FedRAMP ATO – Why you should consider a partnership

Between President Biden’s cybersecurity Executive Order and the daily headlines proving our IT systems are constantly under attack, record numbers of cloud service providers face the reality that the time to ramp up cybersecurity efforts and embrace compliance standards is now. For cloud service providers serving U.S. federal agencies, that means obtaining a FedRAMP Authorization to Operate (ATO).

The path to FedRAMP authorization is daunting, requiring knowledge, ability, and commitment to adherence to at least 325 separate security controls for a FedRAMP moderate authorization – on top of your existing software development operations. Those controls span technical, operational, and management safeguards and countermeasures. In addition, a FedRAMP ATO requires a government sponsor, which can be difficult to obtain – especially for emerging cloud solutions and software-as-a-service (SaaS) companies that don’t yet have a foot in the federal door. Bottom line: it’s a big lift for any organization and one that likely calls for the support of a trusted partner who can bear some of the burden.

FedRAMP – 12 Areas of Impact on Your Organization

As mentioned in previous blog posts, undertaking a FedRAMP ATO effort is a huge investment. How huge? See the following list to better understand the impacts of a FedRAMP effort on your SaaS organization. Understanding these impacts can help you navigate your approach and determine what partnerships would be most beneficial to your FedRAMP journey.

  1. Policies and Procedures Covering All In-Scope NIST Control Families

At the foundation of a FedRAMP compliant offering is a complete set of policies and procedures covering all 17 in-scope NIST 800-53 v4 control families. The number of included families will grow when FedRAMP officially adopts NIST 800-53 v5. This amounts to hundreds of pages of compliance policies and procedures that must be written and adhered to.

  2. System Security Plan and Additional Documentation

Every system must have a System Security Plan (SSP), which averages 800-1,000 pages, and details how the policies and procedures are implemented in support of the SaaS offering to maintain compliance. In addition, the SSP includes 15 unique attachments. Even when leveraging templates, authoring a quality SSP requires a solid understanding of the FedRAMP requirements to get the content right.

  3. Compliant Infrastructure and Platform Build-out

FedRAMP systems cannot be built on just any infrastructure and platform. Rather, the infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS), as well as the people operating those offerings, must adhere to strict FedRAMP security guidelines. This leaves SaaS providers the option of choosing a FedRAMP-compliant IaaS and PaaS onto which their SaaS can be hosted or investing significant resources into building and operating their own.

  4. Mature Operational Processes

Third-Party Assessment Organizations (3PAOs) are looking for management and operational maturity as well as technical compliance. Roughly 63 percent of all FedRAMP controls are management and operational controls, meaning your software development lifecycle (SDLC), configuration management (CM), incident response (IR), awareness and training, personnel management, physical environment protection, risk management, and many other areas are on the hook to meet some minimum maturity requirements. This has impacts on human resources (HR), facility security officers (FSO), information technology (IT), and even legal departments. Suffice it to say, FedRAMP is not just about technical controls.

  5. Security Compliance with 325+ Controls

The heart of compliance lies in its baseline controls. Four out of five cloud service offerings looking to obtain an ATO require a FedRAMP Moderate level, which has 325 baseline controls. Even leveraging a FedRAMP authorized hosting service like AWS GovCloud, where the IaaS controls can be inherited, the SaaS provider is still left fully responsible for 282 controls.

  6. Acquisition of Skilled Staff

Maintaining compliance requires special skills and roles to be filled such as Information Systems Security Officer (ISSO) and Information Systems Security Manager (ISSM). People in these roles must stay up-to-date on the latest security standards and pending regulatory changes, establish appropriate policies and procedures, manage Plan of Action and Milestones (POA&M) activities, address cybersecurity risk management, and oversee all the daily, weekly, monthly, quarterly, and yearly continuous monitoring (ConMon) controls. It is unlikely that most organizations have people with these skills in-house.

  7. Expanded Tasks for Existing Staff

As mentioned in the Mature Operational Processes item above, many departments are impacted by FedRAMP controls, including but not limited to HR, FSO, IT, risk, and legal. People in these existing roles need to be prepared to adjust their operations to accommodate the FedRAMP compliance requirements.

  8. Ongoing Government Collaboration and Reporting

FedRAMP requires close collaboration with the sponsoring government agency, including the sharing of recurring ConMon reports, POA&M updates, incident notifications, and reviews of proposed changes to the SaaS solution. SaaS changes that are determined to be significant will require interim 3PAO assessments as well.

  9. Security and Continuous Monitoring Systems

In addition to standing up compliant IaaS, PaaS and SaaS layers of a cloud offering, SaaS providers also must build the systems that will be used for ConMon activities such as scanning, anti-virus protection, privileged access control, multifactor authentication, and incident response capabilities to name a few. Building such a stack from scratch will require multiple tools, licenses, and integrations.

  10. ConMon Operations

Once a system has been granted a FedRAMP ATO, the work is just beginning. There are daily, weekly, monthly, quarterly, and yearly ConMon activities that must occur, with dedicated team members following compliant processes and procedures.

  11. Expanded Controls Requirements

SaaS providers obtaining a FedRAMP ATO for a particular federal agency may be surprised when they realize that other agencies, such as the DoD agencies with their unique Impact Level (IL) baselines, have additional controls requirements that aren’t satisfied by the existing ATO. This can cause the SaaS providers significant amounts of extra work if the original offering wasn’t built with such expansion in mind.

  12. Costs of Consultants and 3PAO Assessors

In addition to the indirect costs associated with operational/staffing adjustments and technical investments required to bring a solution up to FedRAMP baseline standards, there are some direct costs as well. SaaS providers are required to contract a 3PAO for assessments, including readiness assessments, full assessments, significant change assessments, and yearly re-assessments. Many SaaS providers also choose to hire a separate 3PAO or agency for consulting to help navigate the complicated waters of the FedRAMP process.

The Right Partner Makes All the Difference

Partners for compliance efforts come in many flavors, each providing different value propositions. Finding the right partner – the one that will ease the burden across the largest number of variables – will be key to success for many companies. And while no partner can eliminate the entire burden, a partner like Constellation GovCloud can help significantly reduce the organizational impact and technical investments required to achieve and maintain a FedRAMP ATO.

About Constellation GovCloud

Constellation GovCloud (CGC), a Merlin Cyber offering, is a pre-built, FedRAMP Platform-as-a-Service hosted on AWS GovCloud and designed to host SaaS solutions seeking FedRAMP ATO within federal agencies. Our goal is to absorb a bulk of the underlying technical, operational and management burden, limiting the impact to our partners and allowing them to focus primarily on their specific SaaS operations and controls. We help our partners get to FedRAMP faster and with significantly fewer financial and resource commitments.

Could a 3PAO-sanctioned certification option help streamline the FedRAMP authorization process?

Acquiring a FedRAMP Authority to Operate (ATO) is a mandatory requirement for cloud service offerings (CSOs) that hold federal data and are used by U.S. federal agencies. And as many cloud service providers (CSPs) have learned, it is a long and arduous process, largely dependent on a required relationship with a federal agency or the Joint Authorization Board (JAB). Without sponsorship by one of the two, a CSP cannot obtain FedRAMP ATO or be listed in the official FedRAMP Marketplace.

FedRAMP is an authorization, not a certification per se, but it still reflects a CSP meeting the well-defined NIST 800-53 baseline control requirements. Those requirements are so well defined that Third Party Assessment Organizations (3PAOs) are already trusted to assess a CSP’s adherence to the baseline controls. It therefore seems that adherence could be fully validated and continuously monitored by a 3PAO, with only indirect, QA-level oversight and approval by government entities. This could alleviate the current situation, which involves hundreds of CSPs either:

  1. Competing for sponsorship by a limited number of government agencies who can sponsor an initial FedRAMP ATO, or
  2. Somehow obtaining sponsorship from the JAB, whose resources limit them to taking on only 12 FedRAMP efforts each year.

Current Process Architecture

The current process places a significant amount of work on the JAB and/or each sponsoring agency:

[Diagram: the current sponsorship paths to FedRAMP for CSOs]

Shifting duties: Could a 3PAO represent the JAB and validate compliance for any CSP willing to do the work?

Because FedRAMP has such well-defined baseline controls, a 3PAO could take on all of the analysis and “stamp of approval” duties of the JAB or an agency. They could use the JAB’s current standards, requiring full adherence to all controls. This would allow any CSP to go to a 3PAO and have a full assessment completed, even without an agency or JAB sponsorship, and be granted an official FedRAMP-compliant stamp (i.e., a FedRAMP “certification,” which would really be just a different flavor of a P-ATO). At a minimum, this would allow compliant CSPs to be listed in a marketplace (either the current marketplace with a new status, as shown in the image below, or a new marketplace for certified-compliant solutions). This would bridge the gap between government agencies and the hundreds of CSOs that are not readily available for use because there simply isn’t the bandwidth and resources to move them all through the current FedRAMP process. Allowing a 3PAO to be an authorizing arm of the JAB, rather than merely its trusted informant, addresses many resource problems.

Re-imagined process architecture

While this 3PAO-led format is only a conceptual model at this time—with more work needed regarding details (e.g., whether there would still be a need for a FedRAMP Ready status)—shifting the work and adjusting processes has many benefits.

[Diagram: proposed new process that allows 3PAOs to certify CSOs for FedRAMP]

This type of re-envisioned FedRAMP approach could solve several problems:

  • It lowers the federal market barrier to entry, allowing any CSP that is willing and able to achieve a recognized FedRAMP-compliant “certification”
  • It reduces the burden on already-stretched government staff and allows the JAB and FedRAMP PMO to invest more in thought leadership, guidance, and oversight than hands-on CSO assessment work
  • It increases capacity for FedRAMP, allowing commercial 3PAO entities to absorb most of the work and process more CSOs concurrently
  • It potentially improves the mean standard of compliance, as all CSOs would need to meet all controls as they would for a JAB authorization
  • It provides scalability afforded by the commercial services landscape

The “FedRAMP-compliant certification” would be similar to the JAB P-ATO in that it would be a general status indicating compliance with the FedRAMP baseline controls. The main difference is that a 3PAO would be taking on the additional work currently handled by the JAB or agency, namely: reviewing and approving massive System Security Plans (SSPs), System Assessment Plans (SAPs), System Assessment Reports (SARs), Plan of Action and Milestones (POA&M), reviewing iterative continuous monitoring (ConMon) artifacts, and validating that any significant changes don’t introduce unacceptable risk.

Agencies would still need to grant an ATO based on FedRAMP compliance – but it would be much simpler, at least for the first agency to use the “certified” CSO

The actual ATO would still need to be granted by each agency wanting to use the CSO. That process could hopefully be simpler and faster with the 3PAO playing more of a trusted role in validating compliance. The ATO process would involve more of a cursory check of the 3PAO’s recommendation rather than an in-depth review of the ATO package.

Agencies would also still be in the loop as an informed party on all ConMon activities and significant change activities. The difference for the agency, just like with the JAB, is that their role would become more of a QA/oversight role rather than the main player – thereby reducing the burden on agency resources. Agencies could even provide 3PAOs with their specific requirements/agency-specific controls and have the 3PAOs handle the ongoing monitoring and validation of compliance to those controls.

None of this would preclude an agency from being very involved in their own acceptance of risk, and agencies would always have full authority to stop using a CSO should they perceive too much risk. This model simply gives the agency (just like the JAB) a trusted representative to handle a lion’s share of the work.

An expanded marketplace of compliant CSOs could offer not only FedRAMP authorized CSOs but FedRAMP certified/compliant CSOs

Allowing any CSP that is able and willing to meet FedRAMP controls requirements to do so and get recognized for the achievement seems like a step in a good direction. It would hopefully encourage smaller CSPs with emerging solutions, who may have difficulty finding a federal sponsor, to become compliant—which is the main objective in the larger battle to better protect all our nation’s cyber infrastructure. Such a marketplace would then hopefully give federal agencies a larger catalog of already compliant solutions to choose from. There are likely many cloud solutions that would be beneficial to government agencies but aren’t available for use because of the FedRAMP authorization process barrier to entry. 

But what about FedRAMP Ready status? Isn’t that similar to what’s being proposed?

It might be argued that the FedRAMP program already has a type of “certification” or pre-authorization option. CSPs can choose to go through the Readiness Assessment process without a sponsor and achieve a FedRAMP Ready listing in the FedRAMP Marketplace. A CSP can demonstrate that they are FedRAMP Ready by working with a 3PAO in a mini-assessment (sans a full penetration test) that involves validation of the CSO boundary, vulnerability scanning, a review of policies and procedures, and validation of compliance with a subset of controls (e.g., the critical controls), to name a few. It isn’t, however, as thorough as the full assessment, nor is it a foolproof assurance that a CSO will achieve an ATO. FedRAMP Ready status mostly indicates to the JAB or an agency that a CSP is committed and has met most of the key requirements to achieve an ATO. However, achieving FedRAMP Ready still leaves CSPs with the challenge of convincing a federal agency to accept the extra work of being their initial sponsor. The risk of getting through the assessment may be reduced, but the workload on the agency is not. As a result, the FedRAMP Ready status does little to alleviate the sponsorship bottleneck. 

The JAB would still govern the program and retain revocation power over any “certification”

The suggestion to push most of the solution vetting and “certification” process to a 3PAO isn’t about taking power away from the JAB. Rather, it allows the JAB to operate one step higher in an oversight role, removing them from many of the time-consuming tasks that go with ATO sponsorship. The JAB wouldn’t need to invest the time and energy in shepherding 12 CSPs per year through the process. Instead, they could move up one step in the hierarchy and oversee the 3PAOs in their processing of 12 of the highest demand/highest impact CSOs.

One way or another, expanding the number of FedRAMP compliant cloud solutions calls for out-of-the-box thinking

While the brainstorm-level ideas presented in this blog post are far from thoroughly vetted, they are an example of the out-of-the-box thinking that may be required to address the limitations of the current FedRAMP system. The Constellation GovCloud (CGC) team is committed to thought leadership, to supporting the federal government, and to contributing to the improved security posture of cloud solutions.


Webcast: How to Target the Federal Market Through FedRAMP

About this Webcast

The U.S. Government allocated more than $18 billion for cybersecurity spending in FY 2021. The Federal Risk and Authorization Management Program (FedRAMP) is one of the most effective vehicles for small technology and services companies to sell to the federal government. FedRAMP was established in 2011 to provide a cost-effective, risk-based approach for the adoption and use of cloud services by the federal government. FedRAMP empowers agencies to use modern cloud technologies, with an emphasis on security and protection of federal information.

In this webinar, Seth Spergel, Vice President, Emerging Technology at Merlin Ventures, will review the FedRAMP program and provide insights and tips for Israeli startups interested in utilizing the program.