The Phases to the FedRAMP Process

You're a cloud service provider and you want to do work for the federal government. In order to do that though, you need to be FedRAMP authorized and you've been told by the government agency that you're trying to sell to that, you need to be FedRAMP authorized. In this short video, we're going to walk you through what the process is, what the journey is to get to the point where you have that authorization, you've been approved, and you can go and sell work to your federal agency customers.

I'm Doug Barbin, managing principal and chief growth officer at Schellman. At Schellman, we've had the privilege of working in the FedRAMP program since its inception almost 10 years ago as one of the early FedRAMP third-party assessment organizations, or, as they call them, 3PAOs.

To become FedRAMP authorized, an organization has to set up a program and a set of systems that are ultimately going to get assessed at a level that, frankly, is the most comprehensive assessment that Schellman does.

Assessment Plan

So we start by looking at your design. We look at your documentation, your plans, your policies. We look at the environment. The goal of what we call stage one is to come up with an assessment plan that looks at your unique environment for FedRAMP and lays out how we're going to perform that assessment.

The Assessment

Now we move into the actual assessment. The actual assessment is a combination of three things:

  1. It's a control review and control assessment where we're looking at anywhere from 300 to 400 plus controls. We're not just going to look at your policies; we're going to look at your password configurations. We're going to look at your logging and your monitoring capabilities.
  2. Then, on the technical side, we're going to look at your scans. We're going to look at your vulnerability scans to see that your systems have been patched and secured in a manner that would limit the impact of a potential attacker.
  3. Then we're going to take the next step, which is penetration testing, a very robust test of your application and your infrastructure.

Security Assessment Report (SAR)

So all of that information, from the penetration test to the scans to the control testing, gets amalgamated into what eventually becomes a security assessment report. That's going to be a detailed set of our findings and results, including anything you corrected during the assessment. That is one thing that's unique to FedRAMP: it gives you a reasonable allowance to fix issues that come up during the assessment, and those fixes are logged and reported in the report as well.

The other thing the report has at the end is a net set of findings, or residual risks. FedRAMP is one of those assessments where you're not looking to get 100%. As a matter of fact, I can hardly think of any client that's had zero findings on their FedRAMP SAR, or security assessment report. And that's OK. The key is that you don't want to have any high-risk findings, and you want the moderate findings to be at a manageable level where you've got a path to remediate them over the course of the next weeks or months.

Listing in the FedRAMP marketplace

So that's the process, and it ultimately brings us to the point where we've issued this report. That report is going to get shared with your government agency sponsor and with the FedRAMP PMO. Most importantly, we're going to be there with you along the way, sitting in the meetings and doing the briefings with those agencies and with the FedRAMP PMO. Once you've cleared those particular hurdles, once the assessment's been completed and all of that information has been provided, that's what ultimately gets you through the approval process to the authorization and to being listed in the FedRAMP marketplace as a FedRAMP authorized provider. And that's what's key from your perspective: getting to the point where you've got the authorization from the agency and from FedRAMP, because that is your permit to do business with the federal government as a cloud computing provider.

I know what we just covered was a significant amount of information. And frankly, the FedRAMP process can take anywhere from 5 to 6 months sometimes, and that's even if you're ready. Reach out to us today so that we can have a more in-depth conversation with you about what this is going to look like for you.

About the Author

Douglas Barbin

As Chief Growth Officer and firmwide Managing Principal, Doug Barbin is responsible for the strategy, development, growth, and delivery of Schellman's global services portfolio. Since joining in 2009, his primary focus has been to expand the strong foundation in IT audit and assurance to make Schellman a market-leading diversified cybersecurity and compliance services provider. He has developed many of Schellman's service offerings, served global clients, and now focuses on leading and supporting the service delivery professionals, practice leaders, and the business development teams. Doug brings more than 25 years' experience in technology-focused services, having served as a technology product management executive, mortgage firm CTO/COO, and fraud and computer forensic investigations leader. Doug holds dual bachelor's degrees in Accounting and Administration of Justice from Penn State as well as an MBA from Pepperdine. He has also taken post-graduate courses on Artificial Intelligence from MIT and maintains multiple CPA licenses in addition to most of the major industry certifications, including several he helped create.
