
Surviving the FedRAMP After-Party

For cloud service providers, achieving FedRAMP accreditation is a major event worth celebrating. After navigating a sea of documentation, digging deep into your systems and hammering out the details of your security and privacy policies and procedures, you finally have what you need to do business with the federal government.

It’s time to kick back and relax, right?

Not quite.

FedRAMP accreditation is just the first step. It marks the beginning of a CSP’s relationship with the FedRAMP Program Management Office (PMO). And like most relationships, it takes some work.

After receiving accreditation, there are several things a CSP needs to do to keep its authorization current and maintain its status with the federal government.

Continuous Monitoring and Reporting: Initial FedRAMP authorization is not the only time a CSP will go through testing. In fact, ongoing authorization means repeated annual assessments by a third-party assessment organization (3PAO). Firms can select their own accredited third-party organization to perform assessments. However, make sure to vet potential 3PAOs before making a selection, as providers often have different approaches to the assessment process. Assessments will ultimately lead to an annual report that’s filed with the FedRAMP PMO, so CSPs should consider 3PAO partners that will help simplify the reporting process.

Manage development: To continuously meet FedRAMP standards, a CSP needs to take a strategic approach to development. Some system modifications could trigger a re-assessment, so it’s imperative that organizations get organized and work FedRAMP considerations into their development planning.

Collaborate on Incident Response: A FedRAMP-compliant incident response policy and its procedures provide strict guidelines for how and when to inform the FedRAMP PMO in the event of a security incident. If you experience a security incident, make sure to keep the PMO in the loop, in accordance with your established procedures. They can lend their expertise to help ensure that government data stays safe in your cloud.

Build the relationship: Establishing a positive ongoing relationship with the FedRAMP PMO means including it in major decisions regarding your systems. As with your development processes, you need to work FedRAMP approval into major planning initiatives.

The tight regulation and demanding standards of FedRAMP can seem daunting for CSPs that are hoping to establish a relationship with the federal government. But don’t get discouraged — this partner isn’t out of your league!

As a certified 3PAO, trusted thought leader in cyber security and experienced compliance consultant, Lunarline has what it takes to help you run your FedRAMP program smoothly and cost-effectively. To learn more, visit our FedRAMP services page or contact us today. Also, check out our free whitepaper, “Understanding FedRAMP and Choosing the Right 3PAO.” Click here to download the PDF.

About Spence Witten

Spence has somehow survived ten years at start-ups and small businesses without suffering a (major) nervous breakdown. As Lunarline's Director of Federal Sales, Spence actually loves working on proposals. If there were any doubt, this is proof that he is in fact certifiably insane. While his title says "Sales" Lunarline doesn't let him off that easy. We make him do real work, too. Luckily he's a recognized subject matter expert in security policy and loves helping clients navigate their way around tricky security compliance standards. He's also been known to lead a software development initiative or two, though that pretty much always ends poorly for everyone involved. He can be reached at spence.witten@lunarline.com.