How much does it cost to become FedRAMP Authorized?

FedRAMP Cost Factors

Scope: How many and how complex are the cloud services your company provides?
Approach: Agency or JAB? A JAB Authorization is generally more challenging to get through.
Risk: Does the data you are processing require Low, Moderate, or High security categorization for your FedRAMP authorization?
Current Information Security Maturity: How big is the “gap” between how you currently operate (and the level of documentation you have to support that) and where you need to be?
Resources: Do you have resources on staff with the time and expertise to take you through the Authorization Process? Or will you need to hire a consulting firm to do that?

The main reason to consider FedRAMP certification is the significant business opportunity that it represents. The OMB policy driving FedRAMP is a “Cloud First” policy, which requires agencies to use cloud alternatives when available. OMB is tracking compliance with the agencies as part of a multi-year, multi-billion-dollar cost-cutting effort.

If you provide Cloud Services and you want to sell these cloud services to the U.S. federal government, you will need to become FedRAMP Authorized to Operate.

What are the Benefits of FedRAMP?

From the government's perspective, the major benefit of FedRAMP is that it allows federal agencies to save significant time, costs and resources in their evaluation of the security of cloud providers.

From a Cloud Service Provider’s perspective, the major benefit of FedRAMP is that it makes you a “preapproved” vendor, so it simplifies the procurement process. You also only need to report on your security to one entity rather than every client, saving you time and money.

FedRAMP Cost Considerations

Preparation Cost: How much does it cost to get ready to be “certified” by the 3PAO?

Consultant Costs (if needed):
80% likelihood to be $60K +/- $25K for Low Security Categorization
80% likelihood to be $90K +/- $25K for Moderate Security Categorization
TBD for High Security Categorization (too early to estimate)

Capital Expenditures (if needed):
80% likelihood to be < $40K for Low Security Categorization
80% likelihood to be < $60K for Moderate Security Categorization
TBD for High Security Categorization (too early to estimate)

Certification Cost: How much does it cost to have the 3PAO perform the required testing?
80% of Low Security categorizations would fall into a $TBD range (it's uncommon to pursue Low, so we have not yet seen enough 3PAO pricing to estimate)
80% of Moderate Agency Security categorizations would fall into a $130K +/- $30K range
80% of Moderate JAB Security categorizations would fall into a $200K +/- $50K range

Ongoing Operation & Continuous Monitoring Program Compliance: How much does it cost to maintain your Authorization?

TBD (requirements are still evolving at this time)

Because most of the early companies pursuing authorization tend to be larger companies, these numbers are likely skewed a bit in that direction. However, the cost to implement a FedRAMP environment will not differ notably between a 50-person and a 5,000-person CSP, as the process, controls, and required documentation are the same.
