3 Difficulties Faced, 5 Reasons to Hope, and 3 Next Steps
Discover one contractor’s story in navigating a FedRAMP and Security Level 4 DISA certification
As well prepared as our team came into the FedRAMP certification process, we could never have been prepared for the difficulty of navigating the road that is FedRAMP+/DISA certification.
Before making it appear that we are complaint, allow us to clarify that FedRAMP itself has admitted that the process is still too time-consuming and costly for most small businesses. In fact, the FedRAMP expert we hired to initially guide us through this process told us, “You are crazy to try: you might not be able to sustain it financially as a small business and should consider whether this opportunity is worth the risk. By the time you get through the whole process (esp. with the DoD involved), you might not be a business anymore.” At the same time, FedRAMP is an unusual Government organization in how committed it is to improving this—since 2011, there have been many changes for the better.
As hard as it is to believe, the advice our consultant shared from the beginning is true two years later – the process required us to invest a significant amount of money, with no recourse if:
- certification is not achieved due to noncompliance with requirements that were neither well-understood nor published
- if our customer just couldn’t wait long enough for the promised product/service to be delivered due to the length of the authorization process
Therefore, we’re sharing 3 of our experiences to illustrate both how difficult the process is, especially if the DoD is involved, and to demonstrate the support and patience an Agency needs to give its CSP in order to achieve its modernization goals.
3 Reasons the FedRAMP+ Process is Difficult
1. Conflicting requirements
We initially developed our System Security Plan (SSP) with the Agency sponsorship route in mind. Though we submitted our SSP to our Agency customer in record time, from that point the way forward became hard to see, full of hazards, and even changed direction (more than once).
It soon became clear that DISA wouldn’t review our application until we were already listed on FedRAMP; at the same time, our customer did not feel confident in sponsoring our application unless they knew that DISA was going to be on board. This left us in a Catch-22. The only way around this quandary was to pursue a FedRAMP ATO on our own through the JAB and pause the Agency sponsorship route. Once we had a JAB ATO, we hoped to resume the process with our customer to work with DISA and achieve FedRAMP+. This unforeseen delay due to unpublished and changing requirements was costly and effort intensive.
2. Lack of clear guidelines
First, we were instructed to fast track our FedRAMP ATO by attaining an agency sponsorship. As we approached the finish line of this process, the requirements switched and we were told to get FedRAMP- certified through the JAB (meaning, on our own rather than via Agency sponsorship). Cooperatively, we revised our SSP to be applicable in general situations or for general requirements (rather than the specific requirements our Agency needed for the use of our product in our original SSP). Once complete, we tried to submit our application directly to FedRAMP. Unfortunately, due to factors outside of our control, it took nearly half a year to discover that in order to pursue a FedRAMP ATO on our own, we needed to show we had at least 6 separate customers already using the product. It didn’t matter that our product was critical to several Agencies and relied on daily by hundreds of thousands of users—because we didn’t have 6 unique customers buying it, we could no longer pursue our FedRAMP certification via the JAB. Eventually, our DoD mission owner PMO confided in the FedRAMP JAB that this requirement needs rethinking.
3. Lack of communication between FedRAMP and DISA
To begin the FedRAMP application process, we initially used the thorough guidelines provided on fedramp.gov while engaging our 3PAO. Eventually, this led to conversations with our Agency to try to understand DISA’s requirements, as these, unlike FedRAMP’s requirements, were not clearly and publicly outlined. After these initial conversations, it soon became clear that DISA and FedRAMP did not have a proven plan for how to certify products and services with an Impact Level 4 (IL4) security categorization. The important thing for Agencies to know, therefore, is that anytime a product has an IL4 or higher security categorization, or the product needs authorization to work within the DoD, it has so far been destined to run into this gray area of misunderstanding and miscommunication.*
When our application ran into this gray area, it led to the many pitfalls we found ourselves in, including costs increases, delays, and significant risks to the contract.
*Recent signs show this is changing for the better!
5 Reasons We're Hopeful
As we talked about in our previous article on our FedRAMP journey, taking the lead for our customer in the process has been critical for every success along the way. It is because we continue to make progress and to see improvements in the communication between stakeholders (including FedRAMP, DISA, CSPs, and others) that we’re hopeful for the future accessibility of FedRAMP. Here are 5 specific reasons for our outlook:
Through the experience we’ve gained, we’ve grown in confidence, not only in how the process works (and that it works), but in our ability to overcome obstacles (both the few expected and the many unexpected). For this reason, we know that other Agencies, when working with the right CSP, can be confident their desired product/service will achieve certification.
Due to our team’s tireless effort and communication with all parties involved, we’ve earned credibility and confidence from our 3PAO, our customer, and from FedRAMP that we are serious in our effort and capable of success. This confidence helps move the entire process forward because every party knows that this is a mission worth putting effort into.
3. Kaizen (continual improvement)
As we’ve shared in a previous article, FedRAMP itself is motivated to continually improve how well it meets its goal of a modernized Government, while providing a secure, efficient way for small business partners to provide the necessary products and services for modernization.
In July of 2019, a Congressional subcommittee on Government operations met to discuss FedRAMP and whether it is achieving its stated goals: where it’s doing well and where it’s fallen behind. This attention and oversight were helpful for our own application, moving communications forward and to giving us a much-needed confidence boost.
5. The FedRAMP Marketplace
Though not the same as a FedRAMP ATO, achieving the “FedRAMP ready” designation was the perfect stepping stone for us to prove, both to our customer and to DISA, that our team was fully capable of offering a secure product on the Cloud. This “small” win on our journey to a full ATO is a huge milestone for our company, and yet we believe that if the FedRAMP+ process had been better planned, an ATO after 1.5 years would have been possible for us to achieve as well. We hope by sharing this story it will become faster and easier for other projects (with the same Impact Level) to achieve an ATO.
3 Next Steps
2. If you’re an Agency needing small business set-asides, reach out to us. As a small business, Synergetics is blazing a trail, bearing scars for proof, for our FedRAMP+ (IL4), SaaS application. Though many others have achieved this level of certification, it is rare for a small business to able to achieve it. Along with outstanding CPARs over the last 12 years, our company is leading the way in helping Government Agencies excel at achieving their missions.
3. If you’re a CSP/contractor, if you need some advice or encouragement on your FedRAMP journey, or more interestingly, if you want to sell your cloud-based product or service to the Government, reach out to us – we may be able to partner and help you fast-track the process.