Get Listed on FedRAMP.gov as FedRAMP Ready
If you don’t have a sponsor, the best way to get an agency to commit is to show them that your solution is listed as “FedRAMP Ready” on FedRAMP.gov. There are three steps to getting your solution listed:
- Prepare your solution for an audit
- Engage a Third-Party Assessor (3PAO) to perform a FedRAMP Ready audit
- Secure sign-off by the FedRAMP PMO that the audit results, architecture, interconnections, and technologies are acceptable
This page focuses on steps two and three.
The Expensive and Risky Path
Some consultants will help and advise you as you go through your FedRAMP Ready audit. There are a lot of potential pitfalls (a new version of FIPS, Rev 5 of FedRAMP, ever-stricter requirements for interconnections and encryption, etc.). You will have to bring through the audit not only your SaaS solution but also any third-party technologies that your consultant has advised. This will be the first time an auditor or the FedRAMP PMO will have seen this particular combination of technologies, so a lot of things can go wrong and very expensive surprises can pop up.
Our PaaS is already FedRAMP authorized and covers ~80% of all FedRAMP controls. That means that in your FedRAMP Ready process, neither auditors nor the FedRAMP PMO has to look at the technologies that we incorporate into our PaaS to make your SaaS compliant. They just have to look at the ~20% of controls specific to your solution that are at the SaaS level. We manage the entire audit and FedRAMP PMO interaction on your behalf – as your compliance department. Since we manage so many SaaS audits every year, the auditors that we use are very familiar with how we implement controls, removing risks and surprises from the audit. The same is true for the FedRAMP PMO. Since they see us several times per year, they are comfortable that we have implemented into your SaaS solution all aspects of their latest guidance.
As a result, we can get you through the FedRAMP Ready process in 2 months with no surprises.
After that, the next step is securing an agency sponsor.