June 23, 2023

Last Updated on January 15, 2024

It’s well known that attaining a Federal Risk and Authorization Management Program Authority to Operate (FedRAMP ATO) can be a long, costly, and demanding process. What time and cost factors should your org be thinking about for your FedRAMP ATO journey?

Do you have a potential agency sponsor?

Initiating a contract relationship with a US federal agency that will sponsor your FedRAMP ATO can take a year or more, and that’s just the starting point. So, if you already have a sponsor or likely sponsor, that shortens the overall timeline considerably.

Add to that roughly one year minimum for the third-party assessment and submission package review process. On top of that, your agency may require you to go through a readiness assessment, which culminates in a Readiness Assessment Report (RAR). That’s an additional testing regimen that takes approximately two months minimum and costs something like $50,000. Bigger, more complex environments take longer and cost more to get through the testing.

This is why a two-year timeframe for FedRAMP authorization is considered typical. Do

Do you need to rebuild your solution?

Another factor that can extend your FedRAMP timeframe and costs is your solution building and rearchitecting process. Finding all the right pieces to make your commercial offering government ready can easily take six months or longer.

You may also need to make staffing and/or process changes, especially if you have international teams. Creating a US-based data center and help desk is a common example.

What are ballpark FedRAMP costs?

Say your company is aiming for a FedRAMP Moderate ATO, with deployment of your service in a FedRAMP Authorized public cloud to account for physical security control requirements. What is a general cost range to achieve FedRAMP authorization?

“I set an expectation of somewhere between $500,000 and $1.5 million for your capital outlay for the whole process,” says Mike Craig, CEO at Vanaheim Security. “That includes both a readiness assessment and your full assessment.”

A company’s first assessment is going to be the most expensive, because the 3PAO will test every single control and they generally charge by scope of work. As part of continuous monitoring, only one-third of the controls are tested each year. Typical costs for a first-time FedRAMP Moderate assessment can be in the neighborhood of $200,000 to $250,000.

The upfront rearchitecting of a commercial product to make it FedRAMP compliant will also add to the first-time authorization costs. Additional costs for consulting services often run $100,000 to $200,000.

“The larger and more diversified your company is when you start, the more expensive it tends to be,” Mike advises. “Because the slices of people performing those roles gets narrower and narrower in larger companies, and it requires more touch points and more coordination.”

What’s next?

For more guidance on this topic, listen to Episode 120 of The Virtual CISO Podcast with guest Mike Craig from Vanaheim Security.

Interested in a checklist to see how ready you are for an ISO 27001 certification audit?

It's a little more complicated than just checking off a few boxes.
To learn more, download our ISO 27001 Un-Checklist now!