
What is the Timeline for the FedRAMP Process?

Ever watched Jeopardy? Even if you haven’t, you’re likely familiar with the theme music that plays every time contestants deliberate over their answers. The tune is so well known that it has become shorthand for waiting on a conclusion that takes quite a while.

Pursuing authorization under the Federal Risk and Authorization Management Program (FedRAMP) is one such drawn-out conclusion. It takes time to complete this process, but how much? How long will the Jeopardy theme play?

Before you commit to achieving a FedRAMP Authorization to Operate (ATO), it helps to know what you’re getting yourself into. As a Third Party Assessment Organization (3PAO) with the second-most completed assessments on the FedRAMP Marketplace, we have walked over 80 organizations through this journey, and now we want to give organizations considering the same path some important insight.

In this article we outline the anticipated timeline for what we’ve separated into 4 major phases of FedRAMP: development and preparation of your system, agency sponsorship, execution of the security assessment, and the review(s) that yield an ATO. We also cover the continuous monitoring responsibility that comes with an authorized system.

As things move along during your FedRAMP journey, it may—at times—feel like one long pregnant pause with the Jeopardy theme playing. But having read this, you’ll have an understanding of how to get from cradle to grave in the FedRAMP process so you’ll know for sure what step is coming next while you wait.

What is FedRAMP?

Just to lay the groundwork, here’s what you need to know about FedRAMP:

  • It’s geared toward Cloud Service Providers (CSPs) that want to do business with the U.S. federal government.
  • The standard is designed to safeguard cloud systems with security commensurate to the sensitive data that may be stored, processed, managed, and transmitted within the system.
  • Each system that is assessed has a Federal Information Processing Standard (FIPS) 199 security categorization (impact level) of High, Moderate, or Low, determined by the data it stores, processes, or transmits. The number of security controls varies considerably by impact level:

  • Low (125 base controls): A tailored subset of the Low baseline, FedRAMP Tailored for Low-Impact Software as a Service (LI-SaaS), exists for qualifying SaaS offerings. Depending on your sponsoring agency’s risk tolerance, the agency may add controls that must be implemented and may also add prescriptiveness to the base controls.

  • Moderate (325 base controls): This is the most common assessment we see as 3PAOs. Because of the sheer number of base controls, these often do not require any additional tailoring or controls from your agency. (There are exceptions, the most common being assessments performed in support of an authorization from a Department of Defense (DoD) component.)

  • High (423 base controls): These are the second most common type, with the same caveat that your agency may require additional controls.

There are two ways to get FedRAMP ATO—through either agency sponsorship or the Joint Authorization Board (JAB). Since the agency route is more common, we’ll proceed through the phases of the process assuming you’ll be going that way too. 

The 4 Phases of FedRAMP

Phase 1: System Development and Preparation

Once you’ve determined your impact level, you can proceed through the four phases of FedRAMP, starting with developing your Cloud Service Offering (CSO). The time this takes depends on the complexity of the system, but know that building the system with a defense-in-depth methodology from the outset is extremely important if you don’t want to extend your timeline considerably.

FedRAMP assessments are among the most difficult, longest, and most expensive assessments a CSP will undergo, so developing your CSO with the NIST SP 800-53 controls in mind can prevent considerable rework or, worse, rearchitecting of your environment to meet the “spirit” of the FedRAMP controls. If your system is already developed, consider performing (or having someone perform) a gap assessment to understand whether you truly meet FedRAMP requirements before moving forward.

In some cases, hiring an experienced advisor can shorten this timeline—these consultants have interacted with the FedRAMP Project Management Office (PMO) and understand the federally mandated “showstoppers” (a.k.a. things that will derail your ATO).

Phase 2: Agency Sponsorship

In any case, once your offering is ready to go live, you’ll need to secure an agency sponsor. Without one (or, as mentioned earlier, authorization from the JAB), the furthest you can get is FedRAMP Ready status, which is not an ATO. FedRAMP Ready means a 3PAO has attested that your system meets the federal mandates at either the Moderate or High baseline, but you still need an agency sponsor to move forward to In Process and eventually Authorized.

Because success with an agency looks different for everyone, we can’t accurately provide a timetable for how long this will take.

Phase 3: Security Assessment – 7-9 Weeks (Approximately)

But once you do secure an Agency sponsor, you can now proceed through a full initial FedRAMP Security Assessment, and we can provide a rough timeline for that.

Before you get started, you’ll need an American Association for Laboratory Accreditation (A2LA) accredited 3PAO like Schellman to perform the assessment. The full FedRAMP security assessment, which culminates in the Security Assessment Report (SAR), can be broken into the following stages:

Security Assessment Plan (SAP) – 1 Week

The 3PAO drafts the SAP and submits it to the CSP for approval. In some instances, the sponsoring agency will also request a review prior to finalizing. Once finalized, the SAP is signed by the 3PAO and the CSP. This step is critical because the SAP defines the assessment activities and includes key items such as the Rules of Engagement.

At this stage, the CSP is expected to have provided certain audit evidence, such as the System Security Plan (SSP), the system inventory, and other items required to populate the SAP template.

Control Owner Interviews – 1-2 Weeks

Once the SAP is in place, remote or in-person interviews and evidence collection through live screen shares will take place.

Interviews can range from one to two weeks depending on the complexity of the system and the FIPS 199 baseline. The requisite penetration testing also kicks off during this time, after the details are coordinated and the proper authorizations are in place.

Evidence Analysis, Controls Testing and Penetration Testing – 6-8 Weeks

At this point, your 3PAO begins in-depth testing, analyzing both the evidence you submitted and what they collected live, including vulnerability scans and compliance scans. The penetration test continues through this stage of the assessment.

(As a 3PAO, Schellman has a “no surprises” policy, which means we notify our clients of any findings throughout the interview and testing process. We believe this is important, as you’ll want to remediate as many findings as possible before delivery and finalization of the SAR.)

SAR and Risk Exposure Table Delivery – 2 Weeks

Once testing is wrapped up, your 3PAO will provide a draft SAR as well as the Risk Exposure Table documenting the findings from the assessment. Ensure that any remaining supplemental control implementations (mitigating factors) are brought to your 3PAO’s attention to help reduce or mitigate the documented risks. Once you and your 3PAO are in agreement, the SAR is finalized and provided to the sponsoring agency and the FedRAMP PMO for their respective reviews.

Phase 4: Agency Review and PMO Review – 6-8+ Weeks

After the assessment is complete and the SAR is finalized, the SAR and its supporting details are submitted as the “authorization package” to the sponsoring agency and the FedRAMP PMO for their respective reviews.

Given the number of CSPs pursuing FedRAMP ATO, it's common that a sponsoring agency and the FedRAMP PMO have a number of packages in their queue for review. Because of this and depending on the sponsoring agency, the completion of both reviews can take more than six to eight weeks.

After completion of the reviews, there will be a meeting that includes the FedRAMP PMO, your sponsoring agency, 3PAO and you as the CSP to review feedback from the FedRAMP PMO and discuss any questions. This review often results in a revision of the SAR to ensure that all are in agreement with the results and the details contained within.

Once updated, the SAR and any other supporting documentation that has been updated are submitted to the PMO for an additional review. The ideal outcome from the resubmission is to receive an email notification within a few weeks from the FedRAMP PMO letting you know that your CSO has been granted an ATO. The ATO will allow you to provide your CSO to your sponsoring agency, and it will be listed on the FedRAMP Marketplace with its applicable ATO. Given the number of variables that factor into the review process, the duration can vary widely based on the queue mentioned above and the feedback received.

Next Steps for FedRAMP ATO

At this point, you may believe you’re done—the Jeopardy theme will stop playing, the conclusion having been reached. But as long as your CSO is providing services to a federal agency, you will be subject to the annual assessment requirement to assess a subset of the full initial controls—this usually takes 10 – 12 weeks from start to finish, so it's a little shorter than the full assessment.

In any case, the process of getting FedRAMP ATO is neither easy nor short, as you now understand. Just the assessment and review periods can take more than three months each, and that doesn’t factor in time spent preparing your offering, however long that may take. No matter what, you’ll need to ensure you have enough time and expertise to get your CSO up to standard so that all your efforts end successfully.

To learn more about FedRAMP, read our other content that can help you further simplify your approach and experience:

About Andy Rogers

Andy Rogers is a Senior Associate with Schellman based in Indianapolis, IN. Prior to joining Schellman in 2021, he worked as a cybersecurity consultant for a government aeronautics company specializing in UAVs, satellites, and FedRAMP audits. He has over 17 years of experience serving clients in various industries, including health insurance, nuclear energy production, government contracting, IT services, and tactical aircraft manufacturing, and is now focused primarily on FedRAMP assessments for organizations across industries.