Seven common misconceptions about FedRAMP ATO
nellmarie.colman
Wed, 08/05/2020 - 11:45
Cloud solutions providers (CSPs) excel at building and delivering technologies that help solve their customers' biggest challenges. It's what they're best at. CSPs are not, however, typically well-versed in comprehensive federal security and compliance standards and the hundreds of requirements involved.
Yet, to sell their solutions to the U.S. Federal Government, CSPs must first achieve a FedRAMP Authority to Operate (ATO), demonstrating they meet these standards.
The FedRAMP ATO certification process can be daunting, expensive and time-consuming for CSPs. And to make matters worse, CSPs often approach the process with misconceptions that can become significant barriers.
Through our experience helping businesses achieve their FedRAMP ATO over the years, we've identified seven misconceptions that occur most frequently. By sharing these with you, we hope you can avoid making the same mistakes and have a more successful journey toward your own FedRAMP ATO.
Misconception #1: I do/don't need to be FedRAMP compliant.
Depending on which services you provide, you may be required to be FedRAMP compliant (in the case of selling SaaS), even if you are not actively seeking a government contract. In other cases, you may be seeking compliance when it's not actually needed (e.g., you aren't a cloud service). Do you know your situation?
Misconception #2: You can get FedRAMP-ready on your own.
Unfortunately, there's not an itemized list of best practices that you can check off as you move down the path to authorization. FedRAMP ATO is a formal government designation that must be implemented, assessed by a third party and validated by the government.
There are timelines to meet, schedules to build and testing to coordinate. Some processes can track in parallel, while others must proceed in sequence. Documentation must be managed properly so that there are easy-to-follow paper trails. Any delay will cost you money.
And don't forget, you also have your own business to run at the same time, with finite IT resources that might be at risk of being stretched thin.
Misconception #3: Once you become authorized, you are authorized forever.
It would be nice if, after all your hard work to get authorized, you simply stayed that way, but unfortunately this is not the case. You must get reauthorized every year, usually at a cost of around $1 million per provider, per year. You must also continuously monitor and document security and governance requirements to maintain your FedRAMP ATO.
Misconception #4: JAB authorization is better than an agency authorization.
While a Joint Authorization Board (JAB) Provisional ATO (P-ATO) may streamline some things, an agency ATO is just as effective. In addition, an agency ATO is typically faster and cheaper to achieve, as you get to skip the FedRAMP Ready step.
Misconception #5: You must use a 3PAO for advisory services.
Many third-party assessment organizations (3PAOs) pitch costly (and often unnecessary) consulting services up front that can put you behind the eight ball financially. It's better if you can establish the requirements your system meets and plan which actions your team must take to address vulnerabilities before you engage a 3PAO.
Misconception #6: Federal agencies are reluctant to sponsor a FedRAMP authorization.
With all of the regulation and rules around the FedRAMP ATO process, it's easy to think that federal agencies are reluctant to sponsor FedRAMP authorization. Thankfully, this couldn't be further from the truth. The federal government realizes that the intrinsic benefits of the cloud (e.g., remote access, scalability, collaboration efficiency) help it achieve its mission to deliver services to the public. Agencies are always looking to sponsor new CSPs.
Misconception #7: Attaining a FedRAMP ATO is straightforward.
Attaining a FedRAMP ATO is an arduous process. You must meet more than 300 requirements, as outlined in 1,200+ documentation pages. With an average investment of $2.25M to get authorized, you'll want to make sure you're investing your time and money properly. Thankfully, there exists a shortcut of sorts via inheritable security controls, which can minimize the number of controls your company must complete in-house, saving you time and money.
Streamline your FedRAMP ATO journey
With Rackspace Technology, you can leverage the power of inheritable security controls and be FedRAMP ATO authorized in as little as four months. Rackspace Government Cloud became the first JAB-authorized platform-as-a-service, back in 2015. Since then, we've helped over a dozen CSPs obtain their FedRAMP ATO. And we can help you, too.
If you'd like to take a deeper dive, I invite you to attend our upcoming interactive workshop, where you'll learn first-hand from subject matter experts who live and breathe FedRAMP, including an authorized CSP, a compliance ISV and a 3PAO. You'll also learn how to manage FedRAMP security and governance requirements and get your government cloud solutions to market faster. Topics we'll cover include:
Achieving FedRAMP ATO three times faster while saving 70% on monthly operational costs
Reducing advisory, engineering and audit costs to free up time and resources for innovation
Automating security governance and documentation to ace the assessment
Attaining always-on, scalable and secure infrastructure and accessing managed capabilities and tools when you need them, whether your cloud is private, public or hybrid.