What is FedRAMP?
Companies that don’t work with the federal government may not have heard of FedRAMP. FedRAMP stands for Federal Risk and Authorization Management Program. It is a security framework that specifies requirements for assessment, authorization, and continuous monitoring for cloud products and services to be utilized within the federal government. Companies whose products achieve FedRAMP authorization appear in the FedRAMP marketplace, where they can be discovered by and sold to interested federal agencies. It is a potentially lucrative prospect, as unique services with FedRAMP authorization can be sold at a premium. The industry for FedRAMP authorization is estimated to grow from $5.3 billion in FY 2019 to $9.1 billion in FY 2024.
How hard is it to achieve FedRAMP, and why would I want to?
It is not easy to obtain FedRAMP authorization. It requires:
- understanding and compliance with hundreds of security controls from NIST 800-53, a voluminous catalog of security and privacy controls
- submission and approval of thousands of pages of policy and process documentation
- use of specific security mechanisms, such as FIPS-enabled endpoints, and generally prohibits the use of non-FedRAMP authorized services within a system architecture
- annual third-party auditing for compliance and monthly delivery of evidence to support ongoing compliance in a process called Continuous Monitoring.
All of these are at the expense of the product or service provider. Some estimates state that achieving FedRAMP authorization can take more than 18 months at a cost of $1.5M-2M1 to the product or service provider. That said, the same experts estimate that the return on investment of obtaining a FedRAMP authorization is more than 300%!
How does organizational design impact FedRAMP compliance?
Achieving and maintaining FedRAMP is much more than cybersecurity technology and documentation. Supporting the requirements of FedRAMP and Continuous Monitoring is expensive and time-consuming, and most companies focus on the documentation and technical requirements. Cataloging these is straightforward, albeit time-consuming, as is planning and implementation. But if they get that far, many companies continue to struggle with the expensive and inefficient processes required to maintain compliance.
To clear this hurdle, it is important to understand how the organization must change to enable ongoing FedRAMP compliance and implement this design purposefully from the outset. Trying to jump through compliance hoops and manage all the necessary reviews, approvals, and documentation for even a simple change can be inundating. Trying to apply the process with endless meetings creates burnout and kills deadlines. Limiting authority and decision-making to individuals lacking an understanding of the risks or changes they are accepting creates bottlenecks, adds no value, and only slows the value chain further.
The bottom line is that until you streamline your organization and your processes, your team will suffer from negative experiences as they spend all of their time “working the system,” resulting in painfully slow change throughput and delayed time to market.
A key point worth repeating is that this organizational design must be applied first. Trying to do so after the fact will be extremely painful and likely impact all FedRAMP document requirements. Instead of working the system, design a system that works!
The four steps to organizing your team to support FedRAMP compliance
With a team of three developers, Pariveda helped our nonprofit client achieve FedRAMP Moderate for their cloud-hosted SaaS product. This achievement opened new horizons and revenue streams for our client to expand their mission. These were the keys to success that you can also apply to your organization:
Establish roles and organize around the necessary activities
Important considerations for the necessary roles are the Separation of Duties and the review and approval of security impacts and system changes. Our team accomplished this with three developers and a small team of security reviews and change control approvers, including the CISO. These roles are action-oriented and eliminate unnecessary approvals.
Create a minimal cadence of simple, efficient meetings with standing agendas
The standing agendas ensure the required reviews and change control requirements are met. Posting meeting minutes essentially creates audit evidence that will streamline audit requirements. Our team has three standing meetings that you can mirror:
- A weekly 30-minute security review to discuss the security impacts of proposed changes, as well as review the disposition of new and known vulnerabilities and their remediation plans
- A weekly 30-minute change control board meeting to review and approve all changes to the system
- A monthly 1-hour security audit with the purpose of a rolling review of FedRAMP artifacts; dozens must be reviewed and updated regularly, so spreading these out throughout the year is extremely helpful
Commit to continuous improvement
Discuss the process and be open to experimental changes to improve efficiency. Challenge the norms. Eliminate unnecessary meetings, reviews, and approvals. As you begin to practice your continuous monitoring process, make time to discuss the process itself and propose changes to streamline it.
As your team becomes more proficient, you can eliminate redundant or unnecessary conversations or approvals in meetings that offline communications could replace. Weekly security review and change control meetings can quickly go from 1 hour to 30 minutes, and you can likely eliminate at least one of them in the future because you can generate the evidence and review it together offline. And now, with data providing visibility into where the team spends its time, you can make plans to streamline your infrastructure to save cost and, more importantly, the team’s time spent on upkeep. All of these improvements free the team up to continue building features and capabilities that enhance the customer experience, which is most important.
Take advantage of cloud-managed services and technologies
Managed services and technologies will minimize your team’s effort to maintain compliance and allow them to focus on implementing beneficial changes. Our technology stack leverages serverless architecture and database services managed by our cloud provider. The FedRAMP authorization of these services is inherited, so there’s no additional work for a team to maintain them. While vendor-hosted FedRAMP-authorized tools like Splunk Cloud are extremely expensive, self-hosting the “on-prem” versions in a compliant way requires a tremendous amount of upkeep, and the hosting costs are significant. It’s not hard to justify the cost of the FedRAMP-authorized versions.
Pariveda has deep expertise in application development in the cloud, organizational strategy, DevOps, cloud cost optimization, and product strategy. We are an AWS Premier Partner with competencies including DevOps, Education, Nonprofit, Healthcare, Data & Analytics, Digital Customer Experience, and Machine Learning. Contact us for more information on how you, too, can be successful in your FedRAMP journey.
