SchellmanCON is back! Join us for our virtual conference on March 6 & 7, 2025

Contact Us
Services
Services
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships

The Timeline to Different Stages of a FedRAMP Assessment

FedRAMP | Federal Assessments

One of the questions that we get the most often when we're talking about Federal assessments is how long does it take to get through the assessment process and what happens afterward to actually get to FedRAMP authorization?

In this video, we discuss some of those specifics relative to the stages of the FedRAMP Assessment. To learn more about these different stages you can watch Doug Barbin's video: The Phases to the FedRAMP Process.

Stage One

We have stage one and stage two. Stage two is where we do the bulk of interviews and technical reviews of evidence. The start of phase two is the interview week, and we use that as the foundation for the rest of the schedule and timeline. We will essentially back into stage one which will be based on the interview week.

From the interview week, we will back that up eight weeks and we'll deliver the information request list (IRL). This is a list of the evidence and artifacts that you need to provide to us across both stages of the assessment for us to be able to execute our testing. There are a few other milestones that happen during stage one. One of those is you'll have an opportunity in a couple of two to three-week periods to actually collect the evidence that we're requesting for stage one, and then provide that to us.

From there, we move into about one to two weeks of reviewing that documentation documenting that in the security assessment plan, or the SAP, and then we provide that SAP to you. During that time, we may perform some interviews and some authorization boundary reviews to really make sure we understand the scope of your boundary for the assessment to ensure that we have requested the right information and that we can complete the SAP for stage one.

In stage one, we're looking at:

  • Policies
  • Procedures, and
  • All of the appendices or attachments of your assistant security plan

Stage Two

In stage two, we are looking at more technical evidence:

  • Configurations
  • Specific alerts
  • Logs or output from those alerts and logs
The due dates will be adjusted, so that way you have the appropriate due date for your stage one evidence versus your stage two. And that allows you to get a head start on stage two evidence collection because traditionally it is a bit more technical and requires tapping additional resources and additional teams, perhaps outside of the compliance team that we might normally interface with.

And once we start that stage two process, see have the IRL, you'll submit the requests to us for the evidence, and we will then have that interview week.

The interview week really sets up the remainder of stage two, which is the bulk of our testing, and so we will interview your subject matter experts.

Here we will want to:

  • Understand how controls are actually implemented
  • Ensure that there's consistency in your documentation
  • What we're hearing in interviews, and
  • What we're seeing in the evidence that we've requested and that you've provided

We have one week of interviews. It's traditionally four days, and we use that extra day to do some cleanup.

Remote Testing

From there we move into four to five weeks of remote testing, and so that's where we're doing deep dives of all of the evidence provided. We're documenting those testing procedures in our test case procedure workbook, which is a deliverable within the FedRAMP program, and then from there, we deliver the draft SARs (security assessment report). And throughout this life cycle, we're having weekly status meetings, we have a no-surprises policy. So if we think there's an issue, we'll let you know because we want to make sure that there's an opportunity to either better understand or provide you an opportunity to resolve that during testing. Once we provide the draft report, that gives you an opportunity to review it for any updates, maybe there was an inconsistency or maybe you thought that something was remediated. It gives us an opportunity to resolve any of those issues, make clarifications, and then we'll provide the final report. We do not provide the final report until you give us approval to do so. We want to make sure that all parties are happy.

After The Final Report is Delivered

And then the last piece of this is what happens after we deliver the SAR. All of the right people have the report in hand, but the timeline can vary. And so when we think about this typically an initial assessment, the report goes to your authorizing agency. They take however much time they need to review the report ask any questions of you as a cloud service provider, and then typically we may meet with them to answer questions about the report and about our testing.

And then they will issue an agency authorization. Once that agency authorization is issued, then the report, as well as that authorization goes to the FedRAMP program management (PMO), and they start their FedRAMP review. And it's another level of review. There's typically a meeting associated with that, where They reviewed the package and they provide comments or feedback or questions and both the cloud service provider (you), and Schellman as the 3PAO are going to resolve those comments and go to the meeting prepared to discuss any questions they may have or say, hey, these are the updates that have been made as a result of the feedback received, and at that point, then you'll receive the FedRAMP authorization.

The question is how much time that takes, and it really just depends on how much of a level of effort the agency takes to review the package to issue that authorization, And then what the FedRAMP PMO queue is like because they are reviewing many, many organizations and packages from FedRAMP RARs to initial assessments and annual assessments. So sometimes their queue can have a little bit of a backlog, so it just depends in terms of timing on what those backlogs look like across all the parties.

So in summary, when we think about the assessment process for an initial assessment, it's about three to four months of actual assessment time from the time that we issue that first information request list to the time that you get that final security assessment report or SAR. And then from there, it kind of goes into the queue of the government and the speed that they're able to work.

If you have questions about our timeline or maybe how your situation or your scenario impacts the timeline or you know really how to how to move into the next steps, contact us, fill out our contact us form on the website and a member of our federal team will reach out to you.

About Marci Womack

Marci Womack is a Managing Director in Schellman’s Federal Practice overseeing both the emerging CMMC assessment program and the established FedRAMP assessment program. Marci also serves as the 3PAO (third party assessment organization) representative on the Federal Secure Cloud Advisory Committee (FSCAC). Prior to joining Schellman in 2016 as a senior associate, Marci worked as a federal contractor implementing and assessing federal cybersecurity programs, as well as an FFIEC/GLBA security controls assessor and consultant. Marci has over 10 years of information security experience across various industries and holds many key certifications, including CISSP, CISA, and CEH. Marci is also experienced in other frameworks, including StateRAMP, CJIS, MARS-E, IRS 1075, and GLBA (FFIEC).