Discover one CSP’s story in navigating a FedRAMP and Security Level 4 DISA certification
The last update on our FedRAMP story was shortly after we achieved our FedRAMP Ready designation. Since then, we have started moving toward the most difficult stage of all – the review.
Let us share with you how we got here.
We initially began this FedRAMP journey with the agency sponsorship route in mind: with one umbrella agency (and many Government customers) who depended on and wanted our solution delivered in the Cloud, we believed (and were told by the FedRAMP team) that this would be the best and fastest way to achieve an Authority to Operate (ATO). We created our first SSP with this in view; nevertheless, we soon had to pivot upon learning that the agency sponsorship route was not an option for us.
Side note, but important for the industry to consider: interestingly, based on our conversations throughout this journey, it is beginning to sound like many (most?) agencies are hesitant about the risk and cost involved in the agency sponsorship route, and as such it might be time for FedRAMP to re-evaluate this method of authorization. If the only realistic route for most CSPs to achieve FedRAMP authorization, particularly authorization at IL4 or above, is through the JAB, the process will need to change so that it becomes more efficient (in both cost and time) and achievable for small businesses.
For the last 6 months we have been working to get accepted into FedRAMP Connect, FedRAMP’s process for reviewing and prioritizing CSPs (and their Cloud Service Offerings) to undergo review by the JAB. FedRAMP clearly states on its website that in order to be evaluated by FedRAMP Connect, a CSP must submit a “Business Case,” which gives the FedRAMP PMO a standardized way to compare different Cloud Service Offerings (CSOs).
Let’s briefly summarize the criteria that contribute to prioritization by the FedRAMP PMO for a CSP’s Cloud Service Offering (CSO):
The first thing they explained was the purpose of the call: to identify any roadblocks in our security posture before recommending us and moving us to the JAB review round.
⇒ Note: this process is a new step and ensures the FedRAMP team (and CSPs) have a higher success rate when undergoing the JAB review.
The team shared with us that the JAB review process is lengthy and rigorous (more difficult than an agency-sponsored authorization), that they have seen many CSPs fail their first time through (some becoming so discouraged that they gave up on certification altogether), and that for this reason the call helps them screen out CSPs that are not quite ready for prioritization.
In other words, the worst thing that can happen for both a CSP and FedRAMP is for the CSP to be selected for prioritization only to turn out not to be ready for it, wasting time for everyone involved in the process: the CSP’s own, FedRAMP’s, the JAB’s, and that of the other CSPs who now have to wait for the next round.
Thankfully, on our call we learned that while the PMO had some questions about our business case, the questions were minor and easily answered. We were told that the final FedRAMP Connect review would be coming soon, and that our chances for JAB review prioritization were good (nothing promised, of course!).
Here are some of the questions the PMO team had. We share them because, as the PMO explained to us, they are areas that CSPs commonly get asked about or stuck on during the JAB review process:
In our next article, we will report back the results from the next round of FedRAMP Connect prioritization and, regardless of our status, share with you the next steps we will take on our FedRAMP journey.
Thanks for taking this journey with us!