What Does it Mean to Be FedRAMP Ready?
Self-help guru Tony Robbins once said that "the meeting of preparation with opportunity generates the offspring we call luck."
Becoming FedRAMP authorized is less luck and more work, but it is true that meeting this opportunity with solid preparation can mean a greater chance of success.
The “opportunity” here is obvious—Authorization from FedRAMP allows Cloud Service Providers (CSPs) the lucrative prospect to provide services to the federal government community.
It’s the preparation for the process that requires a lot of your attention, and as a Third Party Assessment Organization (3PAO), we’d like to simplify at least one potential aspect of it—the FedRAMP Ready assessment.
While it can’t gain you Authorization on its own, this assessment represents a big way to bolster your preparation for what can be an extended timeline and a large amount of work.
It’s important to understand the level of effort and resources required to obtain and ultimately maintain a FedRAMP Authorization. So to help you set real expectations, we want to help you better understand how becoming FedRAMP Ready fits into the larger scheme and how it can potentially help you along your own journey.
Because no matter which approach to Authorization you choose—through the Joint Authorization Board (JAB) or an agency—this Ready assessment can and will help you in preparing for the opportunity that is full Authorization.
We’ll explain how.
When to Get FedRAMP Ready
As with most compliance initiatives, this Ready assessment would take place early in your FedRAMP process, and there are some stipulations. We mentioned that there are two approaches to Authorization, and the Ready assessment plays a particularly big part if you’re in one of these three situations:
- If you have found a sponsoring agency, but are not yet ready to be assessed against the entire FedRAMP Moderate or High control baseline, your sponsoring agency may require the Readiness Assessment Report (RAR) before proceeding with the full assessment. (FedRAMP Ready designation can actually only be granted for Moderate and High impact cloud service offerings.)
- If you’re a CSP that is going through the Joint Authorization Board (JAB), the RAR is a prerequisite to that path.
- If you’re a CSP that is pursuing the Agency Authorization route but have not yet found one willing to sponsor your Cloud Service Offering (CSO), a RAR can help you demonstrate your commitment to the FedRAMP process.
As you can see, there’s no getting around a RAR in some cases, whereas in others, taking it on is entirely up to you.
So then why go through with it if you’re not required? Or if you’re bound to this prospect, how will it be helpful?
What is FedRAMP Ready?
Before going any further, we should be clear: though this process was designed to function as a stepping stone to Authorization, it is not a guarantee to achieving Authorization.
(Neither is pursuing a full FedRAMP assessment, for the record.)
With that being said, we maintain that becoming Ready can be a difference maker for you.
Why? Because while the Ready Assessment is not intended to cover the entire FedRAMP control baseline, there is still a considerable level of rigor to it—one that is often underestimated by CSPs that opt to do it.
Among other things, your FedRAMP RAR could address an assortment of topics that touch areas including technical requirements, your policies and procedures, any vendor dependencies, and validation of your Authorization boundary. At a minimum, the FedRAMP Program Management Office (PMO) requires that your 3PAO ensures these three things during your FedRAMP Ready process:
- That your CSO is fully operational prior to the start of the assessment.
- That your CSO has a comprehensive Authorization boundary diagram as well as supporting data flow diagrams.
- That your CSO is compliant with the six federal mandates outlined within the FedRAMP RAR templates.
We wrote more extensively on the requirements for completing a RAR, as well as the process for doing so, in our article here. What you should know for now is that this review is less a rubber stamp and more of a boot camp to prepare for the full assessment.
(If specificity helps, a Moderate RAR covers approximately one third of the controls of a full assessment at the FedRAMP Moderate impact level.)
Whatever your case may be, once your Ready assessment is complete, your RAR will be reviewed by the FedRAMP PMO. If the PMO agrees with your 3PAO’s attestation as to your readiness, you will be formally approved for FedRAMP Ready designation on the FedRAMP Marketplace.
Should You Get FedRAMP Ready?
If the RAR is, in fact, so rigorous, then why do it? Why does it matter if you’re officially designated as FedRAMP Ready?
Ultimately, the decision to pursue (or not pursue) FedRAMP Ready should account for your organization’s unique circumstances, but here are a few considerations to weigh:
Why You Should Get FedRAMP Ready
- Becoming formally designated as Ready will demonstrate to federal agencies that you are committed to the FedRAMP process, and it’ll provide you more visibility to agencies looking to partner. Your CSO’s name on the FedRAMP Marketplace can be used when responding to a government Request for Proposal (RFP) or to initiate sales discussions with agencies.
- It will allow you to “get your feet wet” with the FedRAMP process and requirements, even if the RAR only focuses on a portion of the controls. In other words, you can focus on the critical controls upfront and save everything else until the full assessment.
Potential Drawbacks to FedRAMP Ready
- There’s less flexibility on what kinds of risks will be accepted by the PMO, and that could cause a future roadblock. A sponsoring agency may have different standards for what kinds of risk they’ll accept when undergoing the full assessment, while the PMO must adhere to the RAR requirements outlined earlier.
- A FedRAMP Ready designation is only valid on the Marketplace for twelve months. At the end of that period, if you haven’t yet found an agency sponsor and would like to continue being listed as Ready, then you must undergo (and pay for) another Ready assessment by a 3PAO.
Ready to Get FedRAMP Ready?
Pursuing a FedRAMP Ready designation is your own prerogative.
If you’re confident that your organization is ready for the full FedRAMP assessment and you’ve already found an agency sponsor without the Ready Assessment, then it may be more beneficial for you to bypass the RAR and jump straight in.
But if you fall into one of the three categories we mentioned earlier, then you’ll need to prepare adequately in order to set yourself up for success in becoming FedRAMP Ready.
If you already have questions about how to prepare your organization to obtain a RAR, we’re happy to set up a conversation with you to go over the specifics.
But we understand that FedRAMP is a complicated endeavor, so if you’d prefer to continue your research before deciding one way or the other, read our content that will provide additional clarification on the FedRAMP compliance initiative:
About Matt Hungate
Matt Hungate is a Senior Manager with Schellman based in Charlottesville, VA. Prior to joining Schellman in 2019, Matt worked as a Cybersecurity Consultant for a large advisory firm where he specialized in strategy and assessment services for NIST SP 800-53 and FedRAMP. Matt also led and supported various other projects, including the development of an enterprise-wide cybersecurity strategy and cloud transition plan for a large federal agency. Matt has over 5 years of experience serving clients in both the private and public sectors, and his credentials include the CISSP, CISA, and CPA. Matt is now focused primarily on FedRAMP assessments for organizations across various industries.