What is the Timeline for the FedRAMP Process?
Ever watched Jeopardy? Even if you haven’t, you’re likely familiar with the iconic theme music that plays every time contestants deliberate over their answers—it’s such an iconic tune that it’s become synonymous with waiting for a conclusion that takes quite a while.
Achieving compliance with the Federal Risk and Authorization Management Program (FedRAMP) is one such drawn-out conclusion: it takes time to complete this process, but how much? How long will the Jeopardy theme play?
Before you commit to achieving FedRAMP Authority to Operate (ATO), it’d be helpful to know what you’re getting yourself into. As a Third Party Assessment Organization (3PAO) with the most completed assessments on the FedRAMP marketplace, we have walked over 110 organizations through this journey, and now we want to provide organizations considering the same with important insight.
In this article we will outline the anticipated timeline for what we’ve separated into 4 major phases of FedRAMP—these include the development and preparation of your system, agency sponsorship, execution of an assessment, and the review(s) that yield Authority to Operate (ATO), as well as the continuous monitoring responsibility for your authorized system.
As things move along during your FedRAMP journey, it may—at times—feel like one long pregnant pause with the Jeopardy theme playing. But having read this, you’ll have an understanding of how to get from cradle to grave in the FedRAMP process so you’ll know for sure what step is coming next while you wait.
What is FedRAMP?
Just to lay the groundwork, here’s what you need to know about FedRAMP:
- It’s geared toward Cloud Service Providers (CSPs) that want to do business with the U.S. federal government.
- The standard is designed to safeguard cloud systems with security commensurate to the sensitive data that may be stored, processed, managed, and transmitted within the system.
- Each system that is assessed has an applicable Federal Information Processing Standard (FIPS) 199 risk designation of High, Moderate, or Low depending on the data being processed. These risk levels have considerable variance in the number of security controls:
| Risk Category | Details |
|---|---|
| Low Risk (Li-SaaS / Tailored) | Number of base controls: 156. Many of these lower-risk assessments are tailored: depending on your sponsoring agency's risk tolerance, they may add controls that must be implemented, and they may also add prescriptive requirements for the base controls. |
| Moderate Risk | Number of base controls: 323. This is the most common security assessment we see as 3PAOs. Because of the sheer number of base controls, these often do not require any additional tailoring or controls from your agency. (There are exceptions, the most common being assessments performed in support of an authorization from a Department of Defense (DoD) agency.) |
| High Risk | Number of base controls: 410. These are the second most common type, with the same caveat that your agency may require additional controls. |
There are two ways to get FedRAMP Authorized—through either agency sponsorship or the Joint Authorization Board (JAB). Since the agency route is more common, we’ll proceed through the phases of the process assuming you’ll be going that way too.
The 4 Phases of FedRAMP
Phase 1: System Development and Preparation
Once you’ve determined your risk designation, you can proceed through the phases of FedRAMP, starting with developing your Cloud Service Offering (CSO). The time this takes varies with the complexity of the system, but know that using a defense-in-depth methodology when building the system is extremely important if you don’t want to extend your timeline considerably.
Because FedRAMP assessments are among the most difficult, longest, and most expensive assessments, developing your CSO with the NIST SP 800-53 controls in mind can prevent considerable rework or, worse, a necessary rearchitecting of your environment to meet the “spirit” of the FedRAMP controls. If your system is already developed, you may want to perform a gap assessment, or have someone perform one, to understand whether you are truly meeting FedRAMP requirements before moving forward.
In most cases, hiring an experienced FedRAMP advisor can shorten this timeline—these consultants have interacted with the FedRAMP Project Management Office (PMO) and understand the federally mandated “showstoppers” (a.k.a. things that will derail your authorization). An authorized 3PAO Advisor can provide invaluable guidance on how to meet FedRAMP mandates, which a 3PAO assessor cannot.
Phase 2: Agency Sponsorship
In any case, once your offering is ready to go live, you’ll need to secure an agency sponsor. Without one—or, as we mentioned earlier, authorization from the JAB—the furthest you’ll be able to get is FedRAMP Ready status, which is not an authorization. (If you’re FedRAMP Ready, you’ve proven you have a system meeting the federal mandates and ready for a Security Assessment at either the Moderate or High baseline but will still need an agency sponsor to move to an In Process and eventually Authorized status).
Because success with an agency looks different for everyone, we can’t accurately provide a timetable for how long this will take.
Phase 3: Security Assessment – 7-10 Weeks (Approximately)
Once you secure an agency sponsor, you can proceed through a full initial FedRAMP Security Assessment, and for that we can provide a rough timeline.
FedRAMP has moved to NIST SP 800-53 Rev 5, which added controls to and removed controls from the baselines; the baselines also carry additional requirements that are new and may extend your readiness timeline. Check out our article explaining some of the most important changes here.
(It's particularly worth noting that FedRAMP added a Red Team exercise requirement. Along with the standard FedRAMP Penetration Test, FedRAMP mandated for all Rev 5 assessments an annual Red Team exercise—not only does this go above and beyond what was required previously with Rev 4, but as more guidance comes out on this requirement it could extend this timeline considerably.)
Anyway, before you get started, you’ll need an American Association for Laboratory Accreditation (A2LA) accredited 3PAO like Schellman to perform the assessment—the full FedRAMP Security Assessment Report (SAR) process can be broken into the following stages:
| Stage | Duration | What happens |
|---|---|---|
| Security Assessment Plan (SAP) | 1 week | The 3PAO drafts the SAP and submits it to the CSP for approval. In some instances, the sponsoring agency will also request a review prior to finalizing. Once finalized, the SAP is signed by the 3PAO and the CSP. This step is critical, as the SAP defines the assessment activities and includes key items such as the Rules of Engagement. At this stage, the CSP is expected to have provided certain audit evidence, such as the System Security Plan (SSP), the system inventory, and other items required to populate the details of the SAP. |
| Control Owner Interviews | 1-2 weeks | Once the SAP is in place, remote or in-person interviews and evidence collection through live screen shares take place. Interviews can range from one to two weeks depending on the complexity of the system and the FIPS 199 baseline. The requisite penetration testing also kicks off during this time, after the details are coordinated and the proper authorizations are in place (as of the writing of this article, clear guidance on the Red Team exercise is still being fleshed out). |
| Evidence Analysis, Controls Testing and Penetration Testing | 6-8 weeks | At this point, your 3PAO begins in-depth testing, analyzing both the evidence you submitted and what they collected live, which includes vulnerability scans and compliance scans. The penetration test continues through this stage of the assessment. (As a 3PAO, Schellman has a “no surprises” policy, which means we notify our clients of any findings throughout the interview and testing process. We believe this is important, as you’ll want to remediate as many findings as possible before delivery and finalization of the SAR.) |
| SAR and Risk Exposure Table Delivery | 2 weeks | Once testing is wrapped up, your 3PAO provides a draft SAR as well as the Risk Exposure Table documenting the findings from the assessment. Ensure that any remaining supplemental control implementations (mitigating factors) are brought to your 3PAO’s attention to help reduce or mitigate the documented risks. Once you and your 3PAO are in agreement, the SAR is finalized and provided to the sponsoring agency and the FedRAMP PMO for their respective reviews. |
Phase 4: Agency Review and PMO Review – 2-6 months
After you’ve completed the assessment and the SAR is finalized, the SAR and its supporting details are submitted as the “authorization package” to the sponsoring agency and the FedRAMP PMO for their respective reviews.
Your sponsoring agency should review the SAR package at this point and hopefully grant an agency Authority to Operate (ATO), which will then kick off a FedRAMP PMO detailed technical review of the assessment.
Given the number of CSPs pursuing FedRAMP authorization, it’s common that a sponsoring agency and the FedRAMP PMO have a number of packages in their queue for review. Because of this and depending on the sponsoring agency, the completion of both reviews can take between 2 and 6 months.
After completion of the PMO review, there will be a meeting that includes the FedRAMP PMO, your sponsoring agency, 3PAO, and you as the CSP to review feedback from the FedRAMP PMO and discuss any questions. This review often results in a revision of the SAR to ensure that all are in agreement with the results and the details contained within.
Once updated, the SAR and any other supporting documentation that has been updated are submitted to the PMO for an additional review. The ideal outcome from the resubmission is to receive an email notification within a few weeks from the FedRAMP PMO letting you know that your CSO has been granted FedRAMP Authorized. The authorization will allow you to provide your CSO to other agencies, and it will be listed on the FedRAMP Marketplace as FedRAMP Authorized with its applicable agency ATO. Given the number of variables that factor into the review process, the duration can vary widely based on the queue mentioned above and the feedback received.
Next Steps for FedRAMP ATO
At this point, you may believe you’re done—the Jeopardy theme will stop playing, the conclusion having been reached. But as long as your CSO is providing services to a federal agency, you will be subject to meeting all continuous monitoring requirements, which include the annual assessment requirement to assess a subset of the full initial controls as well as the annual penetration test—this usually takes 10 – 12 weeks, plus potentially the time it takes to do a red team exercise.
In any case, the process of getting FedRAMP ATO is neither easy nor short, as you now understand. Just the assessment and review periods can take more than three months each, and that doesn’t factor in time spent preparing your offering, however long that may take. No matter what, you’ll need to ensure you have enough time and expertise to get your CSO up to standard so that all your efforts end successfully.
About Andy Rogers
Andy Rogers is a Lead Senior Associate with Schellman based in Indianapolis, IN. Prior to joining Schellman in 2021, Andy Rogers worked as a Cyber Security Consultant for a government aeronautics company specializing in UAVs, satellites, and FedRAMP audits. Andy Rogers has over 20 years of experience serving clients in various industries, including health insurance, nuclear energy production, government contracting, IT services, and tactical aircraft manufacturing. Andy Rogers is now focused primarily on FedRAMP, assessing organizations across various industries.