The transition of US government agencies to the cloud is an exciting opportunity for Cloud Service Providers (CSPs). Yet before CSPs can take advantage of that opportunity, they must be authorized via the Federal Risk and Authorization Management Program (FedRAMP). FedRAMP is a US federal government compliance program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

The US federal government cloud market is projected to be $60 billion in 2024 and will continue to grow. Key drivers of growth include the greater efficiency and scalability offered by the cloud, the need to store and manage the increasing amount of data kept by government agencies, and improving cybersecurity.
CSPs can succeed in the federal market by providing cloud services that meet the needs of government agencies. A CSP may already have many customers in a commercial non-government environment and be present in many systems across infrastructure. However, even if your company has robust, well-established cloud services that would be attractive to federal agencies, you will probably need to create customized versions of your services. This is because the needs of federal agencies include specific performance, security and compliance requirements, making most off-the-shelf cloud services unsuitable.

If your deployment requires you to build a second cloud system dedicated to a government community, you will want to take a careful approach and start by building small, understanding this will be for one agency customer first and then planning for growth with scalable cloud infrastructure as you add agency customers. Otherwise, this can be very costly upfront if you replicate the exact same scale of environment servicing hundreds or possibly thousands of customers at the beginning of building a government community cloud system. Return on investment for the costs invested is better if you use a scalable methodology during growth phases.

In addition to the costs of customizing your services for the federal government, a FedRAMP authorization is one of the most challenging attestations to achieve for any cloud service provider. So, is it worth it? If you have a compelling service to offer, and you complete your FedRAMP authorization efficiently, it is well worth the effort as it can be a significant source of revenue for a company.

What to expect in the authorization process

The below diagram gives a high-level view of the main steps in the FedRAMP authorization process:

Each step in the FedRAMP process contains a multitude of details, which can be challenging and time-consuming for a cloud provider unfamiliar with the process. You can smooth and expedite the authorization process by engaging with a FedRAMP advisory services firm to guide you through the many details needed to successfully complete each step of the process.

Once you have interest from a government customer, the preparation phase begins and your next steps are meeting with their Authorizing Official (AO), who oversees the authority to operate for that agency’s IT systems. The AO will be knowledgeable about the federal process and the steps you need to follow and will note any additional requirements based on risk that will need to be addressed for their agency. When you start working with this AO, they will ask if you have a draft System Security Plan (SSP) and package based on the current state of your system meeting the required controls for FedRAMP. This doesn’t have to be perfect the first time, as it is more of a snapshot in time to understand the gaps that need to be remediated to be ready to pass an audit and complete the rest of the steps for FedRAMP authorization. But this is expected to be clear, concise, consistent, and complete at a draft state. It is especially important to have this draft package completed quickly after an agency is ready to engage in this process because this is required before starting the FedRAMP Authorization phase. The sooner you build this draft package, the sooner you can start on the authorization phase.

The authorization phase involves the system security plan documentation refinement in tandem with uplifting security controls and preparing for audit, completing the FedRAMP audit, and then remediating any deficient items found in the audit to the satisfaction of the agency and the FedRAMP PMO.

Now that my cloud service is authorized, am I done with FedRAMP requirements?

The process is never done. However, the process is intended to ensure you are meeting certain important deliverables on a cadence and schedule. This is the continuous monitoring phase, in which you will complete certain activities and provide evidence for the agency and FedRAMP monthly, quarterly, yearly, and at other intervals. An example of this is completing monthly vulnerability scans and a plan of action and a milestones table of how you are remediating discovered vulnerabilities. This also ensures that you are ready for annual assessment every year after your initial authorization period by completing these activities throughout the year.

The process seems very difficult, but an experienced FedRAMP advisory services firm that has led FedRAMP authorizations successfully can guide your cloud service to a successful authorization without wasting unnecessary time and money. It is imperative to engage with such a firm to meet the one-year authorization time limit once you start on your FedRAMP authorization path, and also to get you ready to onboard government customers and see the return on your government cloud service investment.

Key takeaways for a successful FedRAMP authorization

• Make the business case that there is a big enough market for your cloud service to federal government agencies to justify the expense.
• Build your government cloud system small with the intent of growing as you onboard more government agency customers. This makes it easier to pass your initial authorization and allows a scalable business model with better return on investment.
• There is no time to waste once you have a government agency ready to partner with you. At that point, you should be building your draft system security plan and package within a couple of months to be ready to begin the authorization process.
• Build your system with continuous monitoring in mind. You will be doing this continually while you operate your cloud system, even after your FedRAMP authorization.
• Remember, this is one of the most difficult authorizations. Understand that revenue from government customers takes longer at the beginning but can surpass commercial sales in many markets quickly. If this were easy, everyone would be doing it. Recognize the effort and time it takes and the successful revenue at the end.
• Lastly, engage with an experienced FedRAMP advisory services firm that has led cloud service providers through a successful FedRAMP authorization. This will save time and money by expediting the process and your timeline to be authorized.

To learn more about the FedRAMP authorization process, we invite you to view our free one-hour webinar, Are You Ready to be a FedRAMP authorized cloud service provider?