The Four Phases of the FedRAMP Ready Process
Did you know? The historic Apollo 11 mission that put a man on the moon took eight days, three hours, 18 minutes, and 35 seconds.
Sometime later, Apollo 13 also flew to the moon, using a figure-8 flight path and planned stages similar to those of Apollo 11. However, 13’s journey took only 5 days, 22 hours, 54 minutes (though they did set a record for the furthest distance from Earth by humans in the process).
Of course, you won’t be facing any critical explosions in space during your FedRAMP Ready timeline. But just as with the Apollo missions to the moon, it may be just as difficult to confirm a set duration for your FedRAMP journey.
When it comes to FedRAMP Ready, the number of variables that can complicate the process makes it difficult to say with confidence how long your experience will take.
But as a Third Party Assessment Organization (3PAO) qualified to perform these assessments, we can do a little better than vague. In this article, we will break down the four phases of the FedRAMP Ready process.
That way, you’ll have a better idea of what’s to come should you decide to pursue this route of a formal FedRAMP Ready designation in the FedRAMP Marketplace. After reading, you’ll understand how the process works and what to expect during each stage.
The 4 Phases of the FedRAMP Ready Process
Before we dive in, we want to be clear: your level of effort and schedule will be largely determined by the complexity of your systems, your resources, and your cloud service offering (CSO), among other things.
Apollo 11 stopped at the moon, which extended their mission timeline. Due to critical hardware failures, Apollo 13 did not—hence, that operation was shorter. Similarly, there will be factors that come into play at different parts of the process that will have different effects on your experience.
With all that said, the FedRAMP Ready process can be broken down into the following stages from beginning to end.
Phase 1: Preparation for Your FedRAMP Ready Assessment
As with every audit, we begin with preparation—arguably the most important phase of all.
Though a Ready Assessment does not ask you to meet all the FedRAMP requirements, the ones you do need to meet are no walk in the park either. During this preparation phase, you—the cloud service provider (CSP)—will need to design, build, and stand up your CSO in an operational state before your 3PAO assesses it against those requirements.
- As you pay attention to the technical implementations required by FedRAMP, don’t forget about the similarly important documentation aspect.
- The FedRAMP Program Management Office (PMO) will not expect to see 100% completion of your System Security Plan (SSP), policies, and procedures during the Ready Assessment.
- However, the PMO may consider the level of completeness a factor in their decision-making process when determining whether your CSO is FedRAMP Ready.
The timeline for getting fully prepared to become FedRAMP Ready is extremely variable based on several factors, including things like:
- The complexity of the engineering that’ll be needed to get your CSO compliant with the High or Moderate Ready requirements; and
- The quantity and experience of your personnel dedicated to the FedRAMP Ready effort.
Depending on where your CSO fits on this scale, it can take anywhere from one to six months before your CSO may be prepared for FedRAMP Ready.
Phase 2: Your FedRAMP Ready Assessment by a 3PAO
Once your CSO is “fully operational,” you can then bring in a 3PAO to conduct your Ready Assessment.
During this phase, your 3PAO will evaluate the CSO’s technical, management, and operational capabilities using a combination of methods, including:
- Interviews of your personnel;
- Observation of your CSO in action (including live demonstrations);
- Examinations of your CSO against the technical and documentation requirements; and
- On-site visits (e.g., in-person interviews and data center visits as needed).
As your assessment progresses, the 3PAO will need to:
- Gather and review evidence;
- Review discovery scans to validate your authorization boundary; and
- Complete the Readiness Assessment Report (RAR) template.
This phase can typically take anywhere from 4-6 weeks—again, it depends on the complexity of the system and FedRAMP impact level of the CSO (i.e., Moderate or High).
Phase 3: The PMO’s Review of Your Assessment Results
Once your Ready Assessment is complete, your 3PAO will submit the completed RAR to the FedRAMP PMO to be placed in their review queue.
As noted within the 3PAO RAR Guide, “if the queue is extensive, the PMO will send the CSP and 3PAO an email to set expectations regarding approximate review timeframes (e.g., 2 weeks, 4 weeks, etc.).”
However, that timeframe is based on the estimated time it will take the FedRAMP PMO to begin the review of the RAR—it does not reflect the time it will take the PMO to complete the review.
The time it takes the PMO to review the RAR will be dependent on several factors, such as:
- The complexity of the system;
- The maturity of the CSO’s diagrams; and
- Any identified gaps.
Once their review is complete, the PMO will either:
- Issue your Ready designation immediately; or
- Schedule a review meeting with you and your 3PAO. That meeting will address all of the PMO’s outstanding questions and will allow you to provide clarifications as necessary.
In our experience thus far, we have seen PMO reviews completed in as little as one week and take as long as one month.
Phase 4: Remediation (If Applicable)
If you do fall into the latter scenario of a review meeting, you’ll need to remediate and address the PMO’s concerns.
After you make all the necessary changes and remediation is complete, your 3PAO will then revise the RAR with the appropriate updates. That new RAR will be resubmitted and you’ll restart phase 3, as you’ll land back in the PMO’s review queue once again.
Having to go backward can feel deflating, but there is good news.
When possible, the PMO will prioritize RARs that have already undergone an initial review whose updated version has been submitted by the 3PAO. If the PMO then determines that your updated RAR has sufficiently addressed their concerns, your CSO will be listed as FedRAMP Ready on the FedRAMP Marketplace shortly thereafter.
Moving Forward with FedRAMP Ready
Getting FedRAMP Ready represents one possible route to FedRAMP Authorization, and now you know how that process will work—from standing up your CSO through your Ready assessment, possible necessary remediation, all the way through to that formal Ready Designation.
As you continue onward toward full FedRAMP Authorization, make sure to read these articles. No matter where you are on the road to FedRAMP, they can help you both solidify a direction and streamline your experience:
- How to Become FedRAMP Authorized: The 2 Approaches
- 5 Common Pitfalls when Pursuing FedRAMP Authorization
- Which of the NIST SP 800-Series Publications Should You Follow?
If you’ve already decided on becoming FedRAMP Ready and you’d like to talk through some of your critical variables that might affect your process, please reach out to us. We’re happy to have a conversation that will paint a clearer picture of what this path would look like for your organization.
About Matt Hungate
Matt Hungate is a Senior Manager with Schellman based in Charlottesville, VA. Prior to joining Schellman in 2019, Matt worked as a Cybersecurity Consultant for a large advisory firm, where he specialized in strategy and assessment services for NIST SP 800-53 and FedRAMP. Matt also led and supported various other projects, including the development of an enterprise-wide cybersecurity strategy and cloud transition plan for a large federal agency. Matt has over 5 years of experience serving clients in both the private and public sectors, and his credentials include the CISSP, CISA, and CPA. Matt is now focused primarily on FedRAMP assessments for organizations across various industries.