Pivot Point Security
PPS ISO 27001 Logo
Access The Latest Episodes from The Virtual CISO Podcast

FedRAMP Cost

How much does it cost to become FedRAMP Authorized?

FedRAMP Cost Factors

  • Scope: How many and how complex are the cloud services your company provides?
  • Approach: Agency or JAB? A JAB Authorization is generally more challenging to get through.
  • Risk: Does the data you are processing require Low, Moderate, or High security categorization for your FedRAMP authorization?
  • Current Information Security Maturity: How big is the “gap” between how you currently operate and the level of documentation you have to support that, and where you need to be to close that gap?
  • Resources: Do you have resources on-staff with the time and expertise to take you through the Authorization Process? Or will you need to hire a consulting firm to so that?

FedRAMP Cost Considerations

  • Preparation Cost: How much does it cost to get ready to be “certified” by the 3PAO?
    • Consultant Costs (if needed):
      • 80% likelihood to be $60K +/- $25K for Low Security Categorization
      • 80% likelihood to be $90K +/- $25K for Moderate Security Categorization
      • TBD for High Security Categorization (too early to estimate)
    • Capital Expenditures (if needed):
      • 80% likelihood to be < $40K for Low Security Categorization
      • 80% likelihood to be < $60K for Moderate Security Categorization
      • TBD for High Security Categorization (too early to estimate)
    • Certification Cost: How much does it cost to have the 3PAO perform the required testing?
      • 80% of Low Security categorizations would fall into a $TBD range (its uncommon to pursue low – so we have not yet seen enough 3PAO pricing to estimate)
      • 80% of Moderate Agency Security categorizations would fall into a $130K +/- $30K range
      • 80% of Moderate JAB Security categorizations would fall into a $200K +/- $50K range
    • Ongoing Operation & Continuous Monitoring Program Compliance: How much does it cost to maintain your Authorization?
      • TBD (requirements are still evolving at this time)

    As most of the early companies that are pursuing tend to be larger companies these numbers are likely skewed a bit in that direction.  However, the cost to implement a FedRAMP environment will not differ notably between a 50 person and a 5,000 person CSP as the process, controls, and required documentation is the same.

    fedramp-consultingfedramp-expert A 10-minute call with a consultant could save you hours of research.

Download FedRAMP Simplified Checklist

Review the necessary steps for FedRAMP “certification.”

fedramp-checklistDownload]

Contact a FedRAMP Expert

Speak with a FedRAMP expert to see if FedRAMP “certification” is right for you.

Contact