The Federal Risk and Authorization Management Program (FedRAMP) framework is difficult for any Cloud Service Provider (CSP) to navigate successfully. There are financial, resourcing, engineering, and continuous monitoring challenges to overcome in order to obtain a Provisional Authority to Operate (P-ATO).
However, the most critical, and often overlooked area to achieving ATO is identifying a FedRAMP sponsor for the Cloud Service Offering (CSO). A CSP can configure the CSO to meet FedRAMP requirements, develop the authorization package and even have the CSO assessed by a Third-Party Assessment Organization (3PAO), but without a U.S. government agency or department to serve as the sponsor for the FedRAMP authorization process, CSPs are unable to sell the CSO to Federal government contracts that require FedRAMP-compliant cloud solutions.
How do we identify a sponsor? This is the question we often field from CSP’s at the beginning of their FedRAMP journey. Although there is not a Sponsor Depot store to serve CSPs’ sponsorship needs, this guide will help navigate this key component to achieving FedRAMP authorization:
Demystifying the FedRAMP Sponsor
Who are FedRAMP Sponsors? FedRAMP Sponsors are a federal U.S. government agency that either intends to consume your CSO or has a direct interest in ensuring the CSO meets the FedRAMP security requirements for federal cloud services use in the future.
What does the Sponsor Do? A federal agency sponsor has many responsibilities during the CSP FedRAMP journey. Here are a few key areas that a sponsor is involved in. A sponsor:
- Is an advocate for the CSP during the FedRAMP process.
- Is the lead agency in the authorization process for the CSO.
- As the lead agency, engages directly with FedRAMP to track progress on the journey.
- Provides commitment to the CSP and validates FedRAMP compliance through system configuration reviews, evaluates security compliance, and reviews the CSO authorization package.
What a FedRAMP sponsor is not, however, is responsible for providing funding for the CSP on their FedRAMP journey.
Learn more: Understanding FedRAMP Certification Cost: A Breakdown of Expenses and Tips to Reduce Them
Preparing for the FedRAMP Sponsorship Journey
What Does a CSP Need to do First? Prior to reaching out to a potential sponsor, a CSP should have the following items completed. The CSP should:
1. Develop a presentation that serves as an overview of CSO’s technical capabilities. The presentation must include:
- Demonstration to show why the CSO would be a benefit from being a potential sponsor and how the service will meet the agency mission.
- Details about CSO security features and how these features meet FedRAMP requirements.
- A finalized network boundary diagram using the FedRAMP authorization boundary diagram guidance. Depending on the complexity of the information system, CSPs may consider using the FedRAMP ‘Job Aid Packet’ diagram template for developing and presenting their diagram(s).
2. Be prepared to have in depth discussions on FedRAMP security controls and how they have been implemented. By securing a FedRAMP advisory firm to perform a gap assessment, CSPs will be able to provide an independently validated breakdown of how they meet FedRAMP requirements and describe the overall security compliance posture of the CSO and the CSP. CSPs only get one chance to make a good first impression with a potential sponsor, so do due diligence is key in ensuring that the CSO is received well.
How to Find a FedRAMP Sponsor
Contact the FedRAMP Program Management Office (PMO)
- It is always a good move to contact the FedRAMP PMO prior to exhausting other relationships and resources.
- Reach out to [email protected] and schedule an initial meeting. Preparation for that meeting is key.
- Develop a presentation that explains the CSP and the CSO. Focus on how the CSO will help government agencies meet the overall government mission of cloud security. The PMO may be able to offer guidance on which agencies are looking for which solutions and help connect the CSP to the right agency point of contact.
Learn more: Achieving FedRAMP Compliance: The Beginner’s Guide to Authorization
Leverage Existing Federal Agency Relationships
- If a CSP is under contract or has a good working relationship with a federal agency, that CSP can leverage the relationship to gain support for their FedRAMP initial authorization. Simply set up a meeting to discuss them formally sponsoring the CSP’s CSO.
- Research how the current CSO is being used. Determine if there are any contractors currently using the cloud service and whether they have ties to a federal agency contract. If they are inclined, the contractor could help set up an introduction to their agency contacts.
Target Potential Agency Sponsors
Which Agencies do you Target? Identifying potential agencies to serve as a sponsor can seem overwhelming. So, how does a CSP approach targeting agencies? They should:
- Focus their attention on federal agencies that have mission requirements that align best with the CSO capabilities. If the CSO helps provide additional cybersecurity benefits for an agency, maybe approaching a Department of Defense (DoD), Department of Homeland Security (DHS), or Federal Bureau of Investigation (FBI) makes the best sense.
- If the CSO is better suited to a niche capability related to the Federal Aviation Administration (FAA) then maybe target that agency.
- Many potential sponsoring agencies are looking to adopt new cloud solutions to meet federal government security requirements. Identify the agencies that have sponsored the most FedRAMP packages by doing an analysis of the FedRAMP marketplace and determine whether the CSO meets their mission.
Building Relationships That Matter
- Federal Conference Networking: There are several federal government conferences that take place throughout the year. Depending on the CSO, attending the RSA Conference, GovTech events, Gartner Security & Risk Management Summit, or Qualys Security Conferences are great examples of places where a CSP will have an opportunity to network with Agency CIO’s, Agency CISO’s, or procurement officers.
- Attending tailored government events will also provide a CSP access to the right federal decision-makers and meet potential sponsors.
Hopefully this guide can be a useful tool in helping you identify and secure a FedRAMP sponsor for your CSO FedRAMP journey.
About the Author
