The Federal Risk and Authorization Management Program (FedRAMP) cloud security framework is a heavy lift for any organization. It requires top-down management approval and a significant financial commitment to support the additional security requirements, resources, and personnel needed to achieve a Provisional Authority to Operate (P-ATO). As a trusted advisor in the FedRAMP space, I am often asked by Cloud Service Providers (CSPs), “I know this is something we need to do, but how do I justify the FedRAMP journey?”
My easiest response is always this: develop a compelling business case for FedRAMP. This business case needs to justify the financial investment, the additional security requirements, the overall time commitment, and the personnel and resources required to achieve a successful P-ATO. FedRAMP can be a costly and complex journey for a CSP to undertake.
Below is a high-level synopsis of the key sections that should be included in any effective business case for FedRAMP:
Develop an Executive Summary
- Purpose of FedRAMP: A CSP needs to document the purpose of pursuing FedRAMP and clearly state the value to the organization.
- Impact of FedRAMP: Explain what FedRAMP is and how it will impact the organization from a corporate, product, service, and current Cloud Service Offering (CSO) perspective.
- Benefits of FedRAMP: Introduce the “why” into the business case. What are the benefits of pursuing the FedRAMP journey? Identify any contracts the CSP was unable to bid on because they required a FedRAMP-approved CSO. Highlight the competitive advantage gained from the enhanced security posture that FedRAMP provides.
FedRAMP Timeline and Milestones
- Develop a FedRAMP Roadmap: Document a high-level roadmap of each step in the FedRAMP certification process. This includes a timeline to develop the CSO, develop the FedRAMP authorization package, and proceed from the initial assessment through to final approval.
- Document FedRAMP Dependencies: Detail a comprehensive list of dependencies, such as external system connections to the CSO, infrastructure, authorization package preparation, advisory support, and Third Party Assessment Organization (3PAO) assessments.
FedRAMP Risks and Mitigation Strategies
- Timeline and Complexity: Acknowledge the complexity of the process to achieve FedRAMP. Explain that, depending on the starting point of the CSO and the level of authorization sought, it could take from 8 months to over a year to complete. This includes preparing the authorization package, addressing any known security gaps, and undergoing the initial FedRAMP assessment by the 3PAO.
- Potential Reputation Risk: Highlight the potential reputational risk to the organization if it fails to achieve or maintain FedRAMP certification for the CSO. An inability to pass the initial assessment, or delays in meeting set deadlines, could damage relationships with government agency clients and lead to lost business for the organization.
- Identify Resource and Staff Constraints: Detail the potential strain on current resources. Consider whether additional resources are needed, particularly for smaller organizations, as the FedRAMP authorization process requires significant time and attention from various stakeholders in order to achieve and maintain FedRAMP.
- Risk Mitigation: Suggest an approach to managing FedRAMP risks. Prioritizing the most critical aspects of the FedRAMP process, scaling internal efforts to a manageable scope, or outsourcing some of the work to consultants could help manage the risk of not achieving FedRAMP.
CSO Market Opportunity
- Federal Government Demand: Highlight the increasing use of cloud service offerings within the federal government and the corresponding need for those solutions to be secure. Explain how FedRAMP certification is becoming a prerequisite for competing for some U.S. federal agency contracts.
- Competitive Differentiator: Explain how the organization will differentiate itself from competitors that have not achieved FedRAMP authorization. This showcases the organization as a trusted provider of secure solutions to the federal government.
- Revenue Growth Potential: Summarize the potential new revenue streams from U.S. agency contracts that will open up as a result of contractual requirements for FedRAMP-authorized solutions.
Compliance and Security Considerations
- Compliance Requirements: Emphasize that FedRAMP is not just a certification but a demonstration of the organization’s ability to meet the most stringent security requirements for cloud services used by the U.S. government.
- Ongoing Security and Assessment: Explain the FedRAMP annual assessment and detail the continuous monitoring requirements of FedRAMP. Underline this area, as it is where most organizations get into the most trouble with FedRAMP: the continuous monitoring and annual assessment phase.
Perform a Cost and Resource Assessment
- Identify Initial Costs: Document the costs associated with FedRAMP, including resource allocation, consulting fees, and the upfront costs of a 3PAO.
- Explain Ongoing Costs: Summarize the ongoing costs of maintaining FedRAMP authorization. This includes continuous monitoring activities, resource constraints, annual assessments, and updates to the FedRAMP authorization package.
- Resource Requirements: Estimate the resources required to achieve and maintain FedRAMP. Document the resources, time commitment, and expertise required to manage the CSO’s compliance program, continuous monitoring activities, and annual assessments.
Potential Return on Investment (ROI)
- Additional Revenue Potential: Estimate the potential revenue that could be generated from federal contracts that require FedRAMP authorization. Be sure to include any projections based on the size of the federal contracting market, market trends, and the organization’s potential share of the FedRAMP market.
- Marketability: Achieving a FedRAMP certification is a great marketing tool in the eyes of both the public and private sectors. It can open new sales avenues and identify potential partnership opportunities with businesses already in the FedRAMP space.
By addressing these topics thoroughly, a compelling business case that explains both the financial and strategic value of FedRAMP can be developed and communicated to upper management.