The Timeline to Different Stages of a FedRAMP Assessment

FedRAMP | Federal Assessments

One of the questions that we get the most often when we're talking about Federal assessments is how long does it take to get through the assessment process and what happens afterward to actually get to FedRAMP authorization?

In this video, we discuss some of those specifics relative to the stages of the FedRAMP Assessment. To learn more about these different stages you can watch Doug Barbin's video: The Phases to the FedRAMP Process.

Stage One

We have stage one and stage two. Stage two is where we do the bulk of the interviews and the technical reviews of evidence. The start of stage two is the interview week, and we use that week as the foundation for the rest of the schedule and timeline. We essentially work backward from the interview week to build the stage one schedule.

Counting back eight weeks from the interview week, we deliver the information request list (IRL). This is a list of the evidence and artifacts that you need to provide to us across both stages of the assessment so that we can execute our testing. There are a few other milestones that happen during stage one. One of those is a couple of two- to three-week periods in which you collect the evidence we are requesting for stage one and provide it to us.

From there, we move into about one to two weeks of reviewing that documentation and documenting it in the security assessment plan, or SAP, which we then provide to you. During that time, we may perform some interviews and some authorization boundary reviews to make sure we understand the scope of your boundary for the assessment, to ensure that we have requested the right information, and to complete the SAP for stage one.

In stage one, we're looking at:

  • Policies
  • Procedures, and
  • All of the appendices or attachments of your system security plan

Stage Two

In stage two, we are looking at more technical evidence:

  • Configurations
  • Specific alerts
  • Logs or output from those alerts and logs

The due dates will be adjusted so that you have the appropriate due date for your stage one evidence versus your stage two evidence. That allows you to get a head start on stage two evidence collection, because traditionally it is a bit more technical and requires tapping additional resources and additional teams, perhaps outside of the compliance team that we might normally interface with.

Once we start the stage two process, since you already have the IRL, you will submit the requested evidence to us, and we will then hold the interview week.

The interview week sets up the remainder of stage two, which is the bulk of our testing, and so we will interview your subject matter experts.

Here we want to:

  • Understand how controls are actually implemented
  • Ensure that there is consistency between your documentation, what we hear in interviews, and what we see in the evidence that we requested and that you provided

We have one week of interviews. It is traditionally four days, and we use the extra day to do some cleanup.

Remote Testing

From there we move into four to five weeks of remote testing, where we do deep dives into all of the evidence provided. We document those testing procedures in our test case procedure workbook, which is a deliverable within the FedRAMP program, and then we deliver the draft SAR (security assessment report). Throughout this life cycle we hold weekly status meetings, and we have a no-surprises policy: if we think there is an issue, we will let you know, because we want to make sure there is an opportunity either to better understand it or for you to resolve it during testing. Once we provide the draft report, you have an opportunity to review it for any updates; maybe there was an inconsistency, or maybe you thought that something had been remediated. That gives us an opportunity to resolve any of those issues and make clarifications before we provide the final report. We do not provide the final report until you give us approval to do so. We want to make sure that all parties are happy.

After The Final Report is Delivered

The last piece of this is what happens after we deliver the SAR. All of the right people have the report in hand, but the timeline from here can vary. For an initial assessment, the report typically goes to your authorizing agency. They take however much time they need to review the report and ask any questions of you as the cloud service provider, and then we may meet with them to answer questions about the report and about our testing.

Then they will issue an agency authorization. Once that agency authorization is issued, the report and the authorization go to the FedRAMP program management office (PMO), and they start their FedRAMP review, which is another level of review. There is typically a meeting associated with that, where they review the package and provide comments, feedback, or questions. Both the cloud service provider (you) and Schellman as the 3PAO will resolve those comments and go to the meeting prepared to discuss any questions they may have, or to say, "these are the updates that have been made as a result of the feedback received." At that point, you will receive the FedRAMP authorization.

The question is how much time that takes, and it really depends on the level of effort the agency puts into reviewing the package to issue that authorization, and then on what the FedRAMP PMO queue looks like, because they are reviewing many, many organizations and packages, from FedRAMP RARs to initial assessments and annual assessments. Sometimes their queue has a bit of a backlog, so the timing depends on what those backlogs look like across all the parties.

In summary, for an initial assessment it is about three to four months of actual assessment time from the time that we issue the first information request list to the time that you get the final security assessment report, or SAR. From there, it goes into the government's queue and moves at the speed they are able to work.

If you have questions about our timeline, about how your situation or scenario impacts the timeline, or about how to move into the next steps, contact us: fill out the contact form on the website and a member of our federal team will reach out to you.

About Marci Womack

Marci Womack is a Managing Director in Schellman’s Federal Practice overseeing both the emerging CMMC assessment program and the established FedRAMP assessment program. Marci also serves as the 3PAO (third party assessment organization) representative on the Federal Secure Cloud Advisory Committee (FSCAC). Prior to joining Schellman in 2016 as a senior associate, Marci worked as a federal contractor implementing and assessing federal cybersecurity programs, as well as an FFIEC/GLBA security controls assessor and consultant. Marci has over 10 years of information security experience across various industries and holds many key certifications, including CISSP, CISA, and CEH. Marci is also experienced in other frameworks, including StateRAMP, CJIS, MARS-E, IRS 1075, and GLBA (FFIEC).