Five Lessons Learned from the FedRAMP Process
This commentary was reposted from GNC.com.
The Federal Risk and Authorization Management Program, for good reasons, set a high bar for certifications. Developing a cloud solution to be authorized by FedRAMP is, therefore, a non-trivial pursuit. During the past year my firm has been immersed in the successful pursuit of FedRAMP authorizations for four distinct cloud offerings, and my colleagues and I have learned a lot about the process and its importance for government IT. Here are five of the most important lessons we have learned along the way.
One – Get the Whole Village Engaged
Don’t for a second think that you can have your security team handle the FedRAMP stuff, and thereby minimize the impact to others. You can and must engage a large part of your organization in the pursuit of, and adherence to, FedRAMP. And it’s not limited to your developers, IT staff, and other geeks. Every employee in the organization will play a part in the initiative. HR, for example, may train new employees when they onboard. Service teams will educate customers and make sure the best practices are adopted. Sales people will need to field questions from customers. And so forth.
Two – Get Organized. Very, Very Organized.
Unless you are one of those rare cloud companies that has employees wondering how to fill their days, you will be expecting busy people to do more, sometimes a lot more. This will place a strain on your organization, so use a ticket system to make sure every task is documented and clear. There will likely be too much to do in the allotted time, so you must provide clarity on priorities. Spend a lot of time prioritizing and ensuring all stakeholders are aligned with those priorities.
Three – Embrace the Change
You may find that large parts of the organization try to resist changes that are necessary in your pursuit of FedRAMP. Minimizing changes is not the objective. Quite the contrary. The whole purpose is to adopt superior security practices, and that requires changes. Create a culture that sees these changes as positive. Two reasons: 1) they are positive, and 2) you will be placing a strain on the organization, and positivity is far more motivating than negativity.
Four – Get Help
We had been through dozens of ATOs with Federal agencies. We had achieved ISO 27001 certification (Europe’s sibling to FedRAMP). So we came at the FedRAMP project with an inflated sense of confidence. Even though the FedRAMP requirements are detailed and thorough, there are a surprising number of judgment calls about how to comply. Also, by now you should have a sense that FedRAMP will ask a lot from your organization. For these two reasons, consider hiring a security consultancy that is experienced in FedRAMP – it will have a real ROI.
Five – Educate your Federal Customers
Things will improve over time, but today few agencies have a staff (beyond the security team) that has a good understanding of FedRAMP, what it means and, most importantly, what their obligations are when using a cloud provider. As you near the awarding of the P-ATO, make sure that you plan and execute an education campaign with your customers. Think of it like a product launch – succinctly explain the features and benefits.
Six – This one’s free
No doubt you will celebrate the day you receive your provisional FedRAMP ATO, and for good reason. You might have started your journey over two years prior. Have fun and enjoy the accomplishment, but make sure (in the months leading up to the award) your whole organization understands the FedRAMP award is the beginning of something, not the end. Maintaining your accreditation will take time and effort. As a team member said, “The party was fun, but I better go and start the scanners.” Happiness is about having realistic expectations, so start setting them.
The FedRAMP process can seem daunting and will, without a doubt, put new stresses on your staff. It’s important to remember that FedRAMP compliance will really make your cloud solution safer, more secure and more resilient. This achievement isn’t just a credential, it’s an accomplishment.
About the Author: Bob Ainsbury, Chief Operating Officer at GovDelivery