5 Takeaways at the Early Stages of FedRAMP
Part of our Series on our FedRAMP journey
One contractor’s story of navigating FedRAMP and a DISA Impact Level 4 (IL4) certification
Why tell our journey of going through FedRAMP?
We’re sharing our story to encourage you regardless of how you’re involved in technology and modernization:
- You’re an Agency that needs help from industry partners (both Government and commercial) to understand and achieve FedRAMP cloud readiness
- You’re an Agency that is sponsoring a Cloud Service Provider (CSP) as a mission owner
- You’re a CSP seeking FedRAMP certification for your product
This series of articles will hopefully tell an interesting story and shed some light into the process.
One caveat: since the project we’re talking about in this series is for the DoD and requires Impact Level 4 (IL4), our certification process has been complex and difficult. We can’t seek certification solely from the FedRAMP Joint Authorization Board (JAB); we have to get approval from DISA to achieve FedRAMP+ certification.
If the product you currently use (as an Agency) or develop and manage (as a CSP) is migrating to the cloud and is categorized at IL3 or lower, your journey to ATO should be faster, cheaper, less risky, and far easier than ours. However, take note that DoD missions are seldom lower than IL4 because DISA requires a Cloud Access Point (CAP) for all connections between the cloud and enclave systems and data.
Hopefully, our story will encourage you that no matter how difficult your certification process is, it can be done successfully—even if your Agency is new to the FedRAMP process or if your team or budget is small.
First, some background about our company and this project.
Synergetics is a small-business IT contractor that has been working with the Government since 1995.
If you’d like to know more about us, here’s a video of our team and how proud we are of their accomplishments:
For many years, we’ve worked with Agencies to develop and maintain mission-critical database systems and software. In this series of articles on FedRAMP, we’re going to focus on one specific contract: software we developed to index, search, and manage millions of parts from disparate data sources, presented as a unified experience that the Government and the armed forces rely on.
For many years, this software was managed by the customer and, like most legacy software, was hosted on the Agency’s own infrastructure.
As modernization began to grow in importance, we noticed this trend and started telling the customer, “Get ready, because the cloud is coming.”
The New Modernization Project
As the wave of modernization began to influence every Agency’s plans, so too our customer realized it was time to look at ways it could upgrade its legacy software, as well as ways to deliver the new software securely in the cloud.
Eventually the opportunity arrived, and we were able to offer our customer a proposal with a new version of the software via licensed Software as a Service (SaaS) entirely on the cloud.
For more than five years, we kept our eyes open for trends in Government IT modernization, but before we won this contract, we had to do a lot of research on our own. Even after we won, the customer did not have adequate time or resources to help us learn about the largely undocumented FedRAMP+ certification process. Similarly, DISA could not answer questions consistently because its own cloud guidance was immature and still changing. While FedRAMP was happy to help, the only (now outdated) information it had regarding DISA’s process was what was already publicly available on its site.
All this meant that during proposal preparation and early in the contract we had assumed some huge risks as a small business dealing with massive organizations, not knowing exactly what would be needed to get the Authority to Operate (ATO), nor how much time and investment it would require.
5 Vital Takeaways at the Early Stages of Certification
The good news is that even though we stepped into a scenario we only knew “in theory,” made our customer nervous, invested six figures up front, and endured delays that proved 100% out of our control, we succeeded in obtaining our FedRAMP Ready designation and are listed on the FedRAMP Marketplace.
By hiring an expert with FedRAMP experience and by talking to a few 3PAOs (more on this in the next article), we were able to get some much-needed knowledge and expertise to keep the process moving forward.
More importantly, and this is what we hope to share in this first article, there were 5 vital things we did that helped us avoid failure in obtaining our FedRAMP Ready designation:
1. We had a long-term, strong relationship with the customer.
Takeaway: Trust and frequent communication between contractor and Agency are vital for success. This was the first piece of advice we received, from one very seasoned 3PAO that helped us understand the undocumented, “real” process, and it proved true.
2. We had been communicating with our customer about the coming trend in modernization and what the implications were.
Takeaway: Set expectations so that everyone involved is not surprised by what happens in the process, the time it takes, the costs, and any other risk factors.
3. The new version of the product we built and would manage in the cloud was critical to solving the customer’s problems.
Takeaway: Make sure that the agency sponsor clearly communicates that the product being modernized is extremely high priority. Any technology that is lower than critical priority will not have enough support behind it to ensure success in the certification process. Additionally, FedRAMP will consider the number of current paying customers, and NOT necessarily the number of users behind a large customer.
4. We ultimately had buy-in from the customer, who demonstrated skin in the game by helping to sponsor the certification process.
Takeaway: As an Agency, you must want the solution enough to be willing to sponsor your CSP’s application. You may even be required to dedicate an ISSM (Information System Security Manager) resource for several months to back that sponsorship. (As a CSP, on the other hand, you need a customer who truly needs your solution, believes in your ability to succeed in the FedRAMP authorization process, is convinced this will bring value in the long run, and will dedicate appropriate ISSM resources during the ATO process.)
5. We put forth the effort and the financial risk to be, as far as it is possible, experts in the process and to lead the way for our Agency customer.
Takeaway: Leading the way in FedRAMP certification is a better way both to achieve certification and to serve your customer.
Finally, the day that we won the contract, and nearly every day until our FedRAMP Ready designation, we were on the phone with the customer, our 3PAO, FedRAMP, and/or DISA, trying to be a step ahead of what was required. Despite our best efforts and intentions, however, sometimes this is not possible – more about this in the next article.