Video: How does Constellation GovCloud work?

In this video, Sarah Hensley, Merlin’s Vice President of Cloud Solutions, explains how our Constellation GovCloud platform is structured to help cloud service providers (CSPs) more rapidly meet up to 80% of FedRAMP controls.

FedRAMP ATO – Why you should consider a partnership

Between President Biden’s cybersecurity Executive Order and the daily headlines proving our IT systems are constantly under attack, record numbers of cloud service providers face the reality that the time to ramp up cybersecurity efforts and embrace compliance standards is now. For cloud service providers serving U.S. federal agencies, that means obtaining a FedRAMP Authorization to Operate (ATO).

The path to FedRAMP authorization is daunting. It requires the knowledge, ability, and commitment to adhere to at least 325 separate security controls for a FedRAMP Moderate authorization, on top of your existing software development operations. Those controls span technical, operational, and management safeguards and countermeasures. In addition, a FedRAMP ATO requires a government sponsor, which can be difficult to obtain, especially for emerging cloud solutions and software-as-a-service (SaaS) companies that don’t yet have a foot in the federal door. Bottom line: it’s a big lift for any organization and one that likely calls for the support of a trusted partner who can bear some of the burden.

FedRAMP – 12 Areas of Impact on Your Organization

As mentioned in previous blog posts, undertaking a FedRAMP ATO effort is a huge investment. How huge? See the following list to better understand the impacts of a FedRAMP effort on your SaaS organization. Understanding these impacts can help you navigate your approach and determine what partnerships would be most beneficial to your FedRAMP journey.

  1. Policies and Procedures Covering All In-Scope NIST Control Families

At the foundation of a FedRAMP compliant offering is a complete set of policies and procedures covering all 17 in-scope NIST SP 800-53 Rev. 4 control families. The number of in-scope families will grow when FedRAMP officially adopts NIST SP 800-53 Rev. 5. This amounts to hundreds of pages of compliance policies and procedures that must be written and then adhered to.

  2. System Security Plan and Additional Documentation

Every system must have a System Security Plan (SSP), which averages 800-1,000 pages, and details how the policies and procedures are implemented in support of the SaaS offering to maintain compliance. In addition, the SSP includes 15 unique attachments. Even when leveraging templates, authoring a quality SSP requires a solid understanding of the FedRAMP requirements to get the content right.

  3. Compliant Infrastructure and Platform Build-out

FedRAMP systems cannot be built on just any infrastructure and platform. Rather, the infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS), as well as the people operating those offerings, must adhere to strict FedRAMP security guidelines. This leaves SaaS providers the option of choosing a FedRAMP-compliant IaaS and PaaS onto which their SaaS can be hosted or investing significant resources into building and operating their own.

  4. Mature Operational Processes

Third-Party Assessment Organizations (3PAOs) are looking for management and operational maturity as well as technical compliance. Roughly 63 percent of all FedRAMP controls are management and operational controls, meaning your software development lifecycle (SDLC), configuration management (CM), incident response (IR), awareness and training, personnel management, physical environment protection, risk management, and many other areas are on the hook to meet some minimum maturity requirements. This has impacts on human resources (HR), facility security officers (FSO), information technology (IT), and even legal departments. Suffice it to say, FedRAMP is not just about technical controls.

  5. Security Compliance with 325+ Controls

The heart of compliance lies in its baseline controls. Four out of five cloud service offerings looking to obtain an ATO require a FedRAMP Moderate authorization, which has 325 baseline controls. Even when leveraging a FedRAMP authorized hosting service like AWS GovCloud, where the IaaS controls can be inherited, the SaaS provider is still responsible for 282 controls, either fully or as shared controls implemented jointly with the hosting provider.

  6. Acquisition of Skilled Staff

Maintaining compliance requires special skills and roles to be filled, such as Information Systems Security Officer (ISSO) and Information Systems Security Manager (ISSM). People in these roles must stay up-to-date on the latest security standards and pending regulatory changes, establish appropriate policies and procedures, manage Plan of Action and Milestones (POA&M) activities, address cybersecurity risk management, and oversee all the daily, weekly, monthly, quarterly, and yearly continuous monitoring (ConMon) controls. Most organizations are unlikely to have people with these skills in-house.

  7. Expanded Tasks for Existing Staff

As mentioned in the Mature Operational Processes item above, many departments are impacted by FedRAMP controls, including but not limited to HR, FSO, IT, risk, and legal. People in these existing roles need to be prepared to adjust their operations to accommodate the FedRAMP compliance requirements.

  8. Ongoing Government Collaboration and Reporting

FedRAMP requires close collaboration with the sponsoring government agency, including the sharing of recurring ConMon reports, POA&M updates, incident notifications, and reviews of proposed changes to the SaaS solution. SaaS changes that are determined to be significant will require interim 3PAO assessments as well.

  9. Security and Continuous Monitoring Systems

In addition to standing up compliant IaaS, PaaS and SaaS layers of a cloud offering, SaaS providers also must build the systems that will be used for ConMon activities such as scanning, anti-virus protection, privileged access control, multifactor authentication, and incident response capabilities to name a few. Building such a stack from scratch will require multiple tools, licenses, and integrations.

  10. ConMon Operations

Once a system has been granted a FedRAMP ATO, the work is just beginning. There are daily, weekly, monthly, quarterly, and yearly ConMon activities that must occur, with dedicated team members following compliant processes and procedures.

  11. Expanded Controls Requirements

SaaS providers obtaining a FedRAMP ATO for a particular federal agency may be surprised when they realize that other agencies, such as the DoD agencies with their unique Impact Level (IL) baselines, have additional controls requirements that aren’t satisfied by the existing ATO. This can cause the SaaS providers significant amounts of extra work if the original offering wasn’t built with such expansion in mind.

  12. Costs of Consultants and 3PAO Assessors

In addition to the indirect costs associated with operational/staffing adjustments and technical investments required to bring a solution up to FedRAMP baseline standards, there are direct costs as well. SaaS providers are required to contract a 3PAO for assessments, including readiness assessments, full assessments, significant change assessments, and yearly re-assessments. Many SaaS providers also choose to hire a separate 3PAO or advisory firm for consulting to help navigate the complicated waters of the FedRAMP process. It must be a separate firm: the 3PAO that performs the assessment is required to remain independent of the system it assesses, so it cannot also have advised on building it.

The Right Partner Makes All the Difference

Partners for compliance efforts come in many flavors, each providing different value propositions. Finding the right partner – the one that will ease the burden across the largest number of variables – will be key to success for many companies. And while no partner can eliminate the entire burden, a partner like Constellation GovCloud can help significantly reduce the organizational impact and technical investments required to achieve and maintain a FedRAMP ATO.

About Constellation GovCloud

Constellation GovCloud (CGC), a Merlin Cyber offering, is a pre-built, FedRAMP Platform-as-a-Service hosted on AWS GovCloud and designed to host SaaS solutions seeking FedRAMP ATO within federal agencies. Our goal is to absorb a bulk of the underlying technical, operational and management burden, limiting the impact to our partners and allowing them to focus primarily on their specific SaaS operations and controls. We help our partners get to FedRAMP faster and with significantly fewer financial and resource commitments. Learn more.

Could a 3PAO-sanctioned certification option help streamline the FedRAMP authorization process?

Acquiring a FedRAMP Authority to Operate (ATO) is a mandatory requirement for cloud service offerings (CSOs) that hold federal data and are used by U.S. federal agencies. And as many cloud service providers (CSPs) have learned, it is a long and arduous process, largely dependent on a required relationship with a federal agency or the Joint Authorization Board (JAB). Without sponsorship by one of the two, a CSP cannot obtain FedRAMP ATO or be listed in the official FedRAMP Marketplace.

FedRAMP is an authorization, not a certification per se, but is still reflective of a CSP meeting very well-defined NIST 800-53 baseline controls requirements. Because the requirements are well-defined (so much so that Third Party Assessment Organizations (3PAOs) are already trusted and leveraged to assess a CSP’s adherence to the baseline controls), it seems that adherence could be fully validated and continuously monitored by a 3PAO with only indirect/QA-level oversight and approval by government entities. This could alleviate the current situation, which involves hundreds of CSPs either:

  1. Competing for sponsorship by a limited number of government agencies who can sponsor an initial FedRAMP ATO, or
  2. Somehow obtaining sponsorship from the JAB, whose resources limit them to taking on only 12 FedRAMP efforts each year.

Current Process Architecture

The current process places a significant amount of work on the JAB and/or each sponsoring agency:

diagram showing the current sponsorship paths to FedRAMP for CSOs

Shifting duties: Could a 3PAO represent the JAB and validate compliance for any CSP willing to do the work?

Because FedRAMP has such well-defined baseline controls, a 3PAO could take on all of the analysis and “stamp of approval” duties of the JAB or an agency. They could use the JAB’s current standards, requiring full adherence to all controls. This would allow any CSP to go to a 3PAO and have a full assessment completed, even without agency or JAB sponsorship, and be granted an official FedRAMP-compliant stamp (i.e., a FedRAMP “certification,” which would really be just a different flavor of a P-ATO). At a minimum, this could then allow compliant CSPs to be listed in a marketplace (either the current marketplace with a new status, as shown in the image below, or a new marketplace for certified-compliant solutions). This would bridge the gap between government agencies and the hundreds of CSOs that are not readily available for use simply because there isn’t the bandwidth and resources to move them all through the current FedRAMP process. Allowing a 3PAO to be an authorizing arm of the JAB rather than its trusted informant addresses many of these resource problems.

Re-imagined process architecture

While this 3PAO-led format is only a conceptual model at this time—with more work needed regarding details (e.g., whether there would still be a need for a FedRAMP Ready status)—shifting the work and adjusting processes has many benefits.

diagram showing proposed new process that allows 3PAOs to certify CSOs for FedRAMP

This type of re-envisioned FedRAMP approach could solve several problems:

  • It lowers the federal market barrier to entry, allowing any CSP that is willing and able to achieve a recognized FedRAMP-compliant “certification”
  • It reduces the burden on already-stretched government staff and allows the JAB and FedRAMP PMO to invest more in thought leadership, guidance, and oversight than hands-on CSO assessment work
  • It increases capacity for FedRAMP, allowing commercial 3PAO entities to absorb most of the work and process more CSOs concurrently
  • It potentially improves the mean standard of compliance, as all CSOs would need to meet all controls as they would for a JAB authorization
  • It provides scalability afforded by the commercial services landscape

The “FedRAMP-compliant certification” would be similar to the JAB P-ATO in that it would be a general status indicating compliance with the FedRAMP baseline controls. The main difference is that a 3PAO would be taking on the additional work currently handled by the JAB or agency, namely: reviewing and approving massive System Security Plans (SSPs), Security Assessment Plans (SAPs), Security Assessment Reports (SARs), and Plans of Action and Milestones (POA&Ms); reviewing iterative continuous monitoring (ConMon) artifacts; and validating that any significant changes don’t introduce unacceptable risk.

Agencies would still need to grant an ATO based on FedRAMP compliance – but it would be much simpler, at least for the first agency to use the “certified” CSO

The actual ATO would still need to be granted by each agency wanting to use the CSO. That process could hopefully be simpler and faster with the 3PAO playing more of a trusted role in validating compliance. The ATO process would involve more of a cursory check of the 3PAO’s recommendation rather than an in-depth review of the ATO package.

Agencies would also still be in the loop as an informed party on all ConMon activities and significant change activities. The difference for the agency, just like with the JAB, is that their role would become more of a QA/oversight role rather than the main player – thereby reducing the burden on agency resources. Agencies could even provide 3PAOs with their specific requirements/agency-specific controls and have the 3PAOs handle the ongoing monitoring and validation of compliance to those controls.

None of this would preclude an agency from being very involved in their own acceptance of risk, and agencies would always have full authority to stop using a CSO should they perceive too much risk. This model simply gives the agency (just like the JAB) a trusted representative to handle a lion’s share of the work.

An expanded marketplace of compliant CSOs could offer not only FedRAMP authorized CSOs but FedRAMP certified/compliant CSOs

Allowing any CSP that is able and willing to meet FedRAMP controls requirements to do so and get recognized for the achievement seems like a step in a good direction. It would hopefully encourage smaller CSPs with emerging solutions, who may have difficulty finding a federal sponsor, to become compliant—which is the main objective in the larger battle to better protect all our nation’s cyber infrastructure. Such a marketplace would then hopefully give federal agencies a larger catalog of already compliant solutions to choose from. There are likely many cloud solutions that would be beneficial to government agencies but aren’t available for use because of the FedRAMP authorization process barrier to entry. 

But what about FedRAMP Ready status? Isn’t that similar to what’s being proposed?

It might be argued that the FedRAMP program already has a type of “certification” or pre-authorization option. CSPs can choose to go through the Readiness Assessment process without a sponsor and achieve a FedRAMP Ready listing in the FedRAMP Marketplace. A CSP demonstrates that it is FedRAMP Ready by working with a 3PAO on a mini-assessment (without a full penetration test) that involves validation of the CSO boundary, vulnerability scanning, a review of policies and procedures, and validation of compliance with a subset of controls (e.g., the critical controls), to name a few. It isn’t, however, as thorough as the full assessment, nor is it a foolproof assurance that a CSO will achieve an ATO. FedRAMP Ready status mostly signals to the JAB or an agency that a CSP is committed and has met most of the key requirements needed to achieve an ATO. However, achieving FedRAMP Ready still leaves CSPs with the challenge of convincing a federal agency to accept the extra work of being their initial sponsor. The risk of failing the full assessment may be reduced, but the workload on the agency is not. As a result, FedRAMP Ready status does little to alleviate the sponsorship bottleneck.

The JAB would still govern the program and retain revocation power over any “certification”

The suggestion to push most of the solution vetting and “certification” process to a 3PAO isn’t about taking power away from the JAB. Rather, it allows the JAB to operate one step higher in an oversight role, removing them from many of the time-consuming tasks that go with ATO sponsorship. The JAB wouldn’t need to invest the time and energy in shepherding 12 CSPs per year through the process. Instead, they could move up one step in the hierarchy and oversee the 3PAOs in their processing of 12 of the highest demand/highest impact CSOs.

One way or another, expanding the number of FedRAMP compliant cloud solutions calls for out-of-the-box thinking

While the brainstorm-level ideas presented in this blog post are far from thoroughly vetted, they are an example of the out-of-the-box thinking that may be required to address the limitations of the current FedRAMP system. The Constellation GovCloud (CGC) team is committed to thought leadership, to supporting the federal government, and to contributing to the improved security posture of cloud solutions.


Avenues to FedRAMP Authorization: Agency vs. JAB

As cloud service providers (CSPs) quickly learn when looking to provide solutions for federal government agencies, achieving a FedRAMP Authority to Operate (ATO) is a mandatory requirement for cloud service offerings (CSOs) that hold federal data. Are government agencies your customers? Does your CSO meet the government’s critical mission needs? Will it improve the security, efficiency, and/or the effectiveness of government operations? If you answer yes to any of these, you are very likely standing on the threshold of a journey into FedRAMP.

Where do You Begin?

The first step in obtaining a FedRAMP ATO is identifying the right path to FedRAMP for your organization. Unlike many other types of compliance certifications, FedRAMP Authorization is actually the granting of an “Authority to Operate” in government environments rather than a generic certification. A FedRAMP ATO represents an acceptance of risk associated with the cloud solution on the part of a government agency – and therefore requires a government sponsor. For sponsorship, there are two paths to consider – agency-sponsored Authorization to Operate (ATO) or Joint Authorization Board (JAB) Provisional Authority to Operate (P-ATO).

Agency-Sponsored Authorization

Agency sponsorship means that at least one agency is willing to shepherd your cloud offering through the FedRAMP process, presumably because they want to use your solution. Agency sponsorship is the most common path to FedRAMP Authorization, representing 70 percent of all FedRAMP ATOs. For the purposes of the FedRAMP conversation, the term agency includes any government department, agency, sub-agency, or otherwise-named government organizational entity that purchases cloud solutions.

If your solution meets important needs of a specific government agency or a handful of agencies, and/or there are agencies who have expressed a desire to use your cloud solution or are already using an on-prem version of that solution, an agency-sponsored FedRAMP Authorization is a great option.

diagram showing the hundreds of government agencies that can sponsor FedRAMP authorization

Agencies that agree to sponsor a solution for a FedRAMP Authorization are agreeing to commit certain resources and take on the work associated with sponsorship. Agencies need to provide an Authorizing Official (AO) and an Information Systems Security Officer or Manager (ISSO or ISSM) who can review significant amounts of documentation throughout the process, review monthly continuous monitoring reports, track Plan of Action and Milestones (POA&M) progress, and review annual re-assessment reports as well as significant change requests and their associated assessment reports. Since many smaller agencies and sub-agencies don’t have team members with these skills or the scheduling bandwidth, they may leverage the resources of their parent agencies or departments.

Agency Authorization Process

In both agency and JAB sponsorship, there are a few key steps and milestones that move an offering from preparation through authorization and into continuous monitoring (ConMon). In both cases, the process is overseen by the FedRAMP PMO, adding consistency to the experience. And while agency-sponsorship and JAB processes are similar, there are a few key differences for agency authorization.

  • First, unless a specific agency requires it, a formal Readiness Assessment and Readiness Assessment Report (RAR) are not required, saving time, effort and money associated with the cost of the Third-Party Assessment Organization (3PAO) required to complete the assessment.
  • Second, an agency may be willing to grant an ATO and accept certain risks associated with less-than-textbook controls implementation approaches (for non-critical controls) that make sense for their specific situation that wouldn’t be considered acceptable as part of a JAB authorization.
  • Third, many agencies add additional agency-specific controls requirements that go above and beyond the FedRAMP-defined baseline.

diagram showing sequence of events when a government agency sponsors FedRAMP authorization

It should be noted that while Agency ATOs can be a little less cumbersome than JAB P-ATOs, that isn’t guaranteed. Agencies may choose to require a formal 3PAO Readiness Assessment in addition to requiring their own additional controls. Further, many smaller agencies don’t have the experience or in-house expertise to provide the AO or ISSO/ISSM services they will need, requiring them to leverage their parent agency for support and ATO oversight – which can slow down or complicate the process.

JAB Provisional Authorization

The JAB is FedRAMP’s primary governing body and includes Chief Information Officers (CIOs) of three federal organizations: Department of Defense (DoD), General Services Administration (GSA), and the Department of Homeland Security (DHS). Just like with agencies, the JAB leverages the FedRAMP PMO (run by the GSA) and oversees movement of cloud offerings through the process.

diagram showing the three agencies that run the JAB

A JAB authorization is actually a Provisional Authorization to Operate (P-ATO) simply because the JAB cannot accept risk on behalf of any agency. Agencies can then re-use the generally-available P-ATO package to grant their own ATO. Remember, a FedRAMP ATO is granted by an agency and represents risk acceptance associated with the solution. This means the JAB Authorization Process may have a slightly higher degree of scrutiny and adherence to the letter of the law for FedRAMP-defined baseline controls as they aren’t in the business of making exceptions or accommodating any specific agency needs. So, while an agency can grant an ATO with some reasonable leeway around certain non-critical controls, the JAB will not do the same.

JAB Provisional Authorization Process

Like the agency authorization process, the JAB process involves some key steps and milestones that move an offering from preparation through authorization and into ConMon. Unlike the agency process however, where any one of a large number of agencies can agree to sponsor, the JAB only has resources to process 12 CSPs each year. For the hundreds of CSPs looking to get their solutions FedRAMPed, only a select few will be chosen for JAB Authorization. Some key attributes of the JAB process:

  • FedRAMP Connect – Due to the JAB’s limited resources and its thorough, no-exceptions approach to authorization, a CSP wanting a JAB P-ATO must apply for consideration through FedRAMP Connect, which involves a standardized, criteria-based analysis of each solution that guides prioritization based on demand and desirability.
    • Demand – CSPs must complete a Business Case showing government-wide need for the CSO. A demand scoring Rubric adds objectivity to the selection process.
    • Desirability – CSO must have features or offer characteristics that will meet pressing government needs such as addressing regulatory requirements or filling identified gaps in existing government software stacks.
  • Readiness Assessment – JAB authorization requires a formal Readiness Assessment as evidenced by a Readiness Assessment Report (RAR) completed by a 3PAO prior to full assessment. If a CSP doesn’t have a RAR, they will need one within 60 days of being prioritized/selected for JAB P-ATO.

diagram showing sequence of events for a JAB P-ATO

FedRAMP Authorization: Not a One-and-Done Effort

For both agency ATOs and JAB P-ATOs, authorization is actually the beginning of a long-term commitment to a continuous, attestable approach to delivering low-risk cloud solutions. Whether an agency or the JAB, whoever sponsors a CSO through the process is also agreeing to ongoing continuous monitoring, change management/significant change assessments, and annual re-assessment reviews.

Whether FedRAMP authorization is achieved through an agency or JAB, the benefits of the existing authorized (and re-usable) FedRAMP package remain the same. Subsequent agencies that wish to grant their own ATO are able to leverage that package, significantly reducing the amount of time and effort required to deploy into their operations.


FedRAMP for Government Use of Cloud Solutions: Is Your SaaS Organization Ready to Make the Commitment?

According to a 2020 survey of government IT decision-makers (including 200 federal employees), 91 percent of federal respondents report having “all, most, or some systems and solutions in the cloud.”

The use of cloud solutions will undoubtedly grow as government agencies continue to retire their legacy applications and look to the rapidly growing catalog of cloud solutions to modernize their IT operations. Whether driven by the Office of Management and Budget’s (OMB) current “Cloud Smart” policy, the increasing availability of secure, cloud-based applications like Zoom for Government, or the availability, flexible pricing, resilience, and agility generally afforded by cloud services, cloud-based “as-a-service” solutions play an increasingly essential role in government operations.

FedRAMP Authorization – Required for any Cloud Service used by Federal Agencies

Before a software-as-a-service (SaaS) solution can be used by a federal agency, it must first achieve FedRAMP Authorization. For a system at the Moderate impact level, which generally covers systems handling Controlled Unclassified Information (CUI) or other government data that is not publicly available, that means 325 security baseline controls spanning 17 NIST SP 800-53 (Rev. 4) control families. That number is expected to increase in late 2021 as FedRAMP aligns its baselines with the latest NIST controls in SP 800-53 Rev. 5.

FedRAMP Focuses on Operational and Management Maturity

Any way you look at it, 325 security controls is a lot. And if you think that all 325 can be handled by technology implementations and configurations, keep reading. The fact is, FedRAMP controls are as much or more about the management and operational maturity surrounding a SaaS offering as the technology itself. That’s not to say that things like FIPS validated encryption, access control, and user authentication technologies don’t matter – they do! However, nearly two-thirds of the FedRAMP Moderate controls deal directly with Management and Operations.

FedRAMP Controls by Type

pie chart showing the breakdown of FedRAMP controls between management, technical, and operational controls

Getting your House in Order for FedRAMP

Before jumping head-first into a FedRAMP authorization effort, you must understand what that commitment looks like for your technical, operational, and management teams. Being prepared both technically and operationally will make the authorization process go much smoother (and faster) and pave the way to securing a government agency sponsor. Agency sponsorship is required for the majority of FedRAMP authorization efforts – the exception being the handful of SaaS providers who secure a provisional authorization slot with the Joint Authorization Board – which is a topic for another blog post.

  1. Consider Technical Readiness

    It is best to do some research (or engage a knowledgeable advisor) as a first step to identify showstopping technical issues that would preclude your SaaS solution from obtaining a FedRAMP authorization. Requirements around your offering’s authorization boundary, reliance on libraries or third-party services that cannot satisfy the controls (for example, cryptography that is not FIPS 140 validated), and connections to external systems are just a few of the areas that must be scrutinized and possibly adjusted to meet FedRAMP’s technical control requirements.

  2. Consider Operational Readiness

    Building and maintaining a FedRAMP compliant SaaS offering has implications for software operations teams (architects, developers, testers, configuration managers, change control board, etc.) and deployment schedules, as well as human resources, corporate IT, Facility Security Officers (FSOs), project management, documentation management, facilities management, and even legal counsel. Members of these teams will likely be tagged to satisfy critical roles and be required to take on FedRAMP-specific responsibilities.

    Maintaining FedRAMP compliance is also reliant on having people assigned to roles with skillsets that existing members of a software development team or the broader organization may not possess, such as an Information Systems Security Manager (ISSM) and an Information Systems Security Officer (ISSO). These roles require subject matter expertise in security controls and compliance program requirements, as well as an attestable commitment to staying up-to-date on compliance and regulatory changes. For companies taking full ownership over their FedRAMP system, this means an investment in hiring, training, and supervision.

    In addition to staffing impacts, operational readiness also means having mature employee and security-management processes and procedures and a framework for managing those processes and procedures that can be readily adapted to incorporate the unique FedRAMP operational requirements. With hundreds of pages of documented policies, procedures, and plans required for FedRAMP, implementation oversight can be overwhelming.

  3. Consider Management Readiness

    Finally, organizations that aspire to obtain FedRAMP Authorization need to have strong in-house product and program management skills. With many moving parts including multiple purpose-defined teams and related issue identification and resolution processes, strong management skills are imperative. Ongoing close and often prescribed collaboration with the sponsor Agency and the FedRAMP PMO are fundamental to the compliance and continuous monitoring process. FedRAMP systems don’t run and maintain compliance on their own, so it’s important to invest in the right product and program management personnel.

In another blog post, I’ll go into the different approaches to getting FedRAMPed and how to choose the right one for your organization. For now, I’ll just mention Constellation GovCloud, a Merlin Cyber managed service offering that provides a pre-built platform-as-a-service hosted on AWS GovCloud and designed to host SaaS solutions seeking FedRAMP ATO. CGC’s goal is to absorb a bulk of the underlying technical, operational, and management burden, limiting the impact to partners and allowing them to focus primarily on their specific SaaS operations and controls. We help our partners get to FedRAMP faster and with significantly fewer financial and resource commitments.

Webcast: How to Target the Federal Market Through FedRAMP

About this Webcast

The U.S. Government allocated more than $18 billion for cybersecurity spending in FY 2021. The Federal Risk and Authorization Management Program (FedRAMP) is one of the most effective vehicles for small technology and services companies to sell to the federal government. FedRAMP was established in 2011 to provide a cost-effective, risk-based approach for the adoption and use of cloud services by the federal government. FedRAMP empowers agencies to use modern cloud technologies, with an emphasis on security and protection of federal information.

In this webinar, Seth Spergel, Vice President, Emerging Technology at Merlin Ventures, will review the FedRAMP program and provide insights and tips for Israeli startups interested in utilizing the program.