June 23, 2023

Last Updated on January 15, 2024

If your org is thinking of striking out after a Federal Risk and Authorization Management Program Authority to Operate, aka a FedRAMP ATO, you need to establish a robust business case before plunging ahead.

Mike Craig, CEO at Vanaheim Security, explains how he advises new clients on the cusp of their FedRAMP journeys.

Sponsorship and business case

“There are a couple things you need to even get started down the FedRAMP road,” says Mike.

“First, you need to have a sponsor agency, which means you must be selling directly to the US government already before you get this authorization. And that agency must be willing to sponsor you into the collective whole.”

As you’re lining up a sponsor, the next question is whether the FedRAMP process makes good business sense overall. Are you content with having a single government agency as the mainstay of your SaaS business, a situation that doesn’t require a FedRAMP ATO? Or do you want a multi-agency revenue profile, which does?

You need to carefully establish your government market strategy and exactly which and how many agencies you’re looking to sell to.

Authorization level

Having decided to pursue a FedRAMP ATO, you need to choose which authorization level to aim for. The FedRAMP program currently authorizes cloud service providers (CSPs) at one of three impact levels:

  • Low Impact, which applies only to SaaS applications where the loss of confidentiality, integrity, and/or availability of data would have only limited negative impacts on agency operations, assets, or people. The special LI-SaaS Baseline is for low-impact SaaS applications that do not store personally identifiable information (PII) beyond basic login credentials.
  • Moderate Impact, the most common choice by far (about 80% of FedRAMP ATOs). This is for offerings where a loss of confidentiality, integrity, and/or availability would have major adverse impacts.
  • High Impact, as is required in defense, financial, healthcare, law enforcement and emergency services systems, and others where the expected impact of an incident would be severe or catastrophic. High Impact cloud environments process the government’s most sensitive unclassified data.

The higher the authorization level, the more time (easily a year), effort, and money it takes to get there. Having executive buy-in and capital settled upfront is essential. Per FedRAMP guidance, a Low Impact authorization is not appropriate for CSPs that want to pursue a JAB P-ATO rather than direct agency sponsorship.

About the LI-SaaS Baseline

While the LI-SaaS Baseline might seem like a tempting target for multi-agency selling, Mike notes that it’s the least common FedRAMP authorization type awarded.

“LI-SaaS is a very, very light authorization for SaaS providers that are going to be integrated with others inside a government solution and not have access to any data that the government considers sensitive,” Mike relates.

Thinking ahead

Deciding whether and how to pursue FedRAMP authorization involves not only your current prospects but also future aspirations. Who are you talking to today and who might you be talking to in a year or two?

For example, if you’re thinking a Low authorization might be OK for now, but you’ll need Moderate later, would it make sense to make the extra effort to pursue Moderate now? Likewise, if you have aspirations to ultimately sell to the US Department of Defense (DoD), should you factor High control requirements into your architectural decisions and investments now, even though you’re shooting for a FedRAMP Moderate sponsorship initially?

Often, it’s a balancing act of capital outlays now versus time and effort later. This is why it’s so important to lay out all your options and guesstimate the cost/benefit profile for each.

What’s next?

For more guidance on this topic, listen to Episode 120 of The Virtual CISO Podcast with guest Mike Craig from Vanaheim Security.
