How much does it cost on average for a cloud service provider to go through the authorization process to sell to government?
Finding the answer isn’t simple.
Providers vary in “size, complexity, and scope,” according a recent Federal Risk and Authorization Management Program blog post by Program Manager Matt Goodrich. But despite the differences, Goodrich interviewed four relatively similar cloud service providers to get a median cost to achieve certification: $2.25 million.
The vendors Goodrich interviewed shared some characteristics: They all owned their own infrastructure, and all went through the old authorization process (pre-FedRAMP Accelerated).
Goodrich said FedRAMP is comparing costs between the two processes to determine if they are getting a return on investment with the new process.
[Read more: Exclusive: FedRAMP embraces the need for speed]
Three of the four vendors were infrastructure-as-a-service solutions, and one was a software-as-a-service solution.
Even though the vendors were similar, Goodrich wrote that their costs ranged from a little less than $500,000 for one to a little more than $4 million for another due to things like bringing in outside consultants to help with documentation and whether a system was originally built to pass FedRAMP.
In the blog post, Goodrich also broke down the overall cost into average costs for five main areas: engineering ($1 million), documentation ($400,000), third-party assessment organization assessment ($500,000), FedRAMP Joint Authorization Board review ($250,000) and continuous monitoring ($1 million).
On average, about half the cost was spent on engineering and half on the process itself. Companies will then likely spend an additional $1 million a year on continuous monitoring, Goodrich noted.