3 Routes for CSPs to FedRAMP
There are three routes commercial cloud service providers (CSPs) can take to comply with the government’s baseline cloud computing standards, known as the Federal Risk and Authorization Management Program (FedRAMP). Although all three routes lead to the same ultimate goal, they differ in both time to accreditation and cost.
Route to FedRAMP #1
The first route, and the most common one for commercial cloud service providers, is gaining a provisional authority to operate (P-ATO) from the FedRAMP Joint Authorization Board (JAB). This board is led by the CIOs of the General Services Administration (GSA), the Department of Defense (DoD), and the Department of Homeland Security (DHS). Obtaining the P-ATO also requires a security assessment completed by a FedRAMP-accredited third-party assessment organization (3PAO).
Route to FedRAMP #2
The second route is an alternative: an individual agency can grant an ATO to a CSP, and other agencies can then choose to leverage that authorization and work with the company as well. 3PAOs also take part in agency-issued ATOs, working with both parties to make sure security standards are met.
Route to FedRAMP #3
The third and least common route is the CSP Supplied route. Here the CSP hires a FedRAMP-accredited 3PAO to complete all required documentation, testing and security assessments. Once these are complete, the package is sent to GSA’s FedRAMP office for verification. Very few companies have taken this route because of its high cost, but it is a good option for companies that cannot or do not want to take advantage of existing federal contracts and do not wish to partner with other CSPs.
At the FedRAMP Industry Fair on June 4, 2014, the GSA released a table outlining the approximate time it takes to become compliant with the government’s baseline cloud computing standards. The table broke out the three routes to compliance as JAB P-ATOs (provisional authorities to operate issued by the Joint Authorization Board), Agency ATOs, and CSP Supplied. The timeframes are:
- JAB P-ATOs: 9+ months
- Agency ATOs: 4+ months
- CSP Supplied: 6 weeks
As the table shows, the process of becoming cloud computing compliant gets quicker when more money and more effort are spent on it. These three paths give companies options, and the choice is theirs to make. So ask yourself: which route will you take?