Does FedRAMP certification cost too much? Some recent reports cite a price tag in the millions, but are they accurate? A close look at the data indicates that they may be wildly inflated — and that critics may be asking the wrong question, anyway.
Admittedly, the numbers are startling. One government IT website estimates a cost of between $4 million and $5 million to achieve certification from the Federal Risk and Authorization Management Program, which assesses security of cloud service providers wanting to do business with federal agencies. But the authors of that report spoke only with a few CSPs — hardly a representative sampling, when you consider that more than 100 providers are approved, ready, or in process.
Likewise, a General Services Administration article cited an average cost of $2.5 million — based on information provided by just four CSPs. Good for provoking discussion for sure!
These reports left us at Veris Group, a FedRAMP third-party assessment organization, scratching our heads. How could the experiences of these providers differ so widely from what we have seen?
Having ushered many CSPs through the assessment process, we found these estimates as mind-boggling as everyone else did — but for a different reason: Our clients are not paying these steep prices.
The fact is, no one not intricately involved in the process could know how much a FedRAMP assessment costs. CSPs are not required to publicly report their costs — they are proprietary and private — and the numbers that some have reported have been neither audited nor attested.
What those reports include can vary widely. Did the CSP in question start the process with an outmoded system? Bringing coding and security designs into compliance with FedRAMP can require additional development and architecture. These expenditures aren’t technically a part of the FedRAMP assessment, but providers sometimes roll them in when talking about the costs of obtaining certification.
And then we must consider the process itself. Did the CSP choose the most efficient route to compliance? Some providers hire one party to advise and consult before and during the FedRAMP process, and a different third-party assessment organization to perform the audit. This approach may cost more in the long run, requiring an extra layer of communication among the parties, since the advisory and audit functions must work hand-in-hand.
In our experience, the process works more smoothly when the same organization performs the Capability Assessment Reviews and the FedRAMP auditing assessment. At Veris Group, short-term advisory services generally cost about $20,000 to $40,000, while CSPs needing more technical engineering support may pay up to $300,000. 3PAO assessment, including a readiness review (highly recommended), normally costs $150,000 to $200,000, depending on what kind of authority to operate the provider seeks, and the complexity and architecture of its system. Additional expenditures include monthly continuous monitoring, which providers can do in-house, contract out, or handle through a combination of the two (a $20,000 to $90,000 price tag), and annual assessment and recertification, which typically costs about 70 percent of the initial assessment cost — $110,000 to $200,000.
Granted, FedRAMP certification doesn’t come cheaply. Neither, however, should it break the bank, as the above price ranges show. To those tempted to pinch pennies by hiring a low-cost advisory firm or 3PAO, let the buyer beware: Some of the sky-high costs reported come from providers who had to bring in a second firm to correct or shore up someone else’s substandard work.
Cloud service providers embarking on the FedRAMP journey would do well to keep their eyes wide open when planning, contracting and completing the process — and to keep their eye on the prize, as well.
Federal contracts are the immediate goal, for very good reasons. All indicators point to agencies spending more and more money on cloud services. The government’s push to end noncompliant “shadow” cloud contracting means some $1.6 billion a year in contracts will need to switch to compliant CSPs. And as agencies modernize legacy infrastructure and applications, more will adopt cloud infrastructure-as-a-service and use cloud software-as-a-service, easily reaching the $25 billion that agencies have projected they will spend on cloud services.
What is more, the federal government is not the only game in “Cloudtown,” or the only user of FedRAMP. Many commercial enterprises and state and local governments are using this important program as the de facto security standard for their own cloud service providers.
“It’s unwise to pay too much,” the 19th-century critic and essayist John Ruskin wrote, “but it’s worse to pay too little.”
Perhaps cloud service providers considering FedRAMP ought to ask not whether they can afford to get certified — they probably can — but whether they can afford not to. That may be the million-dollar question.
David McClure is chief strategist for Veris Group, working closely with federal and state agencies to implement cloud strategies and technologies to secure and modernize IT, enhance business performance, and achieve high performance results. He refines corporate strategies and develops joint solutions with the company’s leading industry partners. He is a former associate administrator of the U.S. General Services Administration (GSA) Office of Citizen Services and Innovative Technologies.