The most difficult step in the entire FedRAMP authorization process is convincing a Federal agency to sponsor your SaaS solution for a FedRAMP authorization. If you already have a Federal agency that is willing to sponsor your SaaS solution, you can get authorized in 6 months and skip this step.
If you don’t have a sponsor, the best way to get an agency to commit is to show them that your solution is listed as “FedRAMP Ready” on FedRAMP.gov. There are three steps to getting your solution listed:
Prepare your solution for an audit
Engage a Third-Party Assessor (3PAO) to perform a FedRAMP Ready audit
Secure sign-off by the FedRAMP PMO that the audit results, architecture, interconnections, and technologies are acceptable
This page focuses on steps two and three.
The Expensive and Risky Path
Some consultants will help and advise you as you go through your FedRAMP Ready audit. There are a lot of potential pitfalls (new version of FIPs, rev 5 of FedRAMP, ever-stricter requirements for interconnections and encryption, etc.). You will have to bring through the audit not only your SaaS solution but also any third-party technologies that your consultant has advised. This will be the first time an auditor or the FedRAMP PMO will have seen this particular combination of technologies, and there are a lot of things that can go wrong or very expensive surprises that can pop up.
Our PaaS is already FedRAMP authorized and covers 80% of all FedRAMP controls. That means that in your FedRAMP Ready process, neither auditors nor the FedRAMP PMO has to look at the technologies that we incorporate into our PaaS to make your SaaS compliant. They just have to look at the 20% of controls specific to your solution that are at the SaaS level. Also, we manage the entire audit and FedRAMP PMO interaction on your behalf – as your compliance department. Since we manage so many SaaS audits every year, the auditors that we use are very familiar with how we implement controls, removing risks and surprises from the audit. The same is true for the FedRAMP PMO. Since they see us several times per year, they are comfortable that we have implemented into your SaaS solution all aspects of their latest guidance.
As a result, we can get you through the FedRAMP Ready process in 2 months with no surprises.