The Timeline to Different Stages of a FedRAMP Assessment
One of the questions we get most often about federal assessments is how long it takes to get through the assessment process, and what happens afterward to actually reach FedRAMP authorization.
In this video, we discuss some of those specifics relative to the stages of the FedRAMP Assessment. To learn more about these different stages you can watch Doug Barbin's video: The Phases to the FedRAMP Process.
The assessment has two stages. Stage two is where we do the bulk of the interviews and the technical review of evidence. Stage two begins with the interview week, and we use that week as the anchor for the rest of the schedule and timeline: we essentially work backward from the interview week to lay out stage one.
Eight weeks before the interview week, we deliver the information request list (IRL). This is the list of evidence and artifacts you need to provide to us across both stages of the assessment so that we can execute our testing. A few other milestones happen during stage one. One is that you'll have a couple of two- to three-week periods to collect the evidence we're requesting for stage one and provide it to us.
From there, we spend about one to two weeks reviewing that documentation and recording it in the security assessment plan (SAP), which we then provide to you. During that time, we may also perform some interviews and authorization boundary reviews to make sure we understand the scope of your boundary, so that we have requested the right information and can complete the SAP for stage one.
In stage one, we're looking at:
- Procedures, and
- All of the appendices or attachments of your system security plan
In stage two, we are looking at more technical evidence:
- Specific alerts
- Logs, or output from those alerting and logging systems
Once we start stage two, since you already have the IRL, you submit the requested evidence to us, and then we hold the interview week.
The interview week really sets up the remainder of stage two, which is the bulk of our testing: that is when we interview your subject matter experts.
Here we want to:
- Understand how controls are actually implemented, and
- Ensure there's consistency among your documentation, what we're hearing in interviews, and what we're seeing in the evidence we've requested and that you've provided
We allot one week for interviews. Traditionally the interviews take four days, and we use the extra day for cleanup.
From there we move into four to five weeks of remote testing, where we do deep dives into all of the evidence provided. We document those testing procedures in our test case procedure workbook, which is a deliverable within the FedRAMP program, and then we deliver the draft security assessment report (SAR).
Throughout this life cycle we hold weekly status meetings, and we have a no-surprises policy: if we think there's an issue, we'll let you know, so that there's an opportunity either to better understand it or for you to resolve it during testing.
Once we provide the draft report, you have an opportunity to review it for any updates; perhaps there was an inconsistency, or perhaps you believed something had already been remediated. That gives us the chance to resolve any of those issues and make clarifications before we provide the final report. We do not provide the final report until you give us approval to do so, because we want to make sure all parties are satisfied.
After the Final Report Is Delivered
The last piece is what happens after we deliver the SAR. All of the right people have the report in hand, but the timeline from here can vary. For a typical initial assessment, the report goes to your authorizing agency. They take however much time they need to review the report and ask any questions of you as the cloud service provider, and then typically we meet with them to answer questions about the report and about our testing.
They then issue an agency authorization. Once that agency authorization is issued, the report and the authorization go to the FedRAMP program management office (PMO), which begins its own FedRAMP review, another level of scrutiny. There is typically a meeting associated with that review: the PMO reviews the package and provides comments, feedback, or questions, and both the cloud service provider (you) and Schellman as the 3PAO resolve those comments and come to the meeting prepared to discuss any open questions or to explain the updates made in response to the feedback. At that point, you receive the FedRAMP authorization.
How much time that takes depends on the level of effort the agency puts into reviewing the package before issuing its authorization, and then on the state of the FedRAMP PMO queue, because the PMO reviews many, many organizations and packages, from FedRAMP RARs to initial assessments and annual assessments. Their queue can sometimes carry a backlog, so the timing depends on what those backlogs look like across all the parties.
In summary, for an initial assessment it's about three to four months of actual assessment time, from the day we issue the first information request list to the day you receive the final security assessment report (SAR). From there, the package goes into the government's queue and moves at the speed the reviewing parties are able to work.
If you have questions about our timeline, how your particular situation or scenario affects it, or how to move into the next steps, fill out the contact us form on our website and a member of our federal team will reach out to you.
About Marci Womack
Marci Womack is a Director in Schellman’s FedRAMP practice and CMMC technical lead, and is based in Denver, CO. Marci has nine years of information security experience across various industries – cloud services, government, and financial services. In addition to performing numerous FedRAMP assessments, Marci has experience assessing organizations for compliance with other federal frameworks, including NIST SP 800-53, DoD CC SRG, NIST SP 800-171, CJIS, MARS-E, IRS 1075, and GLBA (FFIEC).