On Championships and Compliance: Contemplating Fantasy Football and FedRAMP

Recently, one of my clients sent me the following Slack message: “Chargers hired Jim Harbaugh!” It was just after 8 pm and seeing the message made me smile (and not just because I feel like Justin Herbert finally has a chance).  

You may be wondering why a client is messaging me about football news. More importantly though, why does it make me smile considering it’s after normal business hours? Well, I have been supporting this client and their FedRAMP journey since 2021 and we’ve bonded over football. Once the season starts, we start our meetings/calls with a quick chat about the games of that week. 

Another reason I look forward to football season are my fantasy football leagues. For the past few years, I’ve participated in two main leagues. I affectionately refer to them as my money league and my grocery league – with the money league named as such because of the larger buy in amount. This year, I was able to convince some colleagues to participate in 38North’s first fantasy football league (no buy in). 

As I was playing in my money league (my most competitive league), I noticed some parallels to the FedRAMP process. Now, I’m not going to get too deep into explaining all the fantasy lingo. There are a ton of other websites for that.  

What I am going to do, however, is tell you the observations I made. 

Looking to achieve FedRAMP authorization? Speak to a 38North security expert today.

Researching the Requirements 

Fantasy football leagues vary greatly. As you’re deciding which leagues to join, important aspects to look at are the league settings. Although there are certain skill positions you have to fill, the number and types of roster positions differ from league to league. At the very least it’s quarterback, running back, wide receiver, and tight end (like Travis Kelce, whom you might have heard of because he’s Taylor Swift’s boyfriend).  Other typical positions include flex spots, a kicker, and a defense. Rounding out the roster are the bench spots for your backups/handcuffs.  

These all depend on how the league was set up by the commissioner and can make or break your season depending on how you draft. To give you a simple idea of the differences: My money league is a superflex league with 17 active roster positions (QB, RB, RB, WR, WR, TE, W/R/T, W/R/T, Q/W/R/T, K, DST, 6 Bench spots, and 2 injury reserve spots).  

Alternatively, we kept the 38North fantasy league a bit simpler with a 1 QB league with 14 active roster positions (QB, WR, WR, RB, RB, TE, W/R/T, K, DST, 5 bench spots, and 2 injury reserve spots). Knowing what you’re signing up for is important in planning out your strategy and approach. Since I’m used to picking up players with “potential” in my money league draft, this strategy hurt me in the work league when there wasn’t necessarily a reason to stash certain players, especially when there were productive players sitting on the waiver wire. 

When you’re making the decision to go down the FedRAMP path, there are similar considerations. For example, are you going for FedRAMP low, moderate, or high? You don’t have as much leeway with choosing the baseline since it’s depending on the system’s FIPS 199 categorization and types of information that is stored/processed/transmitted. However, it’s important to research before you jump in because you may end up having to buy tools to meet the requirements you don’t already have in place. That could be some type of multifactor authentication solution, a security incident and event management tool, antivirus host protection, vulnerability scanner, etc. Along with determining the baseline is finding a sponsor – whether you go the Agency route or the Joint Authorization Board (JAB) route. Depending on the Agency you choose for sponsorship, there may be additional requirements or documentation that is needed. An example is the Department of Veterans Affairs which requires an additional set of controls for systems that contain personally identifiable information (PII). Getting these details squared out in the beginning help set you up for success.   

Learn more: What You Need to Know About FedRAMP and Its FIPS Nuances

Managing Your Budget and Building Your Team 

Personally, I prefer auction drafts because you control your own destiny and have a shot at all the players. Another reason why I love them is because there is more strategizing in terms of managing your budget and figuring out how much you’re willing to spend on the players you want. My money league auction draft had a budget of $200. If you were to split that evenly across the 16 active spots, there is an average of $12 to spend per player. Much like the real world, coveted items come with a hefty price tag. Top quarterbacks can go between $40-$60, especially in superflex leagues since most players draft a second quarterback for the superflex spot.  

Well, if you’re cloud service provider (CSP) going through the FedRAMP process, there are certain tools you’ll need to purchase to comply with the FedRAMP requirements, if they aren’t in place already. Rarely do CSPs have an unlimited budget (but if you do, I’d love to speak to you), so there’s a bit of management that needs to happen when selecting your tools. How much are you willing to spend on each tool in order to get the specific result you want? Whereas I’m looking for a solid quarterback, you may need a security information and event management solution (SIEM). Similarly, while I’m pondering which wide receivers to draft, you may need various boundary protection items such as firewalls or intrusion detection system (IDS). These things cost money, and despite money trees being a real plant, it does not grow on trees. Therefore, being able to manage a budget to meet your needs is not only a life skill, but also a FedRAMP control. 

When drafting, it’s helpful to do some research when deciding which players to draft. How have they performed in the past? Do they get injured a lot? What kind of offense does the team have? As a CSP, you also need to do your due diligence when deciding which products or services to acquire. This is where your vendor management program comes into play as you evaluate factors such as whether the product is FedRAMP-authorized, what the system requirements are, does the vendor adhere to any frameworks, etc. Don’t be like a colleague and seek out a “Baker Mayfield” of SIEM solutions. Do your research and procure one that will provide the support your system needs rather than relying purely on name recognition. 

After considering budget and system requirements, you now have to think about how all your players (or tools/services) work together. Have you meet the requirements by filling all the designated roster spots? Do you have contingencies, such as viable bench players if a main player is out or injured? 

Looking to build your FedRAMP authorization team? Speak to a 38North security expert today.

Monitoring Your Lineup 

The 38N draft lasted 2+ hours and that’s only the first hurdle. Every week, you must set your team; as in, make sure injured players are benched and replaced with healthy ones. Ensure your starting players have favorable matchups. Make smart waiver wire pickups. Why? So your lineup gets the most points possible because that’s how you win your match. There is nothing worse than seeing a donut (a big fat 0), or even worse, negative points in your starting lineup. 

Can you just set it and forget it? Sure, technically. But that doesn’t win you any championships, does it?  

This is similar to achieving your FedRAMP Authority to Operate (ATO). That’s only step one. You have to continuously keep proving that you are still meeting all the security requirements. As the system owner, you have to keep monitoring your controls, doing your scans, and doing your reviews.  

Bye Weeks and Contingency Planning 

All teams get a bye week which is determined before the start of the season. If you drafted smartly, you have replacements sitting in your bench spots that are ready to cover the weeks your main players are on bye. This goes back to the due diligence and strategizing. There is nothing worse than drafting multiple running backs that have the same bye week which leads to no points for that position that week or relying on second/third string players that won’t get much playing time unless there is an injury.   

Consider these bye weeks as scheduled downtime for maintenance if you’ve been tracking them, or a sudden disruption/outage if you aren’t planning ahead. When these things occur, you need to have backups and alternate sites that can be activated to get things back on track and keep the system running as smoothly as possible.   

Whereas I’m sliding Jordan Addison into the WR1 spot when Tyreek Hill is on Bye in Week 10, you may be failing over to AWS US-West-1 when AWS US-East-1 goes down. 


Think of football injuries like security incidents (at least that’s what I like to do). You need to respond and remediate quickly the same way you need to pick up a new player from the waiver wire or sub in a different player from your bench, depending on how you want to respond to it.  

One of the cool things about fantasy football are the apps that alert you when there are “incidents.” Fantasy Life, for example, will alert you as soon as it’s known that a specific player is injured or out. These notifications pop up quicker than the playing platforms alert you so you can quickly adjust your lineup. How fast you’re able to react is key, especially when it comes to scooping backup players from free agency. If you don’t react fast enough, an opponent can steal them in an attempt to weaken your team and potentially leaving you with a 0 for that spot.   

Similar to this, when you think about it in terms of FedRAMP, you’ll need a monitoring system that sends alerts about incidents so you can respond to them immediately. Think of Fantasy Life as your SIEM which is correlating logs and event activity from other monitoring tools such as the antivirus solution, IDS, firewalls, etc., and alerting you to indications of malicious activity. The quicker you get notified, the faster you’re able to respond and trigger your incident handling process.   

Learn more: Decoding FedRAMP Baselines: Get to Know Low, Moderate, and High Impact Levels for Compliance

Making Adjustments 

Making lineup changes does not always have to be reactive due to injuries or bye weeks. It’s important to evaluate your lineup and make adjustments if players are not performing well. A great example of this is Stefan Diggs. He helped me win multiple matchups in the start of the season with the way he dominated the field. However, starting Week 10 there was a noticeable drop in his usage and the number of points he scored which I attribute to a change in the “threat environment” i.e. the Buffalo Bills named a new offensive coordinator. Had I been proactive, I would have tried to trade him away or move him to a bench spot, but I didn’t. That ended up costing me a few games towards the end. 

Part of maintaining your system is validating the ongoing effectiveness of your technical solutions and fine tuning as needed to address changes in the threat environment. This could be related to updating the level of auditing by system components or adjusting the level of system monitoring by updating rules and alerts in the SIEM. It’s important to periodically evaluate your system and make adjustments as needed to ensure that your tools/services are working efficiently and effectively. 

Dynasty Leagues 

Although I stick to redraft leagues so any bad decisions are erased the following year, I know of others that participate in dynasty leagues where your mistakes or successes can affect your team for years to come, like any football franchise. Your draft moves hold much more weight as those players remain on your team for years barring any trades.  

There’s a common misconception when it comes to CSPs achieving FedRAMP. Any good advisory service (like 38North) will tell you that FedRAMP authorization is an ongoing process. When you achieve ATO, you’re told that you can use the system for a certain number of years. Some CSPs will take that to mean that they’ve achieved something and it’s time to move on to the next thing. That is the furthest thing from the truth because a FedRAMP ATO is something you’re going to have to maintain for the foreseeable future, along with your dynasty league team.  


When I was advertising our work league, one colleague told me “I would do fantasy football, but I don’t like all the effort lol.” And that’s fair! It takes a lot of effort to manage your team each week, especially in competitive leagues. As mentioned earlier, you can try to set it and forget it, but bye weeks and injuries make that tough.  

Similarly, it takes a lot of effort to run the continuous monitoring capability. Can you do your own continuous monitoring in-house? Of course you can. There’s nothing stopping your team from learning about FedRAMP requirements and making sure you’re always meeting them. Is it the best use of your resources? Maybe not. Similar to budgeting for players and tools, you also have to think about all the resources you’ll have to spend, monetary or otherwise. It could be wiser to have a team (*cough* 38North *cough*) with several years of experience do the continuous monitoring for you. 

Whether you’re looking to achieve FedRAMP authorization, need continuous monitoring support, or just want to talk football, 38North is your team. Get in touch with our security experts today.