McClure FedRAMP for FedScoop

The real question we should ask about FedRAMP costs

Commentary: Veris Group's David McClure explains why FedRAMP certification doesn't come cheaply, but it also shouldn't break the bank.


By David McClure, December 14, 2016, 11:52 AM

Dave McClure speaks at a FedScoop event.

Does FedRAMP certification cost too much? Some recent reports cite a price tag in the millions, but are they accurate? A close look at the data indicates that they may be wildly inflated — and that critics may be asking the wrong question, anyway.

Admittedly, the numbers are startling. One government IT website estimates a cost of between $4 million and $5 million to achieve certification from the Federal Risk and Authorization Management Program, which assesses security of cloud service providers wanting to do business with federal agencies. But the authors of that report spoke only with a few CSPs — hardly a representative sampling, when you consider that more than 100 providers are approved, ready, or in process.

Likewise, a General Services Administration article cited an average cost of $2.5 million — based on information provided by just four CSPs. Good for provoking discussion, for sure!

These reports left us at Veris Group, a FedRAMP third-party assessment organization, scratching our heads. How could the experiences of these providers differ so widely from what we have seen?

Having ushered many CSPs through the assessment process, we found these estimates as mind-boggling as everyone else did — but for a different reason: Our clients are not paying these steep prices.

The fact is, no one not intricately involved in the process could know how much a FedRAMP assessment costs. CSPs are not required to publicly report their costs — they are proprietary and private — and the numbers that some have reported have been neither audited nor attested.

What those reports include can vary widely. Did the CSP in question start the process with an outmoded system? Bringing coding and security designs into compliance with FedRAMP can require additional development and architecture. These expenditures aren't technically a part of the FedRAMP assessment, but providers sometimes roll them in when talking about the costs of obtaining certification.

And then we must consider the process itself. Did the CSP choose the most efficient route to compliance? Some providers hire one party to advise and consult before and during the FedRAMP process, and a different third-party assessment organization to perform the audit. This approach may cost more in the long run, requiring an extra layer of communication among the parties, since the advisory and audit functions must work hand-in-hand.

In our experience, the process works more smoothly when the same organization performs the Capability Assessment Reviews and the FedRAMP auditing assessment. At Veris Group, short-term advisory services generally cost about $20,000 to $40,000, while CSPs needing more technical engineering support may pay up to $300,000. A 3PAO assessment, including a readiness review (highly recommended), normally costs $150,000 to $200,000, depending on what kind of authority to operate the provider seeks, and the complexity and architecture of its system. Additional expenditures include monthly continuous monitoring, which providers can do in-house or contract out, or employ a combination of the two (a $20,000 to $90,000 price tag), and annual assessment and recertification, which typically costs about 70 percent of the initial assessment cost — $110,000 to $200,000.

Granted, FedRAMP certification doesn't come cheaply. Neither, however, should it break the bank, as the above price ranges show. To those tempted to pinch pennies by hiring a low-cost advisory firm or 3PAO, let the buyer beware: Some of the sky-high costs reported come from providers who had to bring in a second firm to correct or shore up someone else's substandard work.

Cloud service providers embarking on the FedRAMP journey would do well to keep their eyes wide open when planning, contracting and completing the process — and to keep their eye on the prize, as well.


Federal contracts are the immediate goal, for very good reasons. All indicators point to agencies spending more and more money on cloud services. The government's push to end noncompliant "shadow" cloud contracting means some $1.6 billion a year in contracts will need to switch to compliant CSPs. And as agencies modernize legacy infrastructure and applications, more will adopt cloud infrastructure-as-a-service and use cloud software-as-a-service, easily reaching the $25 billion that agencies have projected they will spend on cloud services.

What is more, the federal government is not the only game in "Cloudtown," or the only user of FedRAMP. Many commercial enterprises and state and local governments are using this important program as the de facto security standard for their own cloud service providers.

"It's unwise to pay too much," the 19th-century critic and essayist John Ruskin wrote, "but it's worse to pay too little."

Perhaps cloud service providers considering FedRAMP ought to ask not whether they can afford to get certified — they probably can — but whether they can afford not to. That may be the million-dollar question.

David McClure is chief strategist for Veris Group, working closely with federal and state agencies to implement cloud strategies and technologies to secure and modernize IT, enhance business performance, and achieve high performance results. He refines corporate strategies and develops joint solutions with the company's leading industry partners. He is a former associate administrator of the U.S. General Services Administration (GSA) Office of Citizen Services and Innovative Technologies.
