FedRAMP – The Basics
Since you are reading this article I’m going to assume you are going through, or about to go through, a FedRAMP audit. If you’re looking to get a FedRAMP ATO (Authority to Operate) this is the article to start with. If you’re already in-process you can probably skip this, but there may be some reassuring and good information to have, so I’d recommend you still give it a read.
I’m going to try to sprinkle in important acronyms related to the process and eventually I’ll get around to making an index of them. So pay attention, acronyms will be in parenthesis. I’ll also throw some random notes at the end that may be important before you begin your assessment.
If you don’t know what FedRAMP is or you just think of it as a pain in the ass, here’s a good way to think about it. FedRAMP is your official due diligence package for Federal Government agencies. Agencies that have authorized your use are like letters of recommendation or referrals to other agencies. Agencies AND other companies seeking FedRAMP ATOs will seek out your product because you have already eased the process for them.
To start I’m going to review the different FedRAMP levels and where you’ll likely fall on that. You’ll find that for 90% of cases you’re going to need a Moderate. Then I go into the JAB (Joint Authorization Board) vs Agency Sponsored process. You’ll see what they each mean and why it’s best to go with the sponsored process. Finally I’ll take your through some info on 3PAO (3rd Party Assessment Org) and how the general audit process goes.
FedRAMP assessment levels
When you start the process you need to classify your service based on the Confidentiality, Integrity, and Availability expected and required. You may be tempted by Li-SaaS and Low level assessments due to the price point and ease of assessment, but that won’t fly. Your assessment level is mostly dependent on the data you hold for your customers.
If you’d like to really drill down into the details of assessment levels, I’d recommend reading the FIPS 199 publication. Otherwise, check out the levels below.
Li-SaaS or Low (probably not you)
If you only take in emails, usernames, and/or passwords you will likely qualify for an Li-SaaS or Low assessment. Anything else and don’t hold your breath.
These assessments are the easiest. You will perform more attestations on meeting security controls than the others. There are minimal security controls on this assessment, though still many.
I’ve seen the pricing on a Low assessment from $40k-$80k.*
Moderate
Most CSPs (Cloud Service Providers. You!) will qualify for Moderate. You have PII (Personally Identifying Information) and probably some data the agencies want to keep secure. If you have anything more than emails, usernames, or passwords, you are most likely here. If users are inputting info and it’s stored on your systems, you are probably here. That’s just the way it goes, don’t waste your time arguing.
You are going to do a large chunk of the security controls. I want to say at least 2/3 will be reviewed with your 3PAO. There aren’t a whole lot of attestations on the moderate, but there are some!
I’ve seen the pricing on the Moderate assessment from $60k-$120k.*
High
If you’re running critical software you’ll need a High ATO. I think Healthcare systems, ITAR data(weapon system data), law enforcement, emergency services, financial systems… I haven’t had to do a high, but they are out there.
A High assessment involves all the security controls being reviewed and tested. I’d imagine there are very few attestations for these controls during a High assessment.
I haven’t had to do a High assessment so I don’t know the pricing.
FedRAMP JAB vs Agency Sponsored
Before I can begin, I can tell you right away it is best to get sponsored if you can. The JAB process isn’t even a guaranteed ATO because you still need to have an agency use your service and grant you an ATO!
JAB
I haven’t done a full JAB, but I did go through a quasi-hybrid process with the GSA. We lost our sponsor and went through the process before we had a sponsor willing to sign. The JAB is done in front of 3 different agencies; for us it was the GSA and then 2 different department of defense agencies (it has been a while, I can’t remembre exactly). So instead of just having a sponsoring agency and the FedRAMP PMO you have some additional scrutiny.
Agency Sponsored
When you go through a sponsored assessment you have an agency already signed up wanting t use your service. They are taking on some risk by vouching for you to the FedRAMP PMO. Your 3PAO assesses your system and then you and your 3PAO discuss findings and other issues with your sponsoring agency. Your sponsor and the FedRAMP PMO then work with you and your 3PAO to fix any deficiencies and get your ATO.
FedRAMP 3PAO assessment
Before you begin, you need to understand that your 3PAO is your partner in this. They want to do their job and assess your system to ensure it’s secure and safe. Your assessor is not there to be your adversary. Passing this assessment is just as important to their business success as yours.
Picking your 3PAO
Set out to get 3 quotes. Always throw Coalfire in there. I think Coalfire is the most successful and up to date 3PAO on FedRAMP. I believe they currently have the most ATOs. They are generally priced highest, but they can be worth it if you the money.
The FedRAMP Assessment
I’m not going into great details here, that will be in my next FedRAMP article, but I’m going to give you a quick rundown.
The assessment will occur in stages. Your 3PAO will first send you documentation on all controls you need to cover. You will then create documentation explaining all about how you meet these controls. For Low/Li-SaaS I’ve seen 170pg+ packages. For Moderates I’ve seen 400pg+ packages.
Once you’ve completed the documentation and sent it in your 3PAO will review it. Your 3PAO will then want to sit with your people to find what’s missing from the documentation or to fix any of their misunderstandings. They’ll continue filling in your docs and try to push you to fix any problems they find. This is one of the chances you’ll get to fix things that are frowned upon. Once this “audit” is complete they’ll review all the documentation on their own. They may have questions or some clarifications they need while they review, they’ll contact you for those details.
Now your 3PAO is putting together yet another package, this one meant to test your controls and your documentation. They will send this to you and will simultaneously run a pentest themselves. The pentest and testing on their end is strictly through public endpoints. For testing most of your controls you will be required to screenshare or screenshot the mechanisms in place to meet the controls. Make sure to include explanations to screenshots and anybody viewing with you. The last part of going over your controls is running your own internal vulnerability scanner and pentesting tools. They’ll want clean reports for each of these before moving forward (vuln report they want clean or you better have good reasons for still having things pop up. The pentest is less important as false positives are more common).
FedRAMP – getting your ATO
Once your assessment is done you will meet with your 3PAO, the FedRAMP PMO, and your agency/the JAB. They will have your packets. Sometimes they will have reviewed it before you meet, sometimes you’re going over it with them during a meeting (remotely or in office).
This end almost feels like the assessment again but it will go quicker. The PMO and agency will have questions and now you AND your 3PAO will answer. You and your 3PAO will defend any perceived deficiencies or clarify any requests from the PMO or agency.
Now you wait a couple weeks for them to finish reviewing the packet. You may have to hound some people to get this done. There may be a couple useless meetings you have to attend. Just stay on top of your people and get that final signature!
Once it’s done it will be on the FedRAMP marketplace. You now have an ATO.
FedRAMP – now you know
Now you know the general details you’ll need to get your first FedRAMP ATO. Make sure to read through and understand FIPS-199 so you can classify your system assessment level (cough, moderate, cough). You can decide on a JAB assessment or better yet, just take your time and find a good agency fit for your product and ask for a sponsorship. Then you can find your 3PAO and run through the assessment. From start to finish, you’re looking at 6-12 months. Remember, your 3PAO is an ally of yours, help them help you. Good luck!
Random Notes
* the pricing is very fluid. I’ve seen $150k assessments turn into $1M assessments once the 3PAO knew our company was over $100MM ARR.
- I’d HIGHLY recommend using AWS or another provider with a FedRAMP ATO. I always have and AWS covers 20-30% of your controls automatically.
- You can probably cover 80%+ of your technical controls with AWS tools
- You can cover a large chunk of your other controls with COTS products
- It may be best for your organization to create a separate “FedRAMP” region or account
- You can definitely cover everything with open source solutions. I wouldn’t want to do that again though.
- If you can’t drum up $1M+ ARR it’s not worth doing FedRAMP unless your tech/infrastructure teams are operationally excellent
- With great teams I could see a FedRAMP ATO being worth it for $700K ARR or more.