FedRAMP Cost
How much does it cost to become FedRAMP Authorized?
FedRAMP Cost Factors
- Scope: How many and how complex are the cloud services your company provides?
- Approach: Agency or JAB? A JAB Authorization is generally more challenging to get through.
- Risk: Does the data you are processing require Low, Moderate, or High security categorization for your FedRAMP authorization?
- Current Information Security Maturity: How big is the “gap” between how you currently operate (and the documentation you have to support it) and where you need to be?
- Resources: Do you have resources on staff with the time and expertise to take you through the Authorization Process? Or will you need to hire a consulting firm to do that?
FedRAMP Cost Considerations
- Preparation Cost: How much does it cost to get ready to be “certified” by the 3PAO?
  - Consultant Costs (if needed):
    - 80% likelihood to be $60K +/- $25K for Low Security Categorization
    - 80% likelihood to be $90K +/- $25K for Moderate Security Categorization
    - TBD for High Security Categorization (too early to estimate)
  - Capital Expenditures (if needed):
    - 80% likelihood to be < $40K for Low Security Categorization
    - 80% likelihood to be < $60K for Moderate Security Categorization
    - TBD for High Security Categorization (too early to estimate)
- Certification Cost: How much does it cost to have the 3PAO perform the required testing?
  - 80% of Low Security categorizations would fall into a $TBD range (it's uncommon to pursue Low, so we have not yet seen enough 3PAO pricing to estimate)
  - 80% of Moderate Agency Security categorizations would fall into a $130K +/- $30K range
  - 80% of Moderate JAB Security categorizations would fall into a $200K +/- $50K range
- Ongoing Operation & Continuous Monitoring Program Compliance: How much does it cost to maintain your Authorization?
  - TBD (requirements are still evolving at this time)
Because most of the early companies pursuing FedRAMP tend to be larger companies, these numbers are likely skewed a bit in that direction. However, the cost to implement a FedRAMP environment will not differ notably between a 50-person and a 5,000-person CSP, as the process, controls, and required documentation are the same.