Report: Finding efficient paths to FedRAMP compliance
Cloud service providers looking to participate in the Federal Risk and Authorization Management Program (FedRAMP) still face challenges, but there are strategies that can help firms prepare for and progress through accreditation.

The number of authorized cloud services saw more than 80-percent growth in 2016 and Office of Management and Budget efforts to accelerate application modernization should drive further increases, according to “Securing Your Cloud Solutions: Research and Analysis on Meeting FedRAMP/Government Standards,” a new marketplace report by cybersecurity, risk management and FedRAMP third-party assessment organization Coalfire.

OMB’s “cloud first” directives, coupled with growth in authorized services for the Department of Defense and in federal internet-of-things and mobility initiatives, mean accelerated demand for secure, value-added services. According to Coalfire research, 60 percent of federal agencies still don’t participate in FedRAMP, and the majority of those that do use only 5-15 authorized solutions.

While services from Microsoft, Amazon, IBM and Oracle are widely adopted by agencies, Coalfire sees opportunity for cloud service providers of all sizes willing to meet the security controls and agency-specific requirements detailed in National Institute of Standards and Technology Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations.

Coalfire’s advice for common compliance challenges includes regularly updating and patching vulnerability scanning tools and improving vulnerability reporting; standardizing baselines for configuration settings and access restrictions based on federal benchmarks; capturing time stamps, addresses and identifiers for securely stored audit records; managing account access levels and logon controls; and automating detection of inventory and configuration changes.

Best practices suggested by Coalfire’s report include clearly defining and documenting system boundaries and incorporating proactive customer requirements into a system security plan; adopting robust change management technology tools; defining lifecycle activities and system development strategies; utilizing security information and event management software products and services; instituting security awareness training for all users; and establishing procedures and processes to identify, manage and report information-security incidents.

According to Coalfire’s research, the average time to FedRAMP authorization has decreased 65 percent for cloud service providers working with the Joint Authorization Board and 59 percent for those working directly with an agency; advance preparation and security maturity play a major part, alongside the authorization route chosen.

Coalfire says that typical costs for pursuing FedRAMP range from $350,000 to $865,000, with the majority of initial spending focused on application design, infrastructure, operations segregation and engineering for network architecture, cyber defense or security monitoring and analytics, followed by expenses for advisory services, assessments, continuous monitoring and annual recertification.

By employing lessons learned and engaged support teams, cloud service providers new to the federal market should find ways to complete security assessments more quickly, Coalfire concludes.

A complete look at Coalfire’s breakdown of cloud service opportunities, strategies, investments and team responsibilities can be found on