Finding Your FedRAMP Consultant: What to Ask and When
In the classic 80s film, The Karate Kid, the legendary Mr. Miyagi trains Daniel LaRusso in the ways of karate. With his mastery and knowledge, Miyagi helps the kid mature and grow into a fighter of great technique and great success. It’s a given that Daniel would not have won the All Valley Tournament without the advice of Mr. Miyagi.
For those of you cloud service providers (CSPs) seeking a FedRAMP Authorization to Operate (ATO), it would probably be nice to have a Miyagi of federal compliance to help you navigate one of the most difficult standards out there.
But that’s what consultants are for—to help you put yourself into a position to provide a cloud service to the government or one of its many agencies.
At this time, Schellman does not provide consulting services for FedRAMP—we are a Third Party Assessment Organization (3PAO), so we would only become part of your process to assess you. Before that though, you need to be ready, and that generally means engaging a consultant.
But you don’t just need a consultant—you need the right one to guide you through this arduous process. Though we don’t provide these services ourselves, we can still point you in the right direction and equip you for the conversations you’ll need to have.
So let us explain why you could use a consultant and how to find the one for you. Given our experience as a 3PAO, we’ve heard from many of our clients about their chosen advisors. Leveraging that feedback, we’ll provide three questions that you should ask anyone you engage with on this front.
That way, you’ll be that much closer to finding the Miyagi who can prepare you for a successful FedRAMP assessment.
Why Do You Need a FedRAMP Consultant?
When searching, you’ll see many firms out there willing to do FedRAMP consulting. But some may not understand the unique difficulties that come with the process, including:
- Dealing with issues that the FedRAMP Program Management Office (PMO) might have with some of your implementations;
- Designing the system to meet the necessary FedRAMP requirements;
- Documenting adequate details in the implementation write-ups; and
- Including necessary specifics to the design diagrams and details, just to name a few.
These are things they need to understand because the consultant you work with will write your system security plan (SSP), policies, and procedures.
Depending on what you contract them to do, that’s a lot of responsibility they assume. As such, the team you work with can, in some cases, be the difference between a recommendation for authorization and a recommendation against it on your path to a FedRAMP ATO.
We speak from experience. As assessors that have come in to validate the work of advisors and organizations together, Schellman’s federal team has witnessed unfortunate missteps that were costly to the firm seeking an ATO.
We’ve seen everything from non-compliant design of a system’s architecture to inadequate documents, policies, procedures, and plans that force CSPs to:
- Push out assessment dates—sometimes in the middle of the assessment—which costs more money; and
- Delay their Security Assessment Report (SAR) by weeks or sometimes even months.
Questions to Ask Your Potential FedRAMP Consultant
Those aren’t small consequences. To help you avoid a similar fate, here are three questions you should ask all the consulting firms you consider.
1. What is the Level of Experience of those Performing the Consulting/Assessing?
It makes sense that a firm would send out their “A-team” for the initial sales call. But you need to make sure that when it comes down to the actual consulting, you’re getting the same individuals and an acceptable level of expertise.
If not, you should be allowed to meet the team doing the work to get a feel for their individual experience before you close the deal. The team you elect to work with needs to be knowledgeable with proven attention to detail.
2. What Should You Expect During the Process?
Ask how they will get to know your system. It’s critical that your consultant understand the purpose of the system and where any federal and other sensitive information resides in your environment, so they should have a process in place for frequent and detailed communication to obtain all of that information from you.
When the assessment begins, your assessors will ask an enormous number of questions because they have to document in granular detail how the system is protected (technical controls) and how personnel are protecting the system (administrative controls).
A good consultant will know the questions that’ll be asked during the assessment. They’ll know what documentation you need to back it up and how you should implement security in particular areas of your system to ensure you meet the spirit of the controls. You should get a good idea of how they would walk you through the process before you commit to a consultant.
3. Do They Have Experience Interacting with the FedRAMP PMO and JAB?
Of course, a consultant may know all those questions because they themselves have experience also assessing or advising CSPs through the entire process.
That kind of familiarity will have given them specific experience with the PMO and/or the Joint Authorization Board (JAB) that could prove very beneficial. That exposure can translate into an understanding of the many issues that may come up during an assessment—called showstoppers in the industry—and make for better preparation against them.
One important thing to note is that you cannot hire the same firm to do your advisory work and your assessment, as FedRAMP requires separation between these two roles. A 3PAO cannot assess a system that it previously advised on.
Other Considerations for Your FedRAMP Consultant
As with most things, much of your decision will come down to price. Compliance isn’t cheap, and you still have to find an assessor too. But while you factor in potential costs, we would caution that cheaper isn’t always better.
Remember, you’re bringing these folks in because you’re investing in this process that will grant you access to work with the government and its agencies. The preparatory process is so involved that it may not be in your best interest to skimp on your consulting service.
By the time you’ve gone through the entire FedRAMP process—all the way to achieving a possible ATO—you will have devoted a significant sum to your infrastructure and systems to meet the guidelines anyway.
You don’t want to have wasted that money or your time only to have to start over, so do your due diligence. Look at reviews of different consultants and ask other CSPs—if you can—about their experiences with them. Getting authorization more quickly and easily thanks to a seasoned and knowledgeable consultant may be worth the extra price.
Moreover, you may even consider hiring a current or previous FedRAMP consultant or assessor as a full-time employee. Some CSPs will bring advisors in-house to assist, manage and direct the development of their FedRAMP program, and it does make the process of managing your system and program far less of a hassle.
Remember, if you do get an ATO, there is an annual assessment requirement as part of continuous monitoring of your system. Having that kind of expertise on staff to interface with your agency, the PMO, and/or your JAB point of contact could ease your navigation of that process over time.
Moving Towards FedRAMP Authorization
Whether they’re in-house or not, working with a solid consultant will make your assessment process easier. Now you understand how their expertise can bring your organization to a level of preparedness where there will be far fewer do-overs in your process. Using those three questions and their context, you’re better equipped to find the right firm to guide you toward FedRAMP authorization.
You are your best advocate in this process, so take special care to review and research your consultant candidates. While they will all present the same goal of getting your ATO, you need to be sure the one you choose will:
- Consult you honestly and with transparency; and
- Give you solid advice and direction on your next steps in the development or assessment process.
And even if you’re now on the way to finding the perfect Mr. Miyagi to guide you, as Daniel LaRusso, to FedRAMP “victory,” you won’t rely on your consultant for everything. Here are three articles that can help you understand even more of what it takes to get FedRAMP Ready:
About Andy Rogers
Andy Rogers is a Lead Senior Associate with Schellman based in Indianapolis, IN. Prior to joining Schellman in 2021, Andy worked as a cybersecurity consultant for a government aeronautics company specializing in UAVs, satellites, and FedRAMP audits. He has over 20 years of experience serving clients in various industries, including health insurance, nuclear energy production, government contracting, IT services, and tactical aircraft manufacturing. Andy is now focused primarily on FedRAMP, assessing organizations across various industries.