Is FedRAMP Worth It? Overcoming Common Obstacles, Part 3
By: Baan Alsinawi, TalaTek founder, and Managing Director, Strategy & Risk, CISO Global
Companies developing cloud applications face a lot of decisions when looking for new markets and ROI. Those interested in the government space are staring at a huge one: whether to go through the rigorous FedRAMP authorization process so they can offer their solution via the FedRAMP Marketplace (see Blogs 1 and 2 of this series for advantages of becoming FedRAMP authorized and ways to prepare for FedRAMP authorization1).
I chose to pursue this route with TiGRIS, our SaaS, so I know the challenges companies deal with. We are also a FedRAMP-authorized third-party assessment organization (3PAO), and we advise companies going through the process. The biggest challenge our clients face in obtaining FedRAMP certification? They want to be able to focus on their business, and FedRAMP is a big added responsibility that they typically are not staffed or equipped to handle—from developing the cloud application, to implementing the necessary security requirements, to managing continuous monitoring on an ongoing basis.
Why and When We Sought FedRAMP Accreditation/Certification for TiGRIS
As a risk management and compliance company, we have always considered FedRAMP as a strategic goal to 1) allow us to market our services to federal agencies and 2) demonstrate to other state and commercial clients our commitment to this highest industry standard for securely managing cloud applications.
We actually went through the process twice. First, we had a FedRAMP-accredited SaaS solution called ECMS; it was certified in 2015. When we embarked on our roadmap to move to the AWS cloud to leverage the many services there, we approached our sponsoring government agency to help sponsor our new SaaS, TiGRIS; it was authorized in 2019. We designed TiGRIS with FedRAMP requirements in mind.
Two important keys to our success:
- We understand the benefits of FedRAMP and believe in the importance of obtaining it.
- We have been willing to invest in building an internal team able to manage the rigorous FedRAMP requirements before, during, and after accreditation.
When we talk to clients considering certification for their cloud application, we find they have this in common: They don’t understand the level of effort it will take to do it right, the time it takes to do it right, and how important it is to have the skilled resources to make it happen. These can be summarized as follows.
Lack of Corporate Vision
- Not researching the process ahead of time or consulting with experts to get a realistic idea of what’s required.
- Lacking strategic vision at the highest level to support a lengthy and resource-heavy effort that will take many months to demonstrate ROI.
- Not anticipating or managing the costs of meeting FedRAMP requirements.
- Not having developers who understand secure development principles and know how to build a secure cloud architecture into the application.
- Lacking a team that understands FedRAMP requirements and can implement processes, procedures, and operational controls aligned with FedRAMP requirements.
Not Understanding the Post-Authorization Process
- Not being prepared for continuous monitoring of the SaaS application once it is FedRAMP accredited.
- Inability to manage the market needs and to ensure federal agency sponsorship to the FedRAMP Marketplace.
How to Overcome These Obstacles
- Take advantage of resources on the FedRAMP PMO website to educate yourself on the process. The FedRAMP FAQs are a good place to start. The CSP Authorization Playbook goes over the process in detail, with links to other FedRAMP information. Yes, it is a lot. But it will lay out the road ahead and help you determine if pursuing FedRAMP fits your strategic goals.
- Use the Readiness Assessment Report template to perform a self-assessment to see if you have the technical capabilities in place. This will also help you determine if you have the staffing and corporate support to continue.
- Talk to a 3PAO advisor to get a clear idea of the effort and costs involved. Undergoing a gap assessment can help you determine how ready you are and what you lack. And a 3PAO advisor can also help you prepare the documentation and navigate the steps involved.
The Importance of Building Your Cloud Application to Meet FedRAMP Requirements
Security by design is not a catch phrase. It’s our business plan. Our developers implemented secure cloud architecture principles when designing TiGRIS to meet FedRAMP requirements. They built in critical controls for encryption, FIPS compliance, incident response, and configuration management, to name a few.
The FedRAMP website provides the requirements in detail. Anyone planning to develop an application in the cloud should study these requirements and implement them. This will enable you to build a more secure cloud solution, even if you ultimately decide not to pursue FedRAMP authorization.
Final Words of Advice
As we have stressed in all these blogs, the FedRAMP process is designed to be tough. But once you have the corporate commitment to pursue it: Buckle up! You’re in for a ride!
1 FedRAMP—Federal Risk and Authorization Management Program—is a U.S. government-wide initiative that standardizes the security assessment, authorization, and continuous monitoring processes for cloud products and services that federal agencies use. FedRAMP’s main goal is to ensure the security and privacy of government data in the cloud by establishing a set of common security requirements and controls that cloud service providers must meet.