Federal agencies are under increasing pressure to modernize IT infrastructure and improve efficiencies across the board. To do that, they need to replace legacy infrastructure and applications with modern, secure cloud-based solutions. Software vendors, systems integrators and government contractors want to provide those solutions, but when the process requires compliance with the Federal Risk and Authorization Management Program (FedRAMP), it can be slow going.
Increasingly, applications intended for federal agencies need to achieve FedRAMP compliance. Many agencies strongly prefer FedRAMP-compliant solutions, and some won’t even consider those that aren’t compliant. Often, they have no choice; agencies looking for cloud deployments at the Low, Moderate or High Impact levels require FedRAMP authorization, and that authorization is more often mandatory for organizations that want to sell cloud solutions, including sought-after Software-as-a Service (SaaS) solutions, to government agencies.
Despite the cost, difficulties and time required to achieve it, FedRAMP compliance is worth the effort for cloud-based software vendors, especially in the area of security. Because it requires them to implement a set of standardized security controls, many agencies report that FedRAMP improves their overall security posture.
Yet despite federal agencies’ desire and providers’ willingness, the road to FedRAMP certification is often complicated, expensive and long. The preparation process can take 12 months or longer, followed by even more time to get through the third-party assessment process (3PAO) and Authority to Operate (ATO) reviews. The entire process can take 24 months or more.
This results in high opportunity costs on all sides. For federal agencies, it slows projects with ambitious timelines, resulting in missed deadlines. For software vendors, government contractors and systems integrators, it’s about lost business opportunities and revenue, according to our survey (see Figure 2). The survey also found that these delays can put a squeeze on the market, leaving agencies concerned about having a limited choice of FedRAMP-certified products (see Figure 3).
Although some of the time-to-compliance issues can’t be controlled, there are ways to significantly accelerate critical parts of the FedRAMP compliance process — including building a secure and compliant FedRAMP environment and getting audit-ready. For example, the typical non-automated process for making a cloudbased application secure and standards-compliant involves 12 to 18 months of information-gathering, evaluation, product integration, configuration, customization, testing and documentation.
“Often, a software development team will either go it alone or work in concert with a consulting services company to get things up and running” explained John Vecchi, Chief Marketing Officer at Anitian. “That can be a popular approach, but takes a lot of time and money, because vendors have to learn the FedRAMP process, assemble and configure the tools, satisfy hundreds of controls, complete thousands of pages documentation, and make sure they are complying with complex FedRAMP requirements at every stage. It’s all incredibly complicated and takes a lot of time, money and resources.”
Speeding up the process requires automating as much as possible. By relying on an automated, standardized, pre-built framework where resources are already integrated and controls are standardized and preconfigured, an organization can be ready for the 3PAO audit in as little as 60 days.
For one vendor looking to deliver a product to a federal customer, the automated approach worked well. The company, whose flagship product is a healthcare data sharing solution, needed to deploy a FedRAMP-compliant solution quickly on both AWS GovCloud and the agency’s network, while ensuring a stable, secure and compliant environment for the long term. Using a standardized Compliance Automation Platform with pre-built technology, documentation, DevOps and 24×7 Security and Operations (SecOps) stacks, the team stood up an AWS FedRAMP environment with all controls, processes and documentation in 30 days and received a temporary ATO from the agency in just 60 days.