Follow Up on FedRAMP Costs
I wanted to take some time to respond to some of the questions and concerns I received via Twitter, in person at some events last week, and by email and phone calls. It’s important for us to tell our story, but also to listen to what all of you are saying and let you know we’re acting.
Are you concerned about these costs?
Absolutely. FedRAMP’s core mission is to protect Federal information in cloud environments. That is goal number one and we will always place this above all other goals. However, goal number two is to promote efficiencies and cost savings through re-use with a “do once, use many times” model. This means we want to ensure we do things right the first time, so CSPs and agencies don’t have to do it again.
As we’re growing and maturing FedRAMP, we’re learning how to introduce new efficiencies and bring down costs as much as possible. I want FedRAMP to be as affordable and efficient as possible without trading the rigorous security needs of protecting Federal information. I personally come from a family of small business owners and want to make sure that small business and companies of all sizes view FedRAMP as an enabler and not an impediment to winning government work.
What are you doing to reduce the cost of FedRAMP?
In our analysis, companies spend about 50% of their money on engineering and 50% on the process. In both of these areas we’ve introduced significant updates to FedRAMP in the past few months to help address these costs.
How we’re addressing the engineering costs: We introduced the Readiness Assessment not only so the government can understand whether a vendor is ready, but so a vendor can do the same. We expect those assessments to cost from $20-40k for the average system. These assessments will allow vendors to understand any engineering costs they will incur PRIOR to entering FedRAMP by ensuring their system meets all of the Federal requirements.
How we’re addressing the process costs: We designed FedRAMP Accelerated to ensure the process happens in less than 6 months, and in as few as 3. This is a reduction from the previous 12-24 months. That’s anywhere from 50% down to 25% of the original time, which greatly reduces overall process costs.
Even with those reductions, you’re looking at costs of up to $1 million for FedRAMP, isn’t that still too big of a barrier for most small companies?
As we’ve grown FedRAMP, our focus has been on getting enterprise-wide solutions into the Federal space. We’re working with digital services teams, CTOs and CIOs across the U.S. government to figure out whether there are ways we can expand FedRAMP to make it easier for niche cloud solutions for specific use cases to come through FedRAMP. We’re working to adapt our “one size fits all” model for enterprise solutions into a model where authorizations can be tailored to the specific use cases of smaller SaaS solutions.
What’s the return on investment for vendors?
In an upcoming blog post I’m going to detail some success metrics for vendors who have made it through FedRAMP. These will be designed solely from the authorization perspective, but I believe they tell a very strong story for the success FedRAMP can bring companies, not only from a security perspective but also through increased use by the Federal government.
I appreciate all of the dialogue that the last blog post created, and truly value the input we have from the community as we work hard at FedRAMP to bring more cloud providers into the U.S. government. Please keep reading and providing your input; it’s critical to our continued success!