- A FedRAMP SaaS audit
- Your agency sponsor grants your solution an Authority to Operate (ATO)
- The FedRAMP PMO validates the agency ATO and lists your solution as authorized on FedRAMP.gov
The Expensive and Risky Path
If you choose to use a consultant for the authorization process, all three of the above steps are difficult, expensive, and risky. The reason is simple: your SaaS documentation and audit evidence must cover the roughly 80% of FedRAMP controls that are not fully inherited from AWS, Microsoft Azure, or whichever cloud infrastructure you are using. In particular, the documentation and evidence must cover not only your application but also every third-party technology your consultant requires you to implement (e.g. for vulnerability scanning, logging, change control, authentication, etc.) in order to meet FedRAMP requirements. Your process will be the first time that an auditor, your agency, and the FedRAMP PMO have seen your application together with all of these technologies, and there are many stumbling blocks that can delay your process or make it unexpectedly and substantially more expensive.
Our PaaS is already FedRAMP authorized and covers ~80% of all FedRAMP controls. That means that in your FedRAMP authorization process, neither the auditors nor the FedRAMP PMO has to re-examine the technologies we incorporate into our PaaS to make your SaaS compliant. They only have to look at the ~20% of controls that are specific to your solution at the SaaS level. We also manage the entire audit and all FedRAMP PMO interaction on your behalf, acting as your compliance department. Since we manage many SaaS audits every year, the auditors we use are very familiar with how we implement controls, which removes risks and surprises from the audit. The same is true for the FedRAMP PMO: since they see us several times per year, they are comfortable that we have implemented all aspects of their latest guidance in your SaaS solution.
Below is a typical timeline for a FedRAMP authorization process for a SaaS solution using our PaaS, but the timeline can be longer if the agency needs more time for its approvals and responses.
Once you have a FedRAMP-authorized solution, the ongoing challenge is to keep it compliant through Continuous Monitoring.