Painless FedRAMP Authorization: Four Steps to Follow
March 4, 2020
By Ryan Gilhooley, Enterprise Cloud Solutions Manager
My last column compared the merits of outsourcing FedRAMP authorization with doing it on your own. Many companies have successfully navigated the process on their own. Small independent software vendors (ISVs), however, may find it more advantageous to outsource.
Here are four key areas you should consider when pursuing FedRAMP authorization:
- Sponsorship
- Leadership buy-in
- Knowing the process
- Communication
Sponsorship – FedRAMP authorization follows two paths: a Provisional Authority to Operate (P-ATO) from the Joint Authorization Board (JAB) and an Agency Authority to Operate (ATO). Most ISVs pursue the Agency ATO, which requires agency sponsorship. A sponsor is essential. Without one, you won’t even get far enough to achieve a FedRAMP In Process designation.
Your best bet for sponsorship may be an agency already using your product on-premises. Even after you’ve identified an agency sponsor, your job isn’t over. Your customer is likely not the agency’s Authorizing Official (AO), and only the AO can commit resources and accept risk on the government’s behalf. You’ll have to convince them both early on in the process.
Leadership Buy-In – A company can invest two years and up to $2 million on FedRAMP authorization. That may be a sticking point for executives in a bootstrapped company.
It’s not unusual to spend up to 18 months on the problem with no real results. By that point, a company may have spent more money than it budgeted for, but it has gone too far to turn back. It is then forced to put authorization on the back burner until it can get the resources to keep going with the process.
Make sure to get buy-in from your senior leadership early in the game and make sure they’ll support you throughout the whole process. Help them understand the process and steps involved with security authorization.
Know the Process – Government processes take time. Be prepared for the time it will take on the agency side.
Your filing might get hung up over an honest mistake. After all, your system security plan (SSP) comprises more than 600 pages of documentation. Getting a draft ready for FedRAMP review can take months. Even then, there are various templates for the SSP, and FedRAMP has its preferences. The evaluation process can get bogged down by something as simple as not using the preferred template.
Be prepared to add resources throughout the cycle. FedRAMP authorization is a never-ending process on a three-year cycle, with a major assessment and two partial assessments in the outlying years. Then at year four you’ll face another major assessment. This will require, at a minimum, some sophisticated project management capability.
Communication – You must have solid coordination with your engineering department and cybersecurity compliance departments. You’ll also need regular contact with your Third-Party Assessment Organization (3PAO). If you think you’re going to need the 3PAO in nine months, don’t wait until the eighth month before contacting them.
Early communication extends to the FedRAMP office. The kickoff meeting shouldn’t be the first time they see your information. Changes in compliance requirements happen all the time. You’ll need to stay in touch with the FedRAMP office to ensure you come to them with the most up-to-date information.
Getting through the FedRAMP authorization process in an expeditious manner requires resources who have a high level of expertise. Outsourcing the process from the start to a FedRAMP-savvy company can save time and cost less than putting together a dedicated in-house team — and lets your employees focus on their day-to-day responsibilities.
FedRAMP authorization can be an arduous and costly challenge. Understanding these four elements will help ensure a faster path to authorization.
Learn how to navigate the FedRAMP authorization process faster and with less hassle. Download our Roadmap to FedRAMP eBook now.
This blog is adapted from an article written by immixGroup analyst Lloyd McCoy and published in Washington Technology’s online magazine.
The full article can be found here.