Picture this: a cloud service provider eyes the United States federal government as a market and wonders about expanding in that direction. But as soon as they begin researching how to offer their services, they discover a compliance obligation that must be satisfied before they can even enter that marketplace.
They learn that, unlike the compliance programs they have already been through, selling cloud services to the U.S. federal government means first obtaining an authorization under the Federal Risk and Authorization Management Program (FedRAMP). They have little idea how that process works.
With its vast spectrum of agencies serving the American public, the federal government is a large potential source of business. But if you're a cloud service provider (CSP), you have to make it through FedRAMP in order to receive an Authority to Operate (ATO) in the federal marketplace.
It’s a complex process from end-to-end, but we’re here to explain how it all works.
As a FedRAMP Third Party Assessment Organization (3PAO), the Schellman team doesn't actually participate until later in this process. We do not provide consulting or preparatory services, only the assessments, but we've had enough conversations with clients who have come at this in different ways to have a thorough understanding of your options.
There are two ways to receive an ATO. After reading this article, you'll be more comfortable choosing a way forward because of the pros and cons we present for each approach, and you'll have a better sense of which direction suits you and be that much closer to providing cloud services to the government as a FedRAMP authorized provider.
The 2 Approaches to Becoming FedRAMP Authorized
1. The Joint Authorization Board (JAB) Process
We'll start here, because there are some caveats to taking this route, the biggest of which is how selective it is.
The JAB is made up of three organizations: the General Services Administration (GSA), the Department of Defense (DOD) and the Department of Homeland Security (DHS). It serves as the primary governing body of FedRAMP. However, the JAB only selects around 12 cloud products a year to work with it toward a Provisional Authority to Operate (P-ATO). Far more than that are vying for FedRAMP authorization, so this is the road less traveled.
For those who do wish to travel this way, here are some things to consider:
- Broad vs. niche demand: The biggest reason to seek authorization through the JAB is that you can establish broad demand for your product across the government. If you can demonstrate that numerous agencies could make use of your services, the JAB is more inclined to select you over other candidates. Broad appeal means you're more likely to qualify for a JAB P-ATO.
- FedRAMP Connect: How does the JAB settle on the roughly 12 cloud service offerings it grants provisional authorizations to each year? Through the FedRAMP Connect process, during which your offering is evaluated against the JAB Prioritization Criteria. Again, the broader your product's appeal, the higher on the list you'll likely land. Review the Criteria before completing and submitting the required documentation to see whether you qualify to proceed.
- Required readiness assessment: If you opt for the JAB path, you are also required to complete a readiness assessment. You will work with a 3PAO, who documents what amounts to a snapshot of your security posture in a Readiness Assessment Report (RAR). That tells the JAB you are FedRAMP Ready and prepared to be fully assessed against all FedRAMP requirements.
Once you are both prioritized and FedRAMP Ready, your 3PAO performs the full assessment and delivers a Security Assessment Report (SAR) identifying the risks your product poses, and you are responsible for developing a Plan of Action and Milestones (POA&M) to track and remediate what your assessor found. Only then does the JAB do its own review before deciding to issue the P-ATO that deems your product compliant with FedRAMP requirements.
(That "P" in P-ATO is important. Even if you make it through the JAB process, the JAB cannot accept the risk of using the cloud service on an agency's behalf; each agency that adopts your service must make that risk decision for itself and issue its own ATO. The JAB's evaluation gives agencies very solid ground to do so, however.)
Pros of the JAB route:
- The JAB is the most widely recognized governing review body within the federal cloud community. Demonstrating compliance with FedRAMP requirements through the JAB goes a long way with potential customers.
- No need to find an agency sponsor. The JAB has a dedicated team for these reviews, freeing you from having to find an individual agency willing to commit resources to your cause (more on that later).
Cons of the JAB route:
- You are less likely to be prioritized at all, and therefore less likely to be able to proceed through the whole process.
- The JAB's security standards are more rigorous than those of the alternative route. There is very little tolerance for risk in any area, including acceptance of the risks identified in the SAR. Expect to do everything by the book and to the highest standard.
- Everything rests on the readiness assessment. The JAB does not spend time on products that fail to meet at least the readiness requirements, so any gaps identified there will be difficult to overcome.
2. The Agency Route
In our experience and across our existing client base, this is the more common route organizations choose to achieve FedRAMP authorization. Why?
Where the JAB limits itself to around 12 products a year, federal agencies, and there are many of them, can together sponsor hundreds of cloud products. It's a little like the difference between squeezing through a single hole in the dam (the JAB route) and removing half the dam altogether (using an agency).
This is probably sounding better and better, so let’s hit on the important things regarding agency sponsorship:
- Finding an agency depends entirely on your sales pitch. You'll need to find a government department that wants to use your product and is therefore willing to work with you and commit resources to getting it authorized.
- Agencies can sponsor more than one product, depending on their resources and budget. Whereas the JAB issues a provisional authorization that signals to the government that your risk has been evaluated, the agency that sponsors you formally accepts the residual risk of using your service and issues your Authority to Operate itself.
- On the agency route you are not required to obtain FedRAMP Ready status, so a readiness assessment is optional. You can still engage a 3PAO to perform one, but if you have a sponsor, you can instead focus on aligning your product to the federal security requirements and preparing the deliverables required for authorization (the System Security Plan (SSP) and its supporting documents) between the two of you.
Once you have an agency sponsor, you'll work with them to get your service ready before proceeding to a full assessment by a 3PAO. Any risks identified in the resulting SAR are discussed and negotiated between you and your agency, which then issues an Authority to Operate (ATO) letter once it is comfortable with the residual risk.
After that, the FedRAMP Program Management Office (PMO) reviews the authorization package before confirming Authorized status for your product on the FedRAMP Marketplace.
Pros of the agency route:
- There's more opportunity to succeed. Because there is no established limit on how many products or services agencies can sponsor, you have a better chance of becoming Authorized.
- You have more control. The JAB is very selective, and even if you believe there is demand for your product, that does not mean you'll be prioritized; you are at the mercy of the JAB. With an agency, you retain more influence over your own path.
- You have slightly more flexibility. Agencies differ in the kinds of risk they will accept when they authorize you, and if you find the right partner, you can often find more leeway than you would with the JAB.
Cons of the agency route:
- It can take time and resources to find a sponsor. You need a good sales pitch and a product that serves the mission of your target agency, so that the agency is incentivized to commit resources to you during this process.
- At the end of the assessment, you need reviewers from your agency committed to reviewing the SAR, followed by the FedRAMP PMO, which puts you at the mercy of their competing priorities and can result in unexpected delays.
Back Up: Become FedRAMP Ready Anyway
Even though you have a better shot with an agency, it can be difficult to find one to partner with, as we've said.
If that's the case, and you also don't qualify for JAB prioritization, you're not completely out of luck. On your own, you can still undergo a readiness assessment. Why do that?
- It'll help you find a sponsor. A readiness assessment is a review against a defined set of requirements, including federal mandates (for example, use of FIPS 140-validated cryptography) and other potential high-risk issues, so completing one signals to agencies that you have already done the work to meet the necessary regulations. That makes you a more attractive candidate for sponsorship and shows you are committed to the FedRAMP process.
- The readiness assessment is thorough in its own right. By completing it, you will already have validated many of the required controls and mitigated the associated risks before you proceed into your full assessment.
So, if you aren't getting any bites from agencies during those sales calls, completing a readiness assessment demonstrates your commitment to the process. Afterward, you'll be listed as FedRAMP Ready on the Marketplace, which stands out to agencies that might then give you a second look. It's still not a guarantee that you'll move through to authorization, but it can help.
Which Approach to Choose?
As you begin to shape your own strategy, we recommend you look through the FedRAMP Marketplace site, which we mentioned briefly earlier. It lists who is Ready, who is in the process of becoming authorized, who is Authorized and under which sponsor, and which firms are accredited to provide FedRAMP assessments, so there is a lot of insight to be gleaned there.
If you're eyeing an agency sponsorship, you'll be able to tell which agencies are sponsoring what kinds of products, and how many. If you're looking at the JAB route, you'll need an assessor sooner because of the required readiness assessment, and the Marketplace shows clearly which 3PAOs have the most experience.
Schellman’s on that list with the second most assessments completed among 3PAOs, and though we can’t help you with any of the preparatory procedures, we are happy to speak with you regarding any questions you may have about the federal assessment process and how it can work in conjunction with your other compliance initiatives.
Of course, if you'd prefer to continue your own research for now, we've got you covered there as well. For more information on FedRAMP, including more on the authorization process, check out our other content on the subject:
- 5 Common Pitfalls when Pursuing FedRAMP Authorization (blog)
- When to Engage a FedRAMP Consultant vs. When to Engage a 3PAO (blog)
- FedRAMP Controls Categories: Low, Moderate, or High? (video)
About the Authors:
Matt Hungate is a Manager with Schellman based in Charlottesville, VA. Prior to joining Schellman in 2019, Matt worked as a Cybersecurity Consultant for a large advisory firm, where he specialized in strategy and assessment services for NIST SP 800-53 and FedRAMP. Matt also led and supported various other projects, including the development of an enterprise-wide cybersecurity strategy and cloud transition plan for a large federal agency. Matt has over 5 years of experience serving clients in both the private and public sectors, and his credentials include the CISSP, CISA, and CPA. Matt is now focused primarily on FedRAMP assessments for organizations across various industries.
Corey Stall is a Manager with Schellman based in Massachusetts. Corey has 12 years of experience in the Information Technology and Information Security fields, specializing in Federal government and Department of Defense compliance programs, including FedRAMP and DOD Impact Level 5. Corey has a background in systems engineering, physical security system design, and cloud security.