In September, the FedRAMP Program Management Office (PMO) published an article addressing the costs associated with going through FedRAMP. The average came out to $3,250,000. This figure includes work hours and component costs for engineering the system, developing system documentation, the 3PAO assessment of the system, FedRAMP JAB review and annual continuous monitoring. The article also gives a range for the entire process of $500,000 to $4,000,000.
While this estimate seems like a fairly scary number, there are some important things to note that will help frame FedRAMP costs into something more manageable for a cloud service provider (CSP).
Think of FedRAMP as an overlay applied to the Risk Management Framework (RMF) from NIST, which is a six-step approach to cyber security. This framework is built from cyber security best practices, and cost-effectiveness is one of the driving factors behind the security control implementation in the framework. These best practices are things that a prospective FedRAMP CSP is likely already doing, or planning to do. The idea is that while there may be a front-end cost, the ongoing cost will be much lower. This is due to RMF’s heavy focus on automation and eliminating duplication of effort, and to one of the key goals of the FedRAMP process, a “do once, use many times” model, which further promotes cost effectiveness.
For instance, a SIEM can cost $1,000 to $150,000 or more. However, it will save time and money by automating event management, and pushing alerts for key events to members of the security team, narrowing their focus to more legitimate threats and more critical systems.
Further illuminating the idea of security best practices is the continuous monitoring component of the FedRAMP breakdown. Continuous monitoring is generally done through a combination of manual effort and automated tasks. The goal is to ensure that a system’s security controls are in proper working order, and to monitor the security risks present on the system. Again, automation helps to reduce the associated costs, and the monitoring itself can help identify and mitigate potential issues long before they become costly security events.
FedRAMP is working on ways to cut these costs with a new program: FedRAMP Accelerated. FedRAMP Accelerated includes a FedRAMP readiness assessment, which involves a FedRAMP accredited 3PAO conducting a readiness assessment of a CSP’s working system and producing a Readiness Assessment Report (RAR). The RAR is used to tell FedRAMP and the CSP how likely the CSP is to attain an ATO in their current state. According to this article, FedRAMP expects most CSPs to fail their first readiness assessment. But this is a good thing because even a failed RAR helps a CSP determine where it stands as far as achieving an ATO. With a failed RAR, the CSP can focus its efforts on the pieces it’s lacking, and better prioritize its efforts, instead of flying blind. The RAR functions in much the same way as a gap analysis. A CSP that has a favorable RAR is called “FedRAMP Ready,” and only favorable RARs are submitted with the attestation to FedRAMP.
With FedRAMP Accelerated, the process will take less than six months from start to finish, and as little as three months. This is down from the previous one to two year figures CSPs could expect with the old format. It is worth noting that the sample used in the initial FedRAMP costs article is collected only from CSPs that went through the much lengthier old process.
This new process probably isn’t going to save a CSP as much money as FedRAMP seems to think it will — though it will definitely save time and money for the FedRAMP PMO. It won’t save a CSP anything on the actual technology costs, or on the cost of the test event itself. The test event is going to take the time it takes no matter what; that part is inflexible for any given CSP. The requirements of FedRAMP are still the same as they were before. However, these security controls are security best practices, and they are built from a model with a heavy focus on cost-effectiveness: NIST’s RMF. Implementing the security controls should make it cheaper to maintain a system (due to the focus on automation), and should avoid costly security events through continuous monitoring. However, there is going to be a relatively immutable cost on the front end for technology and implementation. Any money saved will come from the narrower focus brought on by the readiness assessment, from removing the need for several full test events, and from the accelerated timeline for getting an ATO.
It should save money on the assessment process, but not on the test event, because there is less back and forth with the JAB TRs. It will also help a CSP focus its engineering efforts through the readiness assessment, which may save time and money. Ultimately, however, we won’t know exactly how much time and money is saved until a CSP goes through the process. Some CSPs that are going through the program now will have their ATO renewed by November or December.
While the costs quoted in the FedRAMP article may seem high, there are many factors to consider before balking at the prospect of entering the FedRAMP CSP space. The engineering and continuous monitoring costs, while relatively static, cover many controls derived from cyber security best practices, which a prospective FedRAMP CSP may already be implementing. In other words, those controls carry no additional cost specific to FedRAMP, since the CSP would already have implemented them as part of its SDLC. The RMF and FedRAMP process have a heavy focus on automation, which reduces ongoing costs by cutting work hours and shifting security personnel’s focus to key security threats.
Finally, the figures in FedRAMP’s initial article were derived from a sample composed entirely of systems that went through the older and much longer FedRAMP process. While these factors work together to make the cost of doing business in a FedRAMP space much more manageable, we don’t know enough yet to determine what actual savings will be gained from FedRAMP Accelerated.