Securing an agency sponsor

The most difficult step in the FedRAMP process is securing an agency sponsor for your solution.  The IT and cybersecurity departments of Federal agencies are chronically understaffed and have their hands full securing solutions deployed in their own data centers.  That is why even though many agencies have adopted “Cloud First” strategies, their cloud procurement mainly focuses on solutions that are already FedRAMP authorized.   Agencies generally don’t want the responsibility of being the FedRAMP sponsor of a SaaS solution, with other agencies relying on them as the primary entity verifying both initial compliance and continuous monitoring.

To alleviate this burden for Federal agencies, the FedRAMP JAB (Joint Authorization Board) provides provisional authorizations for a handful of SaaS solutions each year.  But the JAB is also understaffed, so it is very difficult for a SaaS solution to get “prioritized” for a JAB authorization.  Often the solutions that do get prioritized are ones that already have an agency-sponsored authorization, but want to switch to the JAB.  In the end, most SaaS solution providers have no choice but to find some way to convince an agency to be their sponsor.

Convincing an agency to be your sponsor typically involves two requirements:

  1. Getting the agency to see how much they need your solution, and that your solution will be much better for them than any alternative that is already FedRAMP authorized
  2. Making the job of the agency’s cybersecurity department as easy as possible

Most cloud service providers are aware of the first requirement.  This page focuses on the second requirement.

 

The Expensive and Risky Path

If you work with a consultant, you are on your own with convincing an agency to sponsor your solution.  We have heard stories from many SaaS solution providers about how they had convinced all of the “business” people that the agency needed their solution and that no other already FedRAMP-authorized solution would be able to do the job.  But after months of positive signs, in the end, the agency was unwilling to sponsor their solution.  Nine times out of ten, a decision like this is due to the agency’s cybersecurity department making it clear that they do not have the time – being a sponsor puts too large of a burden on them.  A number of SaaS solution providers have come to us after experiences like this, and we helped them make it past this most difficult step.

 

The FasTrack

If you deploy your SaaS on the Project Hosts PaaS, it greatly simplifies the job of a Federal agency’s cybersecurity department.  Our PaaS covers 80% of all FedRAMP controls, and it is already FedRAMP-authorized.  That means that for 80% of the controls, the agency’s cyber team just has to confirm the analysis of FedRAMP and the dozens of agencies that have already granted the PaaS an ATO.  To sponsor your SaaS solution, the agency’s cyber team only has to evaluate the remaining 20% of controls implemented at the SaaS level.  Also, if the agency you are working with is one of the ones that has already granted an ATO to the PaaS, the cyber team’s job is even easier.  That is why so many agency cybersecurity professionals have told us that their agency is generally not sponsoring any FedRAMP solutions – unless it is a SaaS solution on our PaaS.  The job of convincing the agency of the need for your solution is still up to you, but we can take away the barrier that has stopped so many would-be FedRAMP solutions in their tracks.

The final step in securing sponsorship is to have the agency send an email (that we provide) to the FedRAMP PMO in which they state their intention to grant an ATO after evaluating FedRAMP documentation and audit results.

You can pay a lot of money to have a consultant help you with the easy steps (getting audit-ready) and then leave you on your own for the most difficult step (securing an agency sponsor).  Or you can take the FasTrack.

After securing your sponsor, the next step is to go through the FedRAMP authorization process.