Securing FedRAMP Status Can Be a Profitable Endeavor
For private-sector firms, government contracts can be extremely lucrative. They can also be very complex, especially when it comes to all of the necessary authorizations required to operate in the public sector.
As companies and the U.S. federal government moved more operations to the cloud, the Federal Risk and Authorization Management Program (FedRAMP) was born. FedRAMP, which was established in 2011 by the Office of Management and Budget, provides a standardized, cost-effective approach for federal agencies to adopt and use cloud services. It was designed to ensure that cloud services used by the U.S. government are secure and that agencies don’t have to duplicate security assessments.
FedRAMP has authorized several hundred companies, enabling federal agencies to adopt certain cloud technologies while maintaining security compliance.
“It’s the price of admission to be able to sell to the largest market in the U.S., which is the federal government,” says Travis Howerton, CEO and cofounder of RegScale, a tech startup offering governance, risk, and compliance (GRC) and continuous controls monitoring (CCM) platforms.
Companies like RegScale were founded to help technology vendors, business process outsourcers, managed services providers, and similar firms break into the government market. Companies looking for FedRAMP certifications should develop a holistic business strategy, experts say, noting that it’s not an endeavor to be undertaken lightly and will likely require significant investments in time and resources.
“Government security requirements tend to be more stringent. It’s a significant lift in documentation, hardening, auditing, etc. It can be hundreds of thousands, if not millions, of dollars, and take months, if not years, depending on where you’re at in your journey. It’s all a significant undertaking,” Howerton says.
Companies need to have significant business with the federal government to realize a return on their investment, experts agree.
The amount of time, resources, and expense involved depends heavily on the level of risk involved: low, moderate, or high.
Low-risk companies provide public websites, publicly releasable information, and scientific information.
Moderate-risk firms, which make up the bulk of the service providers with FedRAMP authorization, process controlled unclassified information (CUI).
High-risk companies handle the most sensitive data. Companies falling under this classification have many more controls, a heavier security burden, and more monitoring than companies in the other two categories.
Hypori, a provider of mobile data access solutions, achieved the high-authorization designation in March, joining the likes of Microsoft, Google, Pegasystems, and dozens of others.
“Data is the lifeblood of our national security and economic strength, and securing it is our top priority,” says Matt Stern, the company’s chief security officer. “Achieving FedRAMP High Authorization underscores our unwavering commitment to protecting CUI and [federal contract information] while enabling secure, seamless mobility for federal agencies and defense contractors. This level of mobility is critical as agencies prioritize both operational efficiency and cybersecurity resilience in an evolving threat landscape.”
Hypori’s software enables customers to communicate securely with any smartphone or laptop. The high authorization designation means that users don’t need a separate phone for FedRAMP-related communications, Stern says. “The government and other customers are using us to provide a bring-your-own-device (BYOD) capability.”
Some other major CRM vendors that have achieved varying levels of FedRAMP certification in the past year or two include Content Guru, Talkdesk, Qualtrics, Melissa, Genesys, SuccessKPI, Databricks, Cisco, SAS, and Sprinklr.
Before approaching the federal government business, Hypori already had a significant business in the private sector and knew there would be a government market for its technology, Stern says. “You have to have the addressable market and people who are ready to purchase your capability when it’s [authorized],” Stern says.
The FedRAMP process for companies like Hypori is very intense. However, companies with much simpler cloud applications that won’t be used for sensitive communications or data transmission or storage will have a simpler, quicker, and less costly application and approval process, Stern says.
It Takes More Than IT
Though FedRAMP would at first glance appear to be the responsibility of companies’ IT departments, engineering, human resources, training, physical security, data center operations, and vendor contracting all need to be involved, according to experts, who point out that the multifaceted undertaking requires participation from the entire organization. Participation from top, senior-level executives, mid-level managers, and even ground-level employees can also make a huge difference.
Communication and close collaboration between a company’s different departments are essential to a successful FedRAMP authorization process, Stern stresses. During auditing, the right people need to present the right information, or the entire process is delayed and becomes more costly.
FedRAMP authorization involves several major steps. The first is obtaining consulting advisory and a sponsor: the company seeking authorization needs a government agency to sponsor it, Howerton says. FedRAMP won’t onboard anyone without a government sponsor.
Hypori has 50,000 licenses with the U.S. Army and another 10,000 with the U.S. Air Force. The Department of Defense acted as its primary sponsor throughout the process.
Content Guru, which achieved FedRAMP high authorization status for its storm contact center-as-a-service solution in late March, worked with the U.S. State Department.
“Content Guru values our long-standing relationships with federal agencies, including the U.S. Department of State, which we’ve nurtured over the past 20 years,” said Andrew Casson, Content Guru’s vice president of public sector, in a statement. “Our federal partners understand that security and privacy requirements have evolved significantly over the years, becoming both more critical and more challenging to meet. Their support was instrumental in helping Content Guru achieve the crucial FedRAMP high impact level designation.”
Talkdesk, which achieved FedRAMP Agency Authority to Operate for its Talkdesk CX Cloud Government Edition in February, worked with the Centers for Medicare and Medicaid.
The next step involves building out security controls. This includes developing all documentation, diagrams, photos, technical specifications, and other paperwork that details how the company secures its data and how it operates in a cloud environment. “This is typically the most difficult step for a cloud services provider,” Howerton says.
The number of controls can range from 200 to 400, covering everything from access control to configuration management, personnel security, and everything in between. Each control includes thousands of required parts and parameters, Howerton notes. “Just creating the paperwork often takes six months or more, and that’s assuming that your security posture is in place to meet all the controls. If it’s not, it can take years and millions of dollars to get a cloud service provider in a position to be able to meet FedRAMP requirements. So it’s a high bar, and it’s a pretty laborious process.”
Before even contemplating the process, ensure that it’s necessary for your business, recommends Tim Golden, CEO of Compliance Scorecard, a provider of governance, risk, and compliance solutions for managed service providers. “You shouldn’t go for something just because. If an IT service provider has 100 customers, and only one is going to require FedRAMP authorization, I wouldn’t do it. But if the business is 100 percent focused on the federal government, then it makes sense to go after it.”
The assessment is the next step in the FedRAMP process. This includes not only a government assessment, but a third-party assessment as well to ensure that the company’s controls, documentation, etc., meet FedRAMP requirements. Third-party assessors are highly trained auditors who validate the company’s documentation and provide a report to FedRAMP.
Continuous monitoring also has to be part of the process: companies need to keep demonstrating that they remain compliant.
Companies can’t assume that they are all set once they pass the initial audit, Howerton says. “With many audits, once you get approval, [monitoring] is light. That’s not the case with FedRAMP. It has a continuous monitoring requirement. So every month, for as long as you continue to sell [to] the government, you’re providing detailed reports and documentation proving you’re still at an acceptable risk posture. It can be a significant undertaking, which is also part of that barrier to entry, because it’s so expensive.”
Though continuous monitoring is in place to help ensure continued compliance, all FedRAMP authorizations need to be renewed every three years as well.
In addition to the internal and external resources, companies looking for FedRAMP authorization also need to ensure that they have the financial resources and will be able to reap a reasonable ROI before going through the FedRAMP process, which several experts say can cost anywhere from $200,000 on the very low end to several million on the high end.
The funds are needed primarily for the following:
- internal resources to manage and maintain FedRAMP authorization;
- technical remediation of system issues;
- procurement of new or improved cybersecurity and infrastructure systems;
- third-party advisory preparation services; and
- the independent third-party security assessment.
Along with being resource-intensive and costly, the FedRAMP approval process is lengthy as well. Approvals can take years in very extreme cases, though some companies on the lower end of the spectrum could complete the process in as few as six months.
It took two years for Hypori to complete everything it needed for the Defense Department (specifically, the U.S. Army), then another year for FedRAMP authorization, according to Stern. The Army was the company’s sponsor throughout the process.
“As a small, veteran-owned business, it took a lot, but we now have pretty much every authorization that you need to do business in the federal government, the army, or in the commercial sector,” Stern says.
Accelerating the Process
“One of the best practices is to determine how you can get there faster,” Howerton says. “There are a variety of ways to do that.”
Companies such as RegScale offer technology that automates many aspects of the FedRAMP process, including evidence collection, control assessment, and reporting, eliminating the cost and time needed to develop such technology in-house. Advisory firms, like Coalfire, which Howerton calls one of the best in the business, can help build out FedRAMP application packages.
A third option is to work through FedRAMP landing zones. These landing zone firms, which are already FedRAMP authorized, conduct all the monitoring in exchange for a fee.
Some companies use a combination of third-party automation, advisory services, and landing zones to achieve FedRAMP authorization.
Regardless of which approach or combination of approaches companies use, they should be wary of third-party organizations that promise extremely fast approvals, Stern cautions. “If somebody’s promising that you’re going to get FedRAMP approval in 30 days, that’s just not true. Government doesn’t move that fast.”
Stern also cautions that advisory services might not be worth the price they charge. Hypori started with an advisory service, but even though the company is small, it found that it could do much of that service’s work internally, saving on the expense. FedRAMP offers some templates to help companies start the process.
“Make sure you have your house in order first,” Golden recommends. That means more than having the technical capabilities and controls in place. FedRAMP aspirants also need to have the right company culture. Pursuing FedRAMP authorization can mean a significant shift in how a firm conducts business.
“Having gone through this ourselves, the very first thing that I noticed was that we were doing a lot of the right things, but we had nothing written down. So I had to spend more than six months just writing down what we were doing and making sure it met the requirement. You couldn’t just Google things back then,” he continues.
Simply writing things down isn’t enough, Golden adds. “I had to sit with the staff and make sure they understood that as a government contractor, we had to do things a certain way or we would lose all of our work.”
Internal preplanning and research can sharply reduce the time it takes to go from initial search for a sponsor to FedRAMP approval, Stern adds. But even with the preliminary work, the process takes patience and persistence.
Hypori determined that the code it would use for its government business, which had to meet the highest security standard, would be the code for all of its businesses. That meant the company maintained a single code base rather than multiple ones.
And the FedRAMP process continues to evolve as well. The system is currently in its fifth revision, a version it adopted a couple of years ago. The government recently announced the FedRAMP 20x initiative, which is designed to foster a more efficient and collaborative environment, ultimately reducing regulatory burdens and expanding access to the federal marketplace.
The main goals of this latest FedRAMP initiative are to do the following:
- Facilitate the automation of the application and validation of FedRAMP security requirements, with at least four-fifths of requirements to have automated validation. Currently, all controls require narrative explanations.
- Leverage existing industry investments in security by using legacy commercial frameworks already determined to be best-in-class.
- Build trust between industry and federal agencies by leaning into the direct business relationships between providers and customers.
- Enable rapid continuous innovation without artificial checkpoints that halt progress.
Golden said the driver behind the 20x initiative is the current set of bottlenecks that delay the FedRAMP authorization process. “There are too many frameworks, too many rules, too many controls, too many lists, too many things to do.”
No time frame is set yet for when the FedRAMP 20x rules will take effect, so companies can continue to use current processes.
But in either case, the companies that have gone through the process say it was worth it. “Federal and public-sector entities require heightened levels of security to ensure interactions and data stay secure, but citizens, constituents, and other stakeholders they interact with still expect seamless service,” said Tiago Paiva, founder and CEO of Talkdesk, in a statement.
Phillip Britt is a freelance writer based in the Chicago area. He can be reached at spenterprises1@comcast.net.