FedRAMP 202: The Five most Critical Questions to ask Before you get Started.

Before reading: This article assumes you are already familiar with basic FedRAMP process described at FedRAMP.gov. This article also assumes a small to medium business audience, although large enterprises will also benefit. All opinions are as-is with no guarantees.

FedRAMP (Federal Risk Authorization Management Program) is one of the most rigorous cloud authorizations you can earn in the industry today. Those organized enough to achieve the required standards of compliance and continuous monitoring earn access to provide cloud computing for the lucrative federal market. They also inherit an advantage on deals with state and local governments, security contractors, and international business, thanks to the proven respect the program has earned.

Unfortunately, it is not easy to earn this prestigious authorization. In fact, there are only 102 authorized systems as of this posting. Cost estimates for a mid-size company can reach 4 million dollars, and more if a company is not prepared and organized ahead of time to align resources for success. The most common mistake in FedRAMP is underestimating the effort that each of the four steps (Documenting, Assessing, Authorizing, Monitoring) will take. For example, most organizations are surprised that the on-going monitoring costs, if implemented poorly, can reach 20%-50% of the original implementation costs on an annual basis.

There is no magic bullet to a FedRAMP implementation, but there are ways to prepare so that at every step, the high risk and reward can be managed and aligned with the company. I have talked with a number of companies and personally led the FedRAMP implementation for a mid-size company, and want to share with you the 5 questions every company should ask before kicking off their own FedRAMP implementation.

Question 1: What is the Boundary of your System?

The number one most important question you need to ask yourself throughout the entire process is: what is the boundary of your system. Until you can clearly define what will be in the authorized FedRAMP boundary, and what will not be in the authorized FedRAMP boundary, you should not start any other work.

Think like the military on this one, viz. Where can anything get into my system? Start with your software/web interfaces, usually the first go-to in a SaaS-classified system. Then start going down the layers. 

• Software/web: What needs to be included for my product to run? Where are all the access points? 
• Databases: What information is being stored where, what is its sensitivity
• Infrastructure: What servers do I need to run my software, dbs, etc.
• Internal Services: What monitoring systems will have access to the FedRAMP environment? What about configuration management systems? Billing, accounting, CRM/SalesForce, development, auxiliary, etc.? You will need to know the systems, roles, and permissions for all of these. 
• External Services: Am I using cloud services, or sitting on top of another company’s cloud platform? What is their risk posture (do they do business with the federal government, have a FedRAMP authorization, etc.?) What information do they store? The minute you bring other systems under your boundary, things get complicated fast.
• Physical Data Centers and Connections: What Data Centers are in your boundary and what within those data centers is going to be within the boundary? What access, both physical and remote, do people have to resources in that data center? How do remote personnel access the system, and how do you control those access points? If you are using a Public Cloud offering, what is their security posture?

If you don’t have a clear boundary, you will end up trying to apply the FedRAMP controls to everything you own. This is usually financially out of the question and physically impossible.

As one of your first steps, grab the inventory workbook template and fill out the assets you wish to include in the system boundary. Identify the types of information in the system (you should already be doing this), their sensitivity levels, and where they reside in the system, at rest and in transit. Use this document throughout the phases of FedRAMP as a baseline for discussions with your consultants and later audit points with your assessors and the FedRAMP Agency/PMO. 

Question 2: What are your gaps?

Once you have your system boundary, you need to know the ‘gaps’ you have in the system. An elementary mistake some companies make is to jump into the minutiae work before they have a real concept of system operations. If you don’t already have a documented CONOPS (Concept of Operations) to guide you, download the Readiness Assessment Report (RAR) template (even if you are not going through the FedRAMP Ready/JAB process) and use it to guide your high-level gap analysis approach, then work your way down to the individual requirements. The RAR is extremely useful for this stage because it organizes the most important information in a less technical way than NIST 800-53 Rev 4. Remember, the Joint Authorization board (JAB) created the RAR to get a starting idea of the readiness of the system. There is nothing stopping you from getting the exact same benefit.

              Once you have your gaps, record them in a matrix to that shows their status. I used a document that resembled a hybrid requirements traceability matrix/work breakdown structure. 

Once you have answered these first two questions, you have the most critical components to build a successful project plan. The next three questions have to do with your organization’s execution ability.

Question 3: What is your knowledge of the entire FedRAMP process?

FedRAMP is a rapidly changing process. While not complicated (miracle for the government), it is nuanced. You need to understand each step of the process, along with the challenges and interactions with 3rd parties (partners, assessors, agencies, etc.) Furthermore, there are different paths to FedRAMP Authorization and you will need to understand which path will help you achieve your goal the most effectively.

Analyze each step of the process and the decisions that need to be made during each step. Create a tentative plan, even if there are large unknowns. The first question you should always ask when planning a step is, “What does my sponsoring agency and the FedRAMP PMO want from this step?” Do not treat Documentation as a documentation step; this is your time to implement the required changes to fulfill the controls as well, and you will be doing this at the same time that you document the system. These decisions will not just be scheduling decisions; you need to take into account your target market, and your strategy for federal contracting.

Question 4: What is your buy-in level from executives and from departments that are most affected?

FedRAMP must be executed at an organization-wide level to be successful. That means you are working across departments and teams that are not used to collaborating with each other. A siloed approach virtually guarantees massive waste and a nightmare assessment phase. To compound the matter, companies almost always initiate FedRAMP in a rushed manner; executives are urgent about the potential gains without understanding the time and cost required. Before jumping into FedRAMP, you need a C-level sponsor and they need to understand the risks to time and cost, because they will need to champion these at various stages in the project.

If no one at the C-level is willing to take ownership, ask yourself how you will get anything else you need for the project when the going gets tough. You likely don’t have the buy-in you need.

Question 5: What is your capacity for continuous monitoring?

This is a nasty ‘gotcha’ that you should plan for from the start. Many people are surprised that Continuous Monitoring for the first year can cost 20%-50% of total implementation project costs. This is usually because they skipped question 2 (did you realize just how many controls require regularly reported monitoring?!) or question 3 (The FedRAMP authorization is a continuous authorization, not a point in time authorization. This is the 4th major step in the process). By the end of the project your team will likely be exhausted from creating hundreds of pages of documentation, implementing changes to a newly designed FedRAMP environment, and meeting the simultaneous demands of auditors, agencies, and the FedRAMP PMO. Before they begin, make sure that they understand the continuous monitoring component, and build provisions in your plan to implement continuous monitoring processes as part of the acceptance criteria.

FedRAMP can be daunting to those beginning their first implementation. The good news is that there are over 100 success stories and by asking the right questions, you can lead your company to become one of them too. The bad news is that these questions are just the beginning. If you want to know how to take your fledgling project to a successful conclusion, stay tuned for more.