By ORock Technologies and ImmixGroup
Software vendors and federal systems integrators continually wrestle with authorization for their cloud services through the Federal Risk and Authorization Management Program (FedRAMP). It’s fair to ask whether your company really needs FedRAMP authorization at all?
The short answer is yes: Applications have to be FedRAMP compliant before they can be sold to federal government agencies as software as a service (SaaS). FedRAMP authorized applications also are advertised on the FedRAMP Marketplace, which is where government agencies go to determine the types of solutions available to meet their requirements.
The real question is how to handle the cost and complexity of the technical, compliance and documentation challenges of FedRAMP authorization. Should it be handled in-house or should some or all of the process be outsourced?
Is DIY Authorization for me?
To determine whether you can handle FedRAMP authorization on your own, you must first understand the responsibilities involved.
This process requires a team with specific expertise applicable to FedRAMP authorization. Once you’ve selected or built a compliant hosting environment, you’ll require security compliance personnel such as certified information systems security professionals (CISSPs) who can write to FedRAMP controls (NIST 800-53), conduct continuous monitoring and manage annual reassessments. They’ll need to prepare and maintain a system security plan (SSP) consistent with FedRAMP requirements – hundreds of pages for each application in the process.
Additionally, you’ll need application engineers to configure your application to FedRAMP controls (NIST 800-53), and a seasoned project manager to guide the process through to authorization and manage all ongoing continuous monitoring requirements. You’ll need to select a third-party assessment organization (3PAO) to assess the application, SSP and all documentation. And re-authorization has to be completed with FedRAMP annually, so you’ll need experts who can recognize potential issues and changes in the requirements.
Even with in-house resources, it may still be worthwhile to bring in outside experts and hosting capabilities get to market more quickly. Of course, this can ratchet up both cost and complexity. Another alternative might be a services vendor who can bring these diverse resources under one roof.
Resource issues?
How much will authorization cost your company? It can easily run into the millions, but the real answer depends on how complicated your application is and the resources you have on hand. Here are a few things to consider:
Hosting: Before placing your app in a FedRAMP authorized cloud, know how many security controls it will inherit from the hosting environment itself. To host the software yourself, you’ll have to document and go through all of the controls for your own environment. That can take more time than hosting in a third party cloud that already has the appropriate authorizations.
Managed Services: Most public cloud service providers will leave you with the responsibility of managing the application – from continuous monitoring to patching updates to application security. Look for a service provider that offers a more comprehensive approach and can manage the application on your behalf.
FedRAMP authorization is a necessary but complicated process that can consume a significant amount of a company’s human and financial resources.
Given the complexity of the process, it may make the most sense to continue to focus on your core business instead of doing it yourself. immixGroup offers a turnkey program called OnRAMP that enables you to outsource the authorization process and reduce your time to market while controlling your costs. ORock’s and immixGroup’s OnRAMP program offers an alternative approach to going through the FedRAMP process on your own. To learn more about the OnRAMP program, click here.
This blog is adapted from an article written by immixGroup analyst Lloyd McCoy and published in Washington Technology’s online magazine. The full article can be found here.
