

Compliance

Insights

Pivot Point Security