7 Lessons Learned
The FedRAMP Program Management Office (PMO) interviewed small businesses and start-ups who achieved a FedRAMP Authorization about their experience and customer journey. Below are the lessons they shared:
1. Understand how your product maps to FedRAMP
Perform a gap analysis to understand how your current “as-is” environment aligns to the FedRAMP security requirements.
2. Get organizational buy-in and commitment
Executive Leadership and buy-in is important. Keep in mind that pursuing a FedRAMP Authorization requires potential support from technical teams such as system/database administrators, developers, and architects. The FedRAMP Authorization process runs smoothest when these three best practices are followed: a) your executive leadership agrees on the value of pursuing an authorization and provides the necessary directive and investment, b) your team is comprised of staff who are familiar with other forms of IT audits (e.g., SOC, PCI, ISO, etc.), and c) you have support from your organization’s technical teams to meet the federal security requirements as early as possible in the process.
3. Find an Agency partner
Agencies are required to issue an “Authorization to Operate” (ATO) if they are using your product. The ATO is the official management decision given by a senior Federal official to authorize operation of an information system and to explicitly accept the risk to agency operations. The natural Agency partner to work with for a FedRAMP authorization is one that is using your product or is committed to using your product. If you are in need of assistance, the FedRAMP PMO is here to help communicate the associated requirements/roles and responsibilities to your Agency customer.
4. Spend time accurately defining your boundary
An authorization boundary should describe a cloud system’s internal components and connections to external services and systems and account for the flow of all federal information and metadata through the system. It illustrates a CSP’s scope of control over the system in addition to any system components or services that are leveraged from external services or controlled by the customer. As a core component of any FedRAMP System Security Plan (SSP), it is imperative that CSPs understand how to accurately describe and illustrate their cloud system’s authorization boundary. The FedRAMP PMO is available to review and provide feedback on your authorization boundary.
5. Think of FedRAMP as a continuous program, rather than just a project with a start and end date
The initial authorization represents a major milestone, but only represents a system’s risk posture at a single point in time. Security applies throughout the lifecycle of a system; cloud services must be continuously monitored and kept up to date to ensure the appropriate risk posture is maintained.
6. Carefully consider your authorization approach
If you have multiple products, determine if it may be better to pursue authorizations one-by-one rather than all at once. The FedRAMP PMO is here to help walk you through your options.
7. The FedRAMP PMO is here to serve as a valuable resource
Reach out to the FedRAMP PMO to learn more about how to get started with the process, get answers to technical security questions and discuss strategy. We’re here to help!